ON BOTH SCENARIO 1 (500 W) AND 2 (500 W) ANSWER ALL THE QUESTIONS
IF ANY CONFUSION PLEASE MAIL
Assessment 3- Two Example Scenarios
- There has been an incident where the Telstra service to the head office stopped working. As IT administrator, you own the incident response program and, according to that program, you activated the incident response operation.
The outage was caused by an unplanned outage in Telstra's exchange and lasted two hours. As a contingency, you purchased an Optus 4G wireless broadband router, remotely shifted your services to that router and connected your wireless access point to it, so staff were able to continue working. This was part of your incident response plan.
- In another incident the same day, an accountant mistakenly deleted a client's files. As part of the incident response plan, you recovered the data from backup.
Complete the following steps to develop the incident response program on each occasion:
- Develop, and document, an incident management policy
- Identify the services the incident response team should provide. Record these services.
- Create the required incident response plans, according to, and in line with, the security policy and organisational goals
- Develop, and document, the procedures for incident handling and reporting
- Create exercises for incident response and red-teaming activities. Document these exercises and activities.
- Develop, and document, the processes to be followed for collecting and protecting forensic evidence during incident response
- Specify and document the staffing and training requirements for incident response
- Establish the response program. Provide the documented, established response program.
Implement the incident response program through completion of the following steps on each occasion:
- Apply response actions, in reaction to security incidents, according to the established policy, plans and procedures. Accurately record the application of response actions.
- Respond to and report incidents. Provide the documented incident reports.
- Assist in the collecting, processing and preserving of evidence. Document the evidence collected, processed and preserved.
- Execute incident response plans. Provide copies of all incident response plans executed.
- Execute the planned red-teaming activities and incident response exercises. Document the red-teaming activities and incident response exercises executed.
- In a timely manner, conduct debriefing to collect the lessons learned from incidents so they can be incorporated into review plans. Document the collected lessons learned.
- Collect, analyse and report on the incident management measures. Provide the incident management measures report.
On each occasion, complete the following steps to evaluate the incident response program:
- Assess the efficiency and effectiveness of incident response program activities, implementing changes as required. Provide the assessment, including changes to be implemented.
- Examine the effectiveness of the red teaming and incident response tests, training and exercises. Record this examination.
- Assess the effectiveness of communications between the incident response team and related internal and external organisations, identifying changes to be implemented, where appropriate. Document the assessment, including changes identified.
In this scenario, the problem is the inability of the Telstra service to the head office to function as required. This led to the purchase of an Optus 4G wireless broadband router as a contingency link. The following is the incident management policy that can be adopted by the company.
Incident Management Policy
This is the policy through which foreseeable contingencies are anticipated and prepared for, so that their adverse effects are mitigated when they occur (Giadom & Edem, 2014). The Telstra service, together with the contingency network put in place, is intended to support all regular operations and to assist responders when disaster or emergency management is organised by function. All plausible incidents should be anticipated, and adequate preparation measures and tools put in place. Once an incident occurs, the disaster management department and the heads of department should be informed immediately upon detection. A response to the incident should begin within thirty minutes, unless the incident is beyond an internal solution, in which case it is escalated.
Services to be provided
The following are the services that should be provided by the incident management team:
- Assess the team's ability to fix the problem caused by the network outage.
- Fix the network as soon as possible if it is within the team's ability to do so.
- Escalate as fast as possible to management for quick action if the team cannot fix it.
- Protect the assets and staff put at risk by the loss of network connectivity.
- Put measures in place to reduce the likelihood of a further network outage in the near future.
Incident Response Plan
In the event of a network outage, the following will be done to ensure a timely response:
- Assess the extent of the network outage within twenty minutes.
- Fix the outage, or fail over to the contingency link, and reconnect the affected departments within thirty minutes.
- Check whether logins and critical documents have been interfered with during the outage.
- Relocate document storage and the login service to an alternative site where this is needed to keep them secure.
Handling and Reporting Procedure
Upon occurrence of a network outage, an emergency call should be made to the network management team immediately. Once notified, the team should take no more than five minutes to give feedback on the action in the pipeline. Restoration of a manageable network outage should take thirty minutes; otherwise it should be escalated.
The team should locate the main cause of the network outage as well as any contributing causes. A cause that has affected more than 55% of operations should be escalated to the network service provider. If the team finds that logins have been tampered with, then the login times, the activities performed and the credentials of the person who logged in should be collected as evidence, and the collection itself recorded (who collected what, when, and a hash of the collected records) so that the evidence can be relied on later.
Staff will be trained on the signs of a network outage, on fixing very minor problems and on the reporting procedures. This will be done at orientation and then quarterly.
Once the cause of the network outage is established, an internal solution should be provided within thirty minutes. If the external service provider is contacted, the internal team should cooperate with them.
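Here is an added example, not part of the original assignment answer, of the evidence-collection step described above: it pulls SSH login events for the outage window out of constructed auth-log lines, records the login time, user, source address and result for each, and seals the set with a SHA-256 hash and a custody record so that later tampering is detectable. The host name, addresses, users, log year and log path are all assumptions made for the demonstration.

```python
"""Collect login events for an incident window and seal them as evidence.
Constructed example: host names, users, addresses and the log path are made up."""
import hashlib
import json
import re
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog format (not a real log).
SAMPLE_AUTH_LOG = """\
Mar 12 09:58:10 hq-fileserver sshd[2311]: Accepted password for jdoe from 10.0.5.21 port 51022 ssh2
Mar 12 10:03:44 hq-fileserver sshd[2340]: Failed password for invalid user admin from 203.0.113.45 port 40122 ssh2
Mar 12 10:05:02 hq-fileserver sshd[2345]: Accepted publickey for backup from 10.0.5.9 port 52000 ssh2
Mar 12 10:41:17 hq-fileserver CRON[2399]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 12:30:00 hq-fileserver sshd[2400]: Accepted password for jdoe from 10.0.5.21 port 51200 ssh2
"""
LOG_YEAR = 2024                                  # syslog timestamps carry no year; assumed
WINDOW_START = datetime(2024, 3, 12, 10, 0, 0)   # outage began (assumed)
WINDOW_END = datetime(2024, 3, 12, 12, 0, 0)     # service restored (assumed)
SOURCE = "hq-fileserver:/var/log/auth.log"       # assumed evidence source

# Matches sshd "Accepted"/"Failed" lines; "invalid user" is skipped so the user name is captured.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<src>\S+)\sport\s(?P<port>\d+)")


def parse_login_events(text: str, year: int = LOG_YEAR) -> list[dict]:
    """Return one record per sshd login attempt; unrelated lines (e.g. CRON) are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts.isoformat(), "host": m["host"], "user": m["user"],
                       "result": m["result"].lower(), "method": m["method"],
                       "src": m["src"], "port": int(m["port"]), "raw": line})
    return events


def _digest(records: list[dict]) -> str:
    """SHA-256 over a canonical JSON encoding so the hash is reproducible."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def collect_login_evidence(text: str, start: datetime, end: datetime,
                           collected_by: str, collected_at: str) -> dict:
    """Filter events to the incident window and wrap them in a custody record."""
    records = [e for e in parse_login_events(text)
               if start <= datetime.fromisoformat(e["time"]) <= end]
    return {
        "source": SOURCE,
        "window": [start.isoformat(), end.isoformat()],
        "collected_by": collected_by,
        "collected_at": collected_at,
        "record_count": len(records),
        "failed_logins": sum(r["result"] == "failed" for r in records),
        "sha256": _digest(records),
        "records": records,
    }


def verify_evidence(evidence: dict) -> bool:
    """True only if the records still match the hash taken at collection time."""
    return (_digest(evidence["records"]) == evidence["sha256"]
            and evidence["record_count"] == len(evidence["records"]))


if __name__ == "__main__":
    ev = collect_login_evidence(SAMPLE_AUTH_LOG, WINDOW_START, WINDOW_END,
                                collected_by="IT administrator",
                                collected_at="2024-03-12T12:45:00")
    print(json.dumps(ev, indent=2))
    print("verified:", verify_evidence(ev))
```

The custody record (source, window, collector, time, count, hash) is what the handling procedure asks for in words; keeping it next to the records means a reviewer can re-run verify_evidence later and prove nothing was changed. The failed attempt from an outside address in the window is exactly the kind of line the policy wants preserved rather than lost to log rotation.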
In this scenario, the company's accountant deleted all of a client's files by mistake. The data was recovered from backup, in line with the incident response plan already in place. The following is the incident management policy that can be adopted by the company.
Incident Management Policy
According to Skipsey et al. (2015), file deletion is a very common incident, whether it happens intentionally or unintentionally. It is therefore prudent that backup storage be put in place. Backups should be kept both on the network and off it (Söderholm et al., 2019); cloud storage and external drives are examples of places where data can be backed up. An off-network copy matters because a deletion that reaches a network share can also reach a backup stored on that same share. In the event this incident happens, a report should be given to the incident management team within thirty minutes to pave the way for data restoration.
Services to be Provided
The following services should be provided by the incident management team:
- Establish the circumstances under which the file was deleted, to ascertain whether it was accidental or intentional.
- Establish whether a backup of the deleted file's data exists.
- If the data is available in backup, restore it within thirty minutes.
- If the data is not available in backup, inform management immediately so that appropriate action can be taken.
Incident Response Plan
In the event a file is deleted, the following will be done to ensure a timely response:
- The accountant, or whoever is responsible, should inform the incident response team within five minutes.
- If the file is available in backup, all of the data should be restored within fifteen minutes.
- An assessment should be made of whether the person who deleted the file also altered other data in their custody, by comparing the remaining files against the backup copy.
- Any data found to have been altered should be corrected.
Handling and Reporting Procedure
File deletion leads to absolute data loss if the data has not been backed up. If this incident happens, the data emergency response team should be notified within five minutes. A response describing the action in the pipeline should be given within ten minutes. Full restoration should take place within thirty minutes; otherwise escalation should take place.
The incident management team should establish the intent behind the deletion. An investigation should be done to establish its cause, and the activity around the deletion (file access and deletion records) should be examined to collect sufficient evidence for further action if necessary.
All staff members, especially accountants, should be trained on how to manage files and how to restore deleted files from the recycle bin where that is still possible. Staff will also be trained on how to back up their own data without depending solely on the central backup. Training will take place during orientation and whenever new programs are launched.
Once the responsible people have been notified of the file deletion, a response should be given within ten minutes. Backed-up files should be restored within fifteen minutes, or management should decide on an appropriate action. The responsible person should cooperate with either management or the incident management team, depending on the nature of the file.
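Here is an added example, not from the original answer, of the restoration step described above: it checks a client's directory against the hashes recorded at backup time, restores only the files that are missing, and reports files whose content differs from the backup so a person can decide about them rather than silently overwriting. The directory layout and file contents are constructed for the demonstration.

```python
"""Verify a client's files against the last backup, restore what was deleted,
and flag anything whose content no longer matches the backup.
Constructed example: the directories and file contents are made up."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large ledgers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root.
    In practice this is written when the backup is taken, so it records
    the state you are restoring to, not the state after the incident."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_backup(live: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify each backed-up file as intact, modified or missing in the live tree."""
    result: dict[str, list[str]] = {"intact": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        p = live / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["modified"].append(rel)
        else:
            result["intact"].append(rel)
    return result


def restore_missing(backup: Path, live: Path, missing: list[str]) -> list[str]:
    """Copy back only the deleted files; modified files are left for a human decision
    because overwriting them could destroy legitimate work done since the backup."""
    restored = []
    for rel in missing:
        dst = live / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dst)   # copy2 keeps timestamps, useful for the report
        restored.append(rel)
    return restored


def run_demo() -> dict:
    """Build a backup and a damaged live copy in temp dirs, then run the procedure."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp) / "backup", Path(tmp) / "live"
        files = {  # constructed client files
            "clientA/ledger.csv": b"date,amount\n2024-03-01,100\n",
            "clientA/invoice-001.txt": b"Invoice 001 total 100\n",
            "clientA/notes.txt": b"nothing unusual\n",
        }
        for rel, data in files.items():
            for root in (backup, live):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        manifest = build_manifest(backup)
        # The incident: one file deleted, one silently altered.
        (live / "clientA/invoice-001.txt").unlink()
        (live / "clientA/ledger.csv").write_bytes(b"date,amount\n2024-03-01,1000\n")
        before = compare_to_backup(live, manifest)
        restored = restore_missing(backup, live, before["missing"])
        after = compare_to_backup(live, manifest)
        return {"before": before, "restored": restored, "after": after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The "modified" list after restoration is the output the plan's assessment step needs: it is the set of files that still differ from the backup and therefore need a decision about whether the change was legitimate work or interference.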
Giadom, V. L., & Edem, W. E. (2014). Context management strategies in wireless network. Retrieved from http://165.193.178.
Skipsey, S. C., Todev, P., Britton, D., Crooks, D., & Roy, G. (2015). Extending DIRAC File Management with Erasure-Coding for efficient storage.
Söderholm, P., Hellsmark, H., Frishammar, J., Hansson, J., Mossberg, J., & Sandström, A. (2019). Technological development for sustainability: The role of network management in the innovation policy mix. Technological Forecasting and Social Change, 138, 309-323.