Info Security & Risk Mgmt

[Figure: CarVend Sales Inc. network diagram. External parties connecting to the network: Finance (lenders, banks, finance companies, credit rating agencies); Online Customers; CarVend Delivery (trucking companies for shipping, small car dealerships, car vending machines). Data Centers: rack servers, web servers, data servers, application servers. Diagram note: in addition to online customers, the vendors, creditors, and financial institutions will be accessing the network.]
ISOL 533 – Information Security and Risk Management
University of the Cumberlands
DISASTER RECOVERY PLAN
Information Technology Statement of Intent
This document delineates Health Network, Inc. (Health Network) policies and procedures for
technology disaster recovery, as well as our process-level plans for recovering critical technology
platforms and the telecommunications infrastructure. This document summarizes our
recommended procedures. In the event of an actual emergency situation, modifications to this
document may be made to ensure physical safety of our people, our systems, and our data.
Our mission is to ensure information system uptime, data integrity and availability, and
business continuity.
Policy Statement
Corporate management has approved the following policy statement:
• The company shall develop a comprehensive IT disaster recovery plan.
• A formal risk assessment shall be undertaken to determine the requirements for the disaster recovery plan.
• The disaster recovery plan should cover all essential and critical infrastructure elements, systems and networks, in accordance with key business activities.
• The disaster recovery plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed.
• All staff must be made aware of the disaster recovery plan and their own respective roles.
• The disaster recovery plan is to be kept up to date to take into account changing circumstances.
Objectives
The principal objective of the disaster recovery program is to develop, test and document a well-structured and easily understood plan which will help the company recover as quickly and
effectively as possible from an unforeseen disaster or emergency which interrupts information
systems and business operations. Additional objectives include the following:
• The need to ensure that all employees fully understand their duties in implementing such a plan
• The need to ensure that operational policies are adhered to within all planned activities
• The need to ensure that proposed contingency arrangements are cost-effective
• The need to consider implications on other company sites
• Disaster recovery capabilities as applicable to key customers, vendors and others
Key Personnel Contact Info
  Name, Title | Contact Option | Contact Number
  (The template repeats the block below once for each of six key personnel.)
  Work:
  Alternate:
  Mobile:
  Home:
  Email Address:
  Alternate Email:
Notification Calling Tree
[Figure: Notification Calling Tree, beginning with the person identifying the incident.]
External Contacts
  Name, Title | Contact Option | Contact Number
  (Each entry has Work, Mobile, Home and Email Address fields; some entries also carry a Fax or Emergency Reporting number, and one entry carries User ID and Password fields.)
  Landlord / Property Manager: Account Number None
  Power Company: Account Number
  Telecom Carrier 1: Account Number
  Telecom Carrier 2: Account Number
  Hardware Supplier 1: Account Number
  Server Supplier 1: Account Number
  Workstation Supplier 1: Account Number
  Office Supplies 1: Account Number C3095783
  Insurance – Name: Account Number
  Site Security –: Account Number
  Off-Site Storage 1: Account Number
  Off-Site Storage 2: Account Number
  HVAC –: Account Number
  Power Generator –: Account Number
  Other –: Account Number
External Contacts Calling Tree
[Figure: External Contacts Calling Tree]
1 Plan Overview
1.1 Plan Updating
It is necessary for the DRP updating process to be properly structured and controlled. Whenever
changes are made to the plan they are to be fully tested and appropriate amendments should be
made to the training materials. This will involve the use of formalized change control procedures
under the control of the IT Director.
1.2 Plan Documentation Storage
Copies of this Plan, on CD and in hard copy, will be stored in secure locations to be defined by the
company. Each member of senior management will be issued a CD and hard copy of this plan to
be filed at home. Each member of the Disaster Recovery Team and the Business Recovery
Team will be issued a CD and hard copy of this plan. A master protected copy will be stored on
specific resources established for this purpose.
1.3 Backup Strategy
Key business processes and the agreed backup strategy for each are listed below. The strategy
chosen is for a fully mirrored recovery site at the company’s alternate sites. This strategy entails
the maintenance of a fully mirrored duplicate site which will enable instantaneous switching
between the live site (headquarters) and the backup site.
KEY BUSINESS PROCESS        BACKUP STRATEGY
IT Operations               Fully mirrored recovery site
Tech Support – Hardware     Fully mirrored recovery site
Tech Support – Software     Fully mirrored recovery site
Facilities Management       Fully mirrored recovery site
Email                       Fully mirrored recovery site
Purchasing                  Fully mirrored recovery site
Disaster Recovery           Fully mirrored recovery site
Finance                     Fully mirrored recovery site
Contracts Admin             Fully mirrored recovery site
Warehouse & Inventory       Fully mirrored recovery site
Product Sales               Fully mirrored recovery site
Maintenance Sales           Fully mirrored recovery site
Human Resources             Off-site data storage facility
Testing                     Fully mirrored recovery site
Workshop                    Fully mirrored recovery site
Call Center                 Fully mirrored recovery site
Web Site                    Fully mirrored recovery site
1.4 Risk Management
There are many potential disruptive threats which can occur at any time and affect the normal
business process. We have considered a wide range of potential threats and the results of our
deliberations are included in this section. Each potential environmental disaster or emergency
situation has been examined. The focus here is on the level of business disruption which could
arise from each type of disaster.
Potential disasters have been assessed as follows:
  Potential Disaster | Probability Rating | Impact Rating | Brief Description Of Potential Consequences & Remedial Actions
  Probability: 1=Very High, 5=Very Low
  Impact: 1=Total destruction, 5=Minor annoyance
2 Emergency Response
2.1 Alert, escalation and plan invocation
2.1.1 Plan Triggering Events
Key trigger issues at headquarters that would lead to activation of the DRP are:
• Total loss of all communications
• Total loss of power
• Flooding of the premises
• Loss of the building
2.1.2 Assembly Points
Where the premises need to be evacuated, the DRP invocation plan identifies two evacuation
assembly points:
• Primary – Far end of main parking lot;
• Alternate – Parking lot of company across the street
2.1.3 Activation of Emergency Response Team
When an incident occurs the Emergency Response Team (ERT) must be activated. The ERT will
then decide the extent to which the DRP must be invoked. All employees must be issued a
Quick Reference card containing ERT contact details to be used in the event of a disaster.
Responsibilities of the ERT are to:
• Respond immediately to a potential disaster and call emergency services;
• Assess the extent of the disaster and its impact on the business, data center, etc.;
• Decide which elements of the DR Plan should be activated;
• Establish and manage disaster recovery team to maintain vital services and return to normal operation;
• Ensure employees are notified and allocate responsibilities and activities as required.
2.2 Disaster Recovery Team
The team will be contacted and assembled by the ERT. The team’s responsibilities include:
• Establish facilities for an emergency level of service within 2.0 business hours;
• Restore key services within 4.0 business hours of the incident;
• Recover to business as usual within 8.0 to 24.0 hours after the incident;
• Coordinate activities with disaster recovery team, first responders, etc.;
• Report to the emergency response team.
2.3 Emergency Alert, Escalation and DRP Activation
This policy and procedure has been established to ensure that in the event of a disaster or crisis,
personnel will have a clear understanding of who should be contacted. Procedures have been
addressed to ensure that communications can be quickly established while activating disaster
recovery.
The DR plan will rely principally on key members of management and staff who will provide the
technical and management skills necessary to achieve a smooth technology and business
recovery. Suppliers of critical goods and services will continue to support recovery of business
operations as the company returns to normal operating mode.
2.3.1 Emergency Alert
The person discovering the incident calls a member of the Emergency Response Team in the
order listed:
Emergency Response Team:
• ____________________
• ____________________
• ____________________
If not available try:
• ____________________
• ____________________
The Emergency Response Team (ERT) is responsible for activating the DRP for disasters
identified in this plan, as well as in the event of any other occurrence that affects the company’s
capability to perform normally.
One of the tasks during the early stages of the emergency is to notify the Disaster Recovery
Team (DRT) that an emergency has occurred. The notification will request DRT members to
assemble at the site of the problem and will involve sufficient information to have this request
effectively communicated. The Business Recovery Team (BRT) will consist of senior
representatives from the main business departments. The BRT Leader will be a senior member of
the company’s management team, and will be responsible for taking overall charge of the
process and ensuring that the company returns to normal working operations as early as
possible.
2.3.2 DR Procedures for Management
Members of the management team will keep a hard copy of the names and contact numbers of
each employee in their departments. In addition, management team members will have a hard
copy of the company’s disaster recovery and business continuity plans on file in their homes in
the event that the headquarters building is inaccessible, unusable, or destroyed.
2.3.3 Contact with Employees
Managers will serve as the focal points for their departments, while designated employees will
call other employees to discuss the crisis/disaster and the company’s immediate plans.
Employees who cannot reach staff on their call list are advised to call the staff member’s
emergency contact to relay information on the disaster.
2.3.4 Backup Staff
If a manager or staff member designated to contact other staff members is unavailable or
incapacitated, the designated backup staff member will perform notification duties.
2.3.5 Recorded Messages / Updates
For the latest information on the disaster and the organization’s response, staff members can call
a toll-free hotline listed in the DRP wallet card. Included in messages will be data on the nature
of the disaster, assembly sites, and updates on work resumption.
2.3.7 Alternate Recovery Facilities / Hot Site
If necessary, the hot site at SunGard will be activated and notification will be given via recorded
messages or through communications with managers. Hot site staffing will consist of members of
the disaster recovery team only for the first 24 hours, with other staff members joining at the hot
site as necessary.
2.3.8 Personnel and Family Notification
If the incident has resulted in a situation which would cause concern to an employee’s immediate
family such as hospitalization of injured persons, it will be necessary to notify their immediate
family members quickly.
3 Media
3.1 Media Contact
Assigned staff will coordinate with the media, working according to guidelines that have been
previously approved and issued for dealing with post-disaster communications.
3.2 Media Strategies
1. Avoid adverse publicity
2. Take advantage of opportunities for useful publicity
3. Have answers to the following basic questions:
 What happened?
 How did it happen?
 What are you going to do about it?
3.3 Media Team
• ____________________
• ____________________
• ____________________
3.4 Rules for Dealing with Media
Only the media team is permitted direct contact with the media; anyone else contacted should
refer callers or in-person media representatives to the media team.
4 Insurance
As part of the company’s disaster recovery and business continuity strategies a number of
insurance policies have been put in place. These include errors and omissions, directors &
officers liability, general liability, and business interruption insurance.
If insurance-related assistance is required following an emergency out of normal business hours,
please contact:
  Policy Name | Coverage Type | Coverage Period | Amount Of Coverage | Person Responsible For Coverage | Next Renewal Date
5 Financial and Legal Issues
5.1 Financial Assessment
The emergency response team shall prepare an initial assessment of the impact of the incident
on the financial affairs of the company. The assessment should include:
 Loss of financial documents
 Loss of revenue
 Theft of check books, credit cards, etc.
 Loss of cash
5.2 Financial Requirements
The immediate financial needs of the company must be addressed. These can include:
 Cash flow position
 Temporary borrowing capability
 Upcoming payments for taxes, payroll taxes, Social Security, etc.
 Availability of company credit cards to pay for supplies and services required post-disaster
5.3 Legal Actions
The company legal department and ERT will jointly review the aftermath of the incident and
decide whether there may be legal actions resulting from the event; in particular, the possibility of
claims by or against the company for regulatory violations, etc.
6 DRP Exercising
Disaster recovery plan exercises are an essential part of the plan development process. In a
DRP exercise no one passes or fails; everyone who participates learns from exercises – what
needs to be improved, and how the improvements can be implemented. Plan exercising ensures
that emergency teams are familiar with their assignments and, more importantly, are confident in
their capabilities.
Successful DR plans launch into action smoothly and effectively when they are needed. This will
only happen if everyone with a role to play in the plan has rehearsed the role one or more times.
The plan should also be validated by simulating the circumstances within which it has to work and
seeing what happens.
Appendix A – Technology Disaster Recovery Plan Templates

Disaster Recovery Plan for SYSTEM

SYSTEM OVERVIEW
  PRODUCTION SERVER
    Location: Enter location
    Server Model:    Operating System:    CPUs:    Memory:    Total Disk:
    System Handle:    System Serial #:    DNS Entry:    IP Address:
    Other:
  HOT SITE SERVER
  APPLICATIONS (Use bold for Hot Site)
  ASSOCIATED SERVERS

KEY CONTACTS
  Hardware Vendor
  System Owners
  Database Owner
  Application Owners
  Software Vendors
  Offsite Storage

BACKUP STRATEGY FOR SYSTEM ONE
  Daily / Monthly / Quarterly
  Choose which strategy on the left you would use and provide details on why.

SYSTEM ONE DISASTER RECOVERY PROCEDURE
  Scenario 1, Total Loss of Data: Provide details
  Scenario 2, Total Loss of HW: Provide details

Database/File Systems
  File System as of ________
  Filesystem | Mounted on | kbytes | Used | Avail | %used
  Minimal file systems to be backed-up and restored:
  Other critical files to modify:
  Necessary directories to create:
  Critical files to restore:
  Secondary files to restore:
  Other files to restore:
Disaster Recovery Plan for Local Area Network (LAN)

SYSTEM OVERVIEW
  SERVER
    Location:
    Server Model:    Operating System:    CPUs:
    Memory:    Total Disk:    System Handle:    System Serial #:
    DNS Entry:    IP Address:
    Other:
  HOT SITE SERVER
  APPLICATIONS (Use bold for Hot Site)
  ASSOCIATED SERVERS
  Provide details

KEY CONTACTS
  Hardware Vendor: Provide details
  System Owners: Provide details
  Database Owner: Provide details
  Application Owners: Provide details
  Software Vendors: Provide details
  Offsite Storage: Provide details

BACKUP STRATEGY for SYSTEM TWO
  Daily: Provide details
  Monthly: Provide details
  Quarterly: Provide details

SYSTEM TWO DISASTER RECOVERY PROCEDURE
  Scenario 1, Total Loss of Data: Provide details
  Scenario 2, Total Loss of HW: Provide details

ADDENDUM
CONTACTS

File Systems
  File System as of ________
  Filesystem | Mounted on | kbytes | Used | Avail | %used
  Minimal file systems to be created and restored from backup:
  Other critical files to modify:
  Necessary directories to create:
  Critical files to restore:
  Secondary files to restore:
  Other files to restore:
Disaster Recovery Plan for Wide Area Network (WAN)

SYSTEM OVERVIEW
  EQUIPMENT
    Location:
    Device Type:    Model No.:    Technical Specifications:
    Network Interfaces:    Power Requirements:
    System Serial #:    DNS Entry:
    IP Address:
    Other:
  HOT SITE EQUIPMENT
  SPECIAL APPLICATIONS
  ASSOCIATED DEVICES
  Provide details

KEY CONTACTS
  Hardware Vendor: Provide details
  System Owners: Provide details
  Database Owner: Provide details
  Application Owners: Provide details
  Software Vendors: Provide details
  Offsite Storage: Provide details
  Network Services: Provide details

BACKUP STRATEGY for SYSTEM TWO
  Daily: Provide details
  Monthly: Provide details
  Quarterly: Provide details

SYSTEM TWO DISASTER RECOVERY PROCEDURE
  Scenario 1, Total Loss of Network: Provide details
  Scenario 2, Total Loss of HW: Provide details

ADDENDUM
CONTACTS

Support Systems
  Support system
  Critical network assets
  Critical interfaces
  Critical files to restore
  Critical network services to restore
  Other services
Disaster Recovery Plan for Remote Connectivity

SYSTEM OVERVIEW
  EQUIPMENT
    Location:
    Device Type:    Model No.:
    Technical Specifications:
    Network Interfaces:
    Power Requirements:    System Serial #:
    DNS Entry:
    IP Address:
    Other:
  HOT SITE EQUIPMENT
  SPECIAL APPLICATIONS
  ASSOCIATED DEVICES
  Provide details

KEY CONTACTS
  Hardware Vendor: Provide details
  System Owners: Provide details
  Database Owner: Provide details
  Application Owners: Provide details
  Software Vendors: Provide details
  Offsite Storage: Provide details
  Network Services: Provide details

BACKUP STRATEGY for SYSTEM TWO
  Daily: Provide details
  Monthly: Provide details
  Quarterly: Provide details

SYSTEM TWO DISASTER RECOVERY PROCEDURE
  Scenario 1, Total Loss of Network: Provide details
  Scenario 2, Total Loss of HW: Provide details

ADDENDUM
CONTACTS

Support Systems
  Support system
  Critical network assets
  Critical interfaces
  Critical files to restore
  Critical network services to restore
  Other services
Disaster Recovery Plan for Voice Communications

SYSTEM OVERVIEW
  EQUIPMENT
    Location:
    Device Type:    Model No.:
    Technical Specifications:    Network Interfaces:
    Power Requirements:    System Serial #:
    DNS Entry:
    IP Address:
    Other:
  HOT SITE EQUIPMENT
  SPECIAL APPLICATIONS
  ASSOCIATED DEVICES
  Provide details

KEY CONTACTS
  Hardware Vendor: Provide details
  System Owners: Provide details
  Database Owner: Provide details
  Application Owners: Provide details
  Software Vendors: Provide details
  Offsite Storage: Provide details
  Network Services: Provide details

BACKUP STRATEGY for SYSTEM TWO
  Daily: Provide details
  Monthly: Provide details
  Quarterly: Provide details

SYSTEM TWO DISASTER RECOVERY PROCEDURE
  Scenario 1, Total Loss of Switch: Provide details
  Scenario 2, Total Loss of Network: Provide details

ADDENDUM
CONTACTS

Support Systems
  Support system
  Critical network assets
  Critical interfaces
  Critical files to restore
  Critical network services to restore
  Other services
Appendix B – Suggested Forms

Damage Assessment Form
  Key Business Process Affected | Description Of Problem | Extent Of Damage
_____________

Management of DR Activities Form
• During the disaster recovery process all activities will be determined using a standard structure;
• Where practical, this plan will need to be updated on a regular basis throughout the disaster recovery period;
• All actions that occur during this phase will need to be recorded.
Activity Name:
Reference Number:
Brief Description:
  Commencement Date/Time | Completion Date/Time | Resources Involved | In Charge
__________________
Disaster Recovery Event Recording Form
• All key events that occur during the disaster recovery phase must be recorded.
• An event log shall be maintained by the disaster recovery team leader.
• This event log should be started at the commencement of the emergency and a copy of the log passed on to the business recovery team once the initial dangers have been controlled.
• The following event log should be completed by the disaster recovery team leader to record all key events during disaster recovery, until such time as responsibility is handed over to the business recovery team.
Description of Disaster:
Commencement Date:
Date/Time DR Team Mobilized:
  Activities Undertaken by DR Team | Date and Time | Outcome | Follow-On Action Required
Disaster Recovery Team’s Work Completed:
Event Log Passed to Business Recovery Team:
_________________
Disaster Recovery Activity Report Form
• On completion of the initial disaster recovery response the DRT leader should prepare a report on the activities undertaken.
• The report should contain information on the emergency, who was notified and when, action taken by members of the DRT together with outcomes arising from those actions.
• The report will also contain an assessment of the impact to normal business operations.
• The report should be given to business recovery team leader, with a copy to senior management, as appropriate.
• A disaster recovery report will be prepared by the DRT leader on completion of the initial disaster recovery response.
• In addition to the business recovery team leader, the report will be distributed to senior management.
The report will include:
• A description of the emergency or incident
• Those people notified of the emergency (including dates)
• Action taken by members of the DRT
• Outcomes arising from actions taken
• An assessment of the impact to normal business operations
• Assessment of the effectiveness of the BCP and lessons learned
• Lessons learned
__________
Mobilizing the Disaster Recovery Team Form
• Following an emergency requiring recovery of technology infrastructure assets, the disaster recovery team should be notified of the situation and placed on standby.
• The format shown below can be used for recording the activation of the DR team once the work of the damage assessment and emergency response teams has been completed.
Description of Emergency:
Date Occurred:
Date Work of Disaster Recovery Team Completed:
  Name of Team Member | Contact Details | Contacted On (Time / Date) | By Whom | Response | Start Date Required | Relevant Comments (e.g., Specific Instructions Issued)
___________
Mobilizing the Business Recovery Team Form
• Following an emergency requiring activation of the disaster recovery team, the business recovery team should be notified of the situation and placed on standby.
• The format shown below will be used for recording the activation of the business recovery team once the work of the disaster recovery team has been completed.
Description of Emergency:
Date Occurred:
Date Work of Business Recovery Team Completed:
  Name of Team Member | Contact Details | Contacted On (Time / Date) | By Whom | Response | Start Date Required | Relevant Comments (e.g., Specific Instructions Issued)
____________
Monitoring Business Recovery Task Progress Form
• The progress of technology and business recovery tasks must be closely monitored during this period of time.
• Since difficulties experienced by one group could significantly affect other dependent tasks it is important to ensure that each task is adequately resourced and that the efforts required to restore normal business operations have not been underestimated.
Note: A priority sequence must be identified although, where possible, activities will be carried out simultaneously.
  Recovery Tasks (Order of Priority) | Person(s) Responsible | Completion Date (Estimated / Actual) | Milestones Identified | Other Relevant Information
  1.
  2.
  3.
  4.
  5.
  6.
  7.
___________
Preparing the Business Recovery Report Form
• On completion of business recovery activities the BRT leader should prepare a report on the activities undertaken and completed.
• The report should contain information on the disruptive event, who was notified and when, action taken by members of the BRT together with outcomes arising from those actions.
• The report will also contain an assessment of the impact to normal business operations.
• The report should be distributed to senior management, as appropriate.
The contents of the report shall include:
 A description of the incident
 People notified of the emergency (including dates)
 Action taken by the business recovery team
 Outcomes arising from actions taken
 An assessment of the impact to normal business operations
 Problems identified
 Suggestions for enhancing the disaster recovery and/or business continuity plan
 Lessons learned
Communications Form
• It is very important during the disaster recovery and business recovery activities that all affected persons and organizations are kept properly informed.
• The information given to all parties must be accurate and timely.
• In particular, any estimate of the timing to return to normal working operations should be announced with care.
• It is also very important that only authorized personnel deal with media queries.
  Groups of Persons or Organizations Affected by Disruption | Persons Selected To Coordinate Communications to Affected Persons / Organizations (Name | Position | Contact Details)
  Customers
  Management & Staff
  Suppliers
  Media
  Stakeholders
  Others
____________
Returning Recovered Business Operations to Business Unit Leadership
• Once normal business operations have been restored it will be necessary to return the responsibility for specific operations to the appropriate business unit leader.
• This process should be formalized in order to ensure that all parties understand the change in overall responsibility, and the transition to business-as-usual.
• It is likely that during the recovery process, overall responsibility may have been assigned to the business recovery process lead.
• It is assumed that business unit management will be fully involved throughout the recovery, but in order for the recovery process to be fully effective, overall responsibility during the recovery period should probably be with a business recovery process team.
____________
Business Process/Function Recovery Completion Form
The following transition form should be completed and signed by the business recovery team
leader and the responsible business unit leader, for each process recovered.
A separate form should be used for each recovered business process.
Name Of Business Process
Completion Date of Work Provided by Business Recovery Team
Date of Transition Back to Business Unit Management
(If different than completion date)
I confirm that the work of the business recovery team has been completed in accordance with
the disaster recovery plan for the above process, and that normal business operations have
been effectively restored.
Business Recovery Team Leader Name: ________________________________________
Signature: ________________________________________________________________
Date: __________________________
(Any relevant comments by the BRT leader in connection with the return of this business
process should be made here.)
I confirm that above business process is now acceptable for normal working conditions.
Name: ___________________________________________________________________
Title: ____________________________________________________________________
Signature: ________________________________________________________________
Date: __________________________
ISOL 533 – InfoSecurity & Risk Management
University of The Cumberlands
Computer Incident Response Team Plan
Purpose
This plan was developed for Health Network, Inc. (Health Network) and it is classified as the confidential
property of that entity. Due to the sensitive nature of the information contained herein, this plan is
available only to those persons who have been designated as members of one or more incident
management teams, or who otherwise play a direct role in the incident response and recovery processes.
Policy
This document discusses the steps taken by the Computer Incident Response Team during an incident.
1) The person who discovers the incident will call the IT Incident Response department.
2) The IT Incident Response department will create a ticket in the Incident Response database and
document:
a) The name of the caller.
b) Time of the call.
c) Contact information about the caller.
d) The nature of the incident.
e) What equipment or persons were involved?
f) Location of equipment or persons involved.
g) How the incident was detected.
h) When the event was first noticed that supported the idea that the incident occurred.
Incidents will be classified as either Physical or Electronic. The security department will
handle all Physical incidents. The IT department will handle all Electronic incidents.
3) If the incident is validated, the IT Incident Response department will contact the following offices,
as appropriate, with details from the Incident Response database, to ensure they are aware of the
incident:
a) Incident Response manager (via both email and phone messages)
b) The security department (via both email and phone messages)
c) LAN/WAN and Intrusion detection monitoring personnel (via phone)
d) Affected system administrator (via phone)
e) Affected database administrator (via phone)
4) The Incident Response department will research the Incident knowledge-base and add the
following to the Incident Response ticket:
a) Is the equipment affected classified as business critical?
b) The Risk Factor/Impact and RTO of the systems affected?
c) Name of system being targeted, along with operating system, IP address, and location.
d) IP address and any information about the origin of the attack.
5) The Incident Response manager will determine which response teams will be mobilized and
contact the IT Incident Response department to have them contact the team members.
6) The contacted Response Team members will meet or discuss the situation over the telephone
and determine a response strategy.
a) Is the incident real or perceived?
b) Is the incident still in progress?
c) What data or property is threatened and how critical is it?
d) What is the impact on the business should the attack succeed? Critical, Major, Minor?
e) What system or systems are targeted, where are they located physically and on the
network?
f) Is the incident inside the trusted network?
g) Is the response urgent?
h) Can the incident be quickly contained?
i) Will the response alert the attacker and if so, how will the response proceed?
j) What type of incident is this? Example: virus, worm, intrusion, abuse, damage.
7) The Response Team lead will update the Incident Response ticket. The incident will be
categorized into the highest applicable level of one of the following categories:
a) Category one – A threat to public safety or life.
b) Category two – A threat to sensitive data
c) Category three – A threat to computer systems
d) Category four – A disruption of services
8) Response Team members will follow one of the established Incident Response procedures (if a
procedure does not exist, the Response Team will develop and document the new procedure).
The following procedures are currently active.
a) Worm response procedure
b) Virus response procedure
c) System failure procedure
d) Active intrusion response procedure – Is critical data at risk?
e) Inactive Intrusion response procedure
f) System abuse procedure
g) Property theft response procedure
h) Website denial of service response procedure
i) Database or file denial of service response procedure
j) Spyware response procedure.
If a new procedure is developed, it will be forwarded to the Incident Response manager once the
incident is resolved so the manager may add it to this document.
9) Response Team members will use forensic techniques, including reviewing system logs, looking
for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident
victim to determine how the incident was caused. Only authorized personnel should be
performing interviews or examining evidence, and the authorized personnel may vary by situation
and the organization.
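The log review in step 9 can be partly automated. The following is an added example, not part of this plan, that walks a syslog-style file once and flags two things an analyst looks for: silent periods (the host went quiet, or lines were deleted) and timestamps that run backwards (clock changed, or old entries injected). The log lines and the five-minute heartbeat threshold are constructed for illustration; a real run would use the host's own logging interval.

```python
"""Log-gap and clock-regression check for step 9 (reviewing system logs).

Added example, not part of the CIRT plan. The log lines are constructed
for illustration; the 5-minute threshold is an assumed heartbeat interval.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: cron/sshd activity roughly once a minute, then 40
# silent minutes, then a root login, then an entry whose clock runs backwards.
SAMPLE_LOG = """\
2024-03-04T10:00:02 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5
2024-03-04T10:01:00 web01 cron[1210]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-04T10:02:01 web01 systemd[1]: Started Session 42 of user deploy.
2024-03-04T10:42:17 web01 sshd[1388]: Accepted password for root from 203.0.113.9
2024-03-04T10:43:00 web01 cron[1410]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-04T10:30:00 web01 sshd[1388]: pam_unix(sshd:session): session opened for user root
-- MARK --
2024-03-04T10:44:00 web01 cron[1420]: (root) CMD (run-parts /etc/cron.hourly)
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s")


def parse_timestamp(line):
    """Return the ISO-8601 timestamp at the start of a log line, or None."""
    m = TS_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")


def analyze_log(text, max_gap=timedelta(minutes=5)):
    """Walk the log once and report silent periods, backwards clocks and
    lines without a timestamp.

    A gap is an entry later than the latest timestamp seen so far by more
    than max_gap. A regression is an entry earlier than the latest seen so
    far. Both are places to read closely, not proof of tampering by
    themselves.
    """
    report = {"gaps": [], "regressions": [], "unparsed": []}
    high_water = None  # latest timestamp seen so far
    for lineno, line in enumerate(text.splitlines(), start=1):
        ts = parse_timestamp(line)
        if ts is None:
            report["unparsed"].append((lineno, line))
            continue
        if high_water is not None:
            if ts < high_water:
                report["regressions"].append((lineno, high_water, ts))
            elif ts - high_water > max_gap:
                report["gaps"].append((lineno, high_water, ts, ts - high_water))
        if high_water is None or ts > high_water:
            high_water = ts
    return report


if __name__ == "__main__":
    r = analyze_log(SAMPLE_LOG)
    for lineno, prev, ts, gap in r["gaps"]:
        print(f"line {lineno}: {gap} of silence between {prev} and {ts}")
    for lineno, prev, ts in r["regressions"]:
        print(f"line {lineno}: timestamp {ts} is earlier than {prev} seen before it")
    for lineno, line in r["unparsed"]:
        print(f"line {lineno}: no timestamp: {line!r}")
```

On the constructed sample the 40-minute gap immediately precedes a root password login from an external address, and the later entry stamped 10:30 carries the same sshd PID as that login, which is exactly the pattern worth checking against the intrusion detection logs named in step 9. The comparison against the latest timestamp seen (rather than the previous line) keeps a single backwards entry from also being reported as a gap on the next line.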
10) Response Team members will recommend changes to the Response Team manager to prevent
the occurrence from happening again or infecting other systems.
11) Response Team members will restore the affected system(s) to an uninfected state. They may
do any of the following:
a) Re-install the affected system(s) from scratch and restore data from backups if
necessary. Preserve evidence before doing this.
b) Make users change passwords if passwords may have been sniffed.
c) Be sure the system has been hardened by turning off or uninstalling unused services.
d) Be sure the system is fully patched.
e) Be sure real-time virus protection and intrusion detection are running.
f) Be sure the system is logging the correct events and to the proper level.
12) Response Team members will update the ticket with the following:
a) How the incident was discovered.
b) The category of the incident.
c) How the incident occurred, whether through email, firewall, etc.
d) Where the attack came from, such as IP addresses and other related information about
the attacker.
e) What the response plan was.
f) What was done in response?
g) Whether the response was effective.
13) Response Team members will:
a) Make copies of logs, email, and other communication.
b) Update the ticket with a list of all witnesses.
c) Keep evidence as long as necessary to complete prosecution, and beyond that in case of
an appeal.
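Step 11a requires evidence to be preserved before a system is rebuilt, and step 13 requires copies of logs and communications to be kept. The following added example, not the plan's own tooling, shows one way to do both: copy each file, hash original and copy with SHA-256, and write a manifest recording who collected what and when, which is the record the ticket points at and the means of proving later that the copies were not altered. The evidence files, the case identifier INC-0001 and the collector name are constructed for illustration.

```python
"""Preserve evidence copies with a SHA-256 manifest (steps 11a and 13).

Added example, not the CIRT plan's own tooling. Evidence files, the case
id INC-0001 and the collector name are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def collect_evidence(sources, dest_dir, case_id, collector):
    """Copy each source file into dest_dir and write manifest.json beside them.

    Each original is hashed before copying and the copy is hashed after, so a
    bad copy is caught at collection time. The manifest (who, when, what,
    hash) is the chain-of-custody record; in practice it and the copies go
    onto write-once media or an append-only store.
    """
    os.makedirs(dest_dir, exist_ok=True)
    files = []
    for src in sources:
        original_hash = sha256_file(src)
        dst = os.path.join(dest_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the mtime, which is evidence too
        if sha256_file(dst) != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        files.append({
            "original_path": os.path.abspath(src),
            "copy": os.path.basename(dst),
            "size": os.path.getsize(dst),
            "sha256": original_hash,
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(dest_dir):
    """Re-hash every copy listed in manifest.json and return the names that
    no longer match or are missing. An empty list means the set is intact."""
    with open(os.path.join(dest_dir, "manifest.json")) as f:
        manifest = json.load(f)
    tampered = []
    for entry in manifest["files"]:
        path = os.path.join(dest_dir, entry["copy"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            tampered.append(entry["copy"])
    return tampered


def demo():
    """Build constructed evidence, preserve it, alter one copy, re-verify.

    Returns (files preserved, mismatches before tampering, mismatches after).
    """
    work = tempfile.mkdtemp(prefix="cirt-")
    try:
        host = os.path.join(work, "host")
        os.makedirs(host)
        # Constructed sample evidence from the compromised host (assumed content).
        with open(os.path.join(host, "auth.log"), "w") as f:
            f.write("Mar  4 10:42:17 web01 sshd[1388]: Accepted password for root from 203.0.113.9\n")
        with open(os.path.join(host, "access.log"), "w") as f:
            f.write('203.0.113.9 - - [04/Mar/2024:10:41:50 +0000] "GET /admin HTTP/1.1" 200 512\n')
        evidence = os.path.join(work, "evidence")
        manifest = collect_evidence(
            [os.path.join(host, "auth.log"), os.path.join(host, "access.log")],
            evidence, case_id="INC-0001", collector="analyst")
        before = verify_evidence(evidence)
        # Simulated tampering with a preserved copy after collection.
        with open(os.path.join(evidence, "auth.log"), "a") as f:
            f.write("Mar  4 10:42:17 web01 sshd[1388]: Failed password for root\n")
        after = verify_evidence(evidence)
        return len(manifest["files"]), before, after
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # (2, [], ['auth.log'])
```

Run verify_evidence again whenever the evidence changes hands, and record the result on the ticket along with the manifest; this is what step 13c's "keep evidence as long as necessary" depends on, since a copy whose integrity cannot be shown is of little use at prosecution or on appeal.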
14) The Response Team manager will notify the police and other appropriate agencies if prosecution
of the intruder is possible.
15) The Response Team manager will assess the damage to the organization and estimate both the
damage cost and the cost of the containment efforts.
16) The Response Team manager will review the response, update policies, and take preventative
steps so the intrusion can’t happen again.
a) Consider whether an additional policy could have prevented the intrusion.
b) Consider whether a procedure or policy was not followed which allowed the intrusion, and
then consider what could be changed to ensure that the procedure or policy is followed in
the future.
c) Was the incident response appropriate? How could it be improved?
d) Was every appropriate party informed in a timely manner?
e) Were the incident-response procedures detailed and did they cover the entire situation?
How can they be improved?
f) Have changes been made to prevent a re-infection? Have all systems been patched,
systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
g) Have changes been made to prevent a new and similar infection?
h) Should any security policies be updated?
i) What lessons have been learned from this experience?
Appendix A – Incident Response Worksheet
Complete this worksheet for any reported incidents
Preparation:
What tools, applications, laptops, and communication devices were needed to address the Computer
Incident Response for this specific breach?
Identification: When an incident is reported, it must be identified, classified, and documented. During
this step, the following information is needed:
• Identify the nature of the incident
  o What Business Process was impacted
  o What threat was identified
  o What weakness was identified
  o What risk was identified
  o What was the Risk Factor/Impact of the incident
  o What was the RTO, MTD and RPO assigned to the business process
  o What hardware, software, database and other resources were impacted
Containment: The immediate objective is to limit the scope and magnitude of the computer/security-related
incident as quickly as possible, rather than allowing the incident to continue in order to gather evidence for
identifying and/or prosecuting the perpetrator.
• What needed to be done to limit the scope of the incident
Eradication: The next priority is to remove the computer/security-related incident or breach's effects.
• What was done to mitigate the risk of the incident
Recovery: Recovery is specific to bringing back into production those IT systems, applications, and
assets that were affected by the security-related incident.
• What was done to recover the IT systems
  o What procedures were used and were they covered in the Disaster Recovery Plan
  o Was the Business Continuity Plan executed in response to this incident
  o Were any issues identified that would lead to updates to the BIA, BCP or DR plans