University of Maryland University College
CYB 670 PROJECT 2: INCIDENT RESPONSE PLAN

Table of Contents
I. Overview
  Purpose and Scope
  Administration and Review
  Mission
  Strategy
II. Definitions
  Event
  Incident
  Triggering Event
  Closure
III. Roles and Responsibilities
  Chief Information Officer
  Chief Information Security Officer
  Legal Counsel
  Public Relations
  Computer Incident Response Team
  Law Enforcement
  Users
IV. Preparation
  Policies, Standards, Procedures, and Guidelines
  Communications Plan
  Training and Exercises
V. Defense
  Active Defense
  Passive Defense
VI. Identification and Detection
  Reporting of Incidents
  What to Report
VII. Response
  Containment and Eradication
  Notifications
  Investigations
  Incident Documentation
  Breach Management
VIII. Recovery
Appendix A: Types of Cyberattacks
Appendix C: Incident Response Checklist
References

I. Overview

Purpose and Scope. The purpose of this document is to provide an actionable strategy for handling cyber security incidents within the organization by establishing effective and efficient response guidance. The document outlines the cycle of handling cyber security incidents in five phases: preparation, defense, identification, response, and recovery. This document is not intended to be a complete list of procedures for handling cyber security incidents. It offers guidance on handling incidents that affect the organization's operational, financial, or reputational standing.

Administration and Review. This document is maintained by the cyber incident response team.
The team developed the document with the assistance of system and network administrators, security personnel, information technology staff, the Chief Information Security Officer, the Chief Information Officer, computer security program managers, and additional personnel involved in preparing for and handling cyber security incidents.

Mission. The primary mission of the organization's Information Technology department is to provide, secure, and maintain the information systems of the organization. This allows the organization to accomplish its overall operational objectives. The Information Technology department established a Computer Incident Response Team (CIRT) to establish and support cyber security incident planning and response. The CIRT is guided by the following principles: first, to identify and mitigate the impacts of cyber incidents in order to protect the organization, its people, and its assets; second, to provide for the security and protection of the organization's information technology infrastructure; third, to safeguard the organization's sensitive data from compromise, exfiltration, exposure, and disclosure; and fourth, to investigate all cyber security incidents to the fullest extent of the organization's authority.

Strategy. A quick and effective response to cyber security incidents can drastically affect the outcome of an incident. The goal of the response team is to mitigate the impact of the incident through detailed planning and coordinated response efforts. To accomplish this, the Information Technology department has adopted cyber security best practices adapted from the National Institute of Standards and Technology (NIST) Special Publication 800-61.

II. Definitions

Event. An event is any observable occurrence in a system or network. An adverse event is an event with negative ramifications, such as a system crash, a malware infection, or a denial of service.

Incident.
A violation of, or imminent threat of violation of, established computer security policies, acceptable use policies, or standard organizational practices. Additionally, an incident can be any event that, as assessed by the Information Technology Security staff, violates the organization's code of conduct or compromises the confidentiality, integrity, or availability of the network, information systems, or data on the network. Vulnerabilities detected in a system are not by themselves classified as incidents. When vulnerabilities are found, the Information Technology department will assess them and take appropriate actions, such as notifying users, disconnecting impacted systems, or implementing mitigation techniques.

Triggering Event. A triggering event is any event that needs escalation to an incident. There is no precise definition of what triggers this plan; escalation is based on the knowledge and experience of the staff. The overarching rule is: when in doubt, escalate to an incident.

References

Bejtlich, R. (2013). The Practice of Network Security Monitoring: Understanding Incident Detection and Response. San Francisco: No Starch Press.
Bosworth, S., Kabay, M., & Whyne, E. (2009). Computer Security Handbook. Hoboken: John Wiley & Sons Inc.
Conklin, W. A., White, G., Williams, D., Davis, R., & Cothren, C. (2016). Principles of Computer Security. New York: McGraw Hill.
Deloitte. (2017). Demystifying Cyber Insurance Coverage: Clearing Obstacles in a Problematic but Promising Growth Market.
Fischer, E. (2016, August 12). Cybersecurity Issues and Challenges: In Brief.
Mandia, K., Prosise, C., & Pepe, M. (2003). Incident Response & Computer Forensics. Emeryville: McGraw-Hill.
NIST. (2012). Guide for Conducting Risk Assessments. NIST Special Publication 800-30 rev1. Retrieved January 7, 2017, from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
NIST. (2012, August). SP 800-61: Computer Security Incident Handling Guide. Gaithersburg, MD.
Stewart, J. M., Chapple, M., & Gibson, D. (2015). CISSP: Official Study Guide. Indianapolis: John Wiley & Sons, Inc.
The MITRE Corporation. (2011). 2011 CWE/SANS Top 25: Most Dangerous Software Errors. Common Weakness Enumeration. Retrieved from http://cwe.mitre.org/top25/index.html#CWE79
US-CERT. (2015, April 29). Alert (TA15-119A): Top 30 Targeted High Risk Vulnerabilities. Retrieved from United States Computer Emergency Readiness Team: https://www.us-cert.gov/ncas/alerts/TA15-119A
Vacca, J. R. (2013). Computer and Information Security. Waltham: Morgan Kaufmann Publishers.
Preview: 1 out of 27 pages. Uploaded Nov 16, 2022.