CIS 359 Incident Response Revamp

Strayer CIS 359 Disaster Recovery Management, Assignment 2: Incident Response (IR) Revamp, Graded A, 9 pages, 1955 words
Imagine you have just taken over the manager position for your organization’s incident response team, after coming from another division in the company. Your first realization is that proper procedures, best practices, and sound technologies are not being utilized. You decide to revamp the team’s efforts.
Write a two to three (2-3) page paper in which you:
1. Explicate the main efforts that would be included in the incident response efforts, including but not limited to personnel and team structure, tools and utilities, and proper procedures.
2. Discuss in detail the role that an IDS / IPS would play in the IR efforts, and explain how these systems can assist in the event notification, determination, and escalation processes.
3. Explain how the NIST SP800-61, Rev. 1 could assist the personnel in classifying incidents so each is identified appropriately and the proper incident-handling procedures are taken.
4. Explain how the use of log management systems (e.g., Splunk) could be a legitimate and useful component of the IR efforts, and describe the potential issues that could arise if not utilized.
5. Use at least three (3) quality resources in this assignment.


Discussion one:

Determine what you believe are the top two considerations that should be addressed when forming the CSIRT in terms of skills, abilities, procedures, training, deployment, etc.

Member experience: Forming a successful and effective CSIRT depends on forming it with members that possess the necessary skillsets, knowledge and experience in related disciplines. Such items include forensic analysis, malware investigation and cleanup, network administration, log analysis, data recovery, cryptography, documentation management and communication.

Continuous training: In forming a CSIRT, it can’t just be assumed that training is a one-time process. Training must be treated as a continuous, ever-evolving process. As the nature of security changes, new technologies are developed, threats are discovered and best practices change, all members of the CSIRT need to be kept current with the necessary skills and knowledge. So, appropriate budgeting for annual training needs to be considered.

Explain what you believe to be the most critical flaw or failure when it comes to CSIRT organization and preparation. Suggest ways management can avoid this pitfall altogether.

Unclear or undefined roles: If necessary roles are not clearly defined, or are not properly assigned to the correct staff, the ability to properly plan and respond to incidents when they occur suffers. This can be avoided by ensuring that all necessary roles are clearly defined and assigned, and that periodic reviews of those roles are performed. After that, performing tests with the CSIRT can help to uncover any unclear roles or improper assignments.

Discussion two:

From the e-Activity, explain in your own words the purpose of the Software Engineering Institute’s (SEI) exercises regarding team communication, and determine whether or not you believe this type of testing and analysis is a beneficial use of resources. Justify your answer.

The purpose was to highlight the importance of proper and effective communication in incident response, and to demonstrate how easily communications can break down and hinder the goals of IR. I think that anything that tests a team’s procedures in order to find weaknesses so they can be corrected is beneficial. It is always better to find weaknesses and other issues before an actual incident occurs.

Based on the testing and analysis described in the e-Activity, indicate the two most important things that you believe are needed in order for cross-team communication to be successful when dealing with potential widespread incidents.

The first would be a detailed, properly updated and maintained procedural checklist: a formal document that contains all necessary information on who to contact, when to contact them, and what information to exchange. All activity should be tracked in this document as well: who contacted whom and when, what information was exchanged, and when follow-up will be performed. I guess I would have to say the other would be an effective policy and plan to enforce IR communication procedures. The policy should be regularly reviewed and updated, and the plan tested.