I want help with rewriting the entire project in my own words. Your job will be to copy the answers from the document to copy from (Answer sheet) into my Project 1 Report Template. You will also have to copy or move the images.


Final Forensic Lab
Name
University
Subject
Date, 2022

Incident Response Plan

The Incident Response Plan (IRP) documents the strategies, personnel, procedures, and resources required to respond to any incident affecting the system. The IRP makes the following primary assumptions about the organization that is its subject:
- it operates from one primary geographic location;
- it has approximately 100 members;
- it uses the standard Microsoft Office suite for most administrative functions, including Outlook and Skype for email, text, and video communications;
- it uses a database application for some customer and company records and services;
- it maintains a public web site to provide information to customers and an internal web portal used for internal collaboration and guidance to organization members;
- it manages its own VoIP phone service;
- it has employees who work both on site and off site and therefore require secure remote access to applications, communication services, and networked storage; and
- each employee will be provided with an EC2 instance, which the employee is expected to access from a personally owned or company-provided device.

Scope

This IRP has been developed for the company's private intranet, which is categorized as a moderate-low-low impact system for the three security objectives: confidentiality (moderate), integrity (low), and availability (low).

Roles and Responsibilities

The roles and responsibilities for the various task assignments and deliverables throughout the incident response process are depicted in Table 1. The primary source for Table 1 is the DCSA web site (DCSA Assessment and Authorization Process Manual, n.d.).
Table 1. Roles and Responsibilities

Information System Owner/Program Manager (ISO/PM)
The responsibilities of the ISO/PM when an incident occurs include, but are not limited to, the following:
- Providing the ISSM with updates to the Incident Response Plan, including identifying corrective actions, determining the resources required, documenting milestone completion dates, and addressing any residual findings.
- Overseeing the development, maintenance, and tracking of the Incident Response Plan.
- Enforcing training requirements for individuals participating in the Incident Response Plan.

System Administrator (SA)
The responsibilities of the SA include, but are not limited to, the following:
- Taking the necessary precautions to protect the confidentiality, integrity, and availability (C-I-A) of information encountered while performing privileged duties.
- Documenting and reporting to the ISSM all system security configuration changes and all detected or suspected security-related problems that might adversely affect system security.
- Complying with the Incident Response Plan requirements.

Program Security Officer (PSO)
The responsibilities of the PSO include, but are not limited to, the following:
- Maintaining the appropriate operational security posture for the system security program.

Information System Security Manager/Information System Security Officer (ISSM/ISSO)
The responsibilities of the ISSM/ISSO include, but are not limited to, the following:
- Developing, maintaining, and overseeing the system security program and the policies associated with the Incident Response Plan.
- Maintaining a working knowledge of system functions, security policies, technical security safeguards, and operational security measures.
- Monitoring all available resources that provide warnings of system vulnerabilities or ongoing attacks, and reporting them as necessary.
- Ensuring audit records are collected and analyzed in accordance with the security plan.
- Monitoring system recovery processes to ensure security features and procedures are properly restored and functioning correctly.
- Ensuring proper measures are taken when a system incident or vulnerability affecting systems or information is discovered.
- Reporting all security-related incidents in accordance with the Incident Response Plan.

Definitions

Event
An event is an occurrence that has not yet been assessed and that may affect the performance of an information system and/or network. Examples of events include an unplanned system reboot, a system crash, and packet flooding within a network. Events sometimes indicate that an incident is occurring or has occurred.

Incident
An incident is an assessed occurrence having potential or actual adverse effects on the information system. A security incident is an incident or series of incidents that violates the security policy. Security incidents include penetration of computer systems, spillages, exploitation of technical or administrative vulnerabilities, and introduction of computer viruses or other forms of malicious code.

Types of Incidents
The term "incident" encompasses the general categories of adverse events listed below. These categories are not necessarily mutually exclusive.

Data Destruction and Corruption
Loss of data integrity can take many forms, including changing permissions on files so that they are writable by non-privileged users, deleting data files and/or programs, altering audit files to cover up an intrusion, changing configuration files that determine how and what data is stored, and ingesting information from other sources that may be corrupt.

Data Compromise and Data Spills
Data compromise is the exposure of information to a person not authorized to access it, whether by clearance level or by formal authorization. This can happen when a person accesses a system he or she is not authorized to access, or through a data spill.
A data spill is the release of information to another system or person not authorized to access that information, even though the person is authorized to access the system on which the data was released. This can occur through loss of control, improper storage, improper classification, or improper escorting of media, computer equipment (with memory), and computer-generated output.

Malicious Code
Malicious code attacks include attacks by programs such as viruses, Trojan horses, worms, and scripts used by attackers to gain privileges, capture passwords, and/or modify audit logs to exclude unauthorized activity. Malicious code is particularly troublesome because it is typically written to mask its presence and is therefore often difficult to detect. Self-replicating malicious code such as viruses and worms can spread rapidly, making containment especially difficult.

Virus Attack
Like a Trojan horse, a virus conceals itself inside otherwise legitimate code; unlike a Trojan horse, it self-replicates. It is activated by a triggering mechanism (e.g., an event or a time) and carries a mission (e.g., delete files, corrupt data, send data). The malicious program segment may be stand-alone or may attach itself to an application program or other executable system component in an attempt to leave no obvious signs of its presence.

Worm Attack
A computer worm is an unwanted, self-replicating autonomous process (or set of processes) that penetrates computers using automated attack techniques. A worm spreads over communication channels between hosts: it is an independent program that replicates from machine to machine across network connections, often clogging networks and computer systems.

Trojan Horse Attack
A Trojan horse is an apparently useful and innocent program containing additional hidden code that allows unauthorized Computer Network Exploitation (CNE), falsification, or destruction of data.
System Contamination
Contamination is the inappropriate introduction of data into a system not approved for that data (i.e., data of a higher classification or of an unauthorized formal category).

Privileged User Misuse
Privileged user misuse occurs when a trusted user or operator attempts to damage the system or compromise the information it contains.

Security Support Structure Configuration Modification
The software, hardware, and system configurations that make up the Security Support Structure (SSS) are controlled because they are essential to enforcing the security policies of the system. Unauthorized modifications to these configurations increase the risk to the system.

Incident Response

The company's IRP shall follow the incident response and reporting procedures specified in the security plan. Upon learning of an incident or a data spill, the ISSM will take immediate steps intended to minimize further damage, regain custody of the information or material, and mitigate damage to program security. The primary source of the incident response and reporting procedures listed below is the Cyber Security Incident Response Template available online (Cyber Security Incident Response Template, n.d.). An additional resource used specifically for Step 1: Preparation was the SecurityMetrics web site (6 Phases in the Incident Response Plan, n.d.). Incident response will follow the six steps listed below.

Step 1: Preparation
One of the most important aspects of a response plan is knowing how to use it once it is in place. Knowing how to respond to an incident before it occurs saves valuable time and effort.
1. The ISO/PM will ensure employees are properly trained in their incident response roles and responsibilities in the event of a data breach.
2. The ISSM/ISSO will develop incident response drill scenarios and regularly conduct mock data breaches to evaluate the incident response plan.
3. The ISO/PM and Program Security Officer will ensure that all aspects of the incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance.

Step 2: Identification
Identify whether or not an incident has occurred. If one has, the response team can take the appropriate actions.
1. The ISSM/ISSO will identify and confirm that the suspected or reported incident has occurred and whether malicious activity is still underway.
2. The ISSM/ISSO will determine the type, impact, and severity of the incident.
3. The System Administrator and ISSM/ISSO will take basic and prudent containment steps.
4. The System Administrator or ISSM/ISSO will inform or activate the incident
Aug 31, 2022