
ITC524 Develop, Implement, and Evaluate an Incident Response Plan

Added on: 2024-11-26 12:30:44

Case study

King Edward VII College was established in 2010. The College is based in Melbourne CBD and offers a range of courses in management, marketing, human resources and international business. It currently has around 500 students enrolled across all of its courses.

The College is very popular due to its competitive pricing structure, innovative teaching methods and state of the art facilities.

Due to its success, the College plans to establish two additional campuses, one in Brisbane and one in Sydney within the next 6 months.

The College currently employs 24 staff members. That includes the CEO, a Marketing Manager and a Marketing Assistant, Human Resources Manager, Finance Manager, Administration Officer, IT Manager, IT Support Officer, Receptionist, Academic Manager, Student Services Officer and approximately 14 trainers.

Because the company is growing and its cyber security risk is increasing, it has been determined that a structured incident response plan and policy is required. To date, there has been no plan in place.

The requirements for the plan and policy were discussed in a recent management meeting, with the key requirements advised as:

Alignment with industry best practice standards

Clearly structured to align with best practice i.e. include preparation for incidents, identification of incidents, containment of the incident, eradication to eliminate the root cause, recovery of systems, lessons learned.

Document the incident response team and the services they will provide. The incident response team will be the IT team.

As the IT Manager it is your responsibility to develop and implement an incident plan. The IT Support Officer will act as a team member to support you with incident responses.

Information Security Policy and Procedures

Purpose

The purpose of this document is to outline the security procedures that are enforced within the company. The procedures stated here are applicable to all employees and contractors.

User Identification and Passwords

Each user is allocated an individual username and password. Logon passwords must not be written down or disclosed to another individual. Users are held responsible for all actions performed using this user name.

Staff must notify the IT Help Desk when moving to a new position or location within the company. This ensures that the necessary setups to provide fast access to the most appropriate mail and file servers can be put in place.

Management must notify IT of staff changes.

All user accounts have the following password settings:

Minimum password length of 8 characters;

A combination of alpha, numeric and punctuation should be used;

Passwords must not be easily guessed (i.e. names, months of the year, days of the week, usernames, etc. must not be used as passwords).

Access to company Information

All information held on the networks, including email, file systems and databases, is the property of the company and staff should have no expectation of privacy for this data.

Although it is not the general practice of our company to monitor stored files, email messages and Internet access for their general content, we reserve the right to do so for the protection of staff, for system performance, maintenance, auditing, security or investigative functions (including evidence of unlawful activity or breaches to policy) and to protect the company from potential corporate liability.

Requests to access the computer account of a member of staff who is absent from the office must be directed to the IT team.

Staff must not issue any information to third parties unless they have authorisation to do so.

Users are only permitted to access electronic information and data that they require to perform their duties.

If confidential information is lost, either through loss of a notebook computer, backup media or other security breach, the IT team must be notified immediately.

All computers must be switched off at the end of the day.

Security

Computers must not be left unattended for long periods while signed on e.g. during breaks. Users must either logoff or activate a password-controlled screensaver if they are leaving their PC. The screensaver should be set to activate by default after 10 minutes of inactivity.

IT equipment must not be removed from our premises unless written approval has been received.

Software must not be copied, removed or transferred to any third party or non-organisational equipment such as home PCs without written authorisation from the IT team.

Only software that has been authorised by the IT team may be used on computers connected to the network.

Downloading of any executable files (.exe) or software from the Internet is forbidden without written authorization from the IT team.

Computers for disposal must have the hard disk 'wiped clean' before they are distributed outside the company.

Threat data

Threat data is monitored as follows:

Reviewing event logs on individual computers

Logging into the router to identify possible security attacks

Reviewing firewall data

Data is reviewed weekly and logged in an excel sheet i.e. logging specific events including a description, time, date and actions required.

A report of issues is provided to management each month at the management meeting.

Back ups

Back-ups are regularly completed by the IT team.

Users must always save data and files on the network as opposed to the local hard disk. This ensures that regular backups are taken and are available for recovery purposes. Users should be aware that data saved on the local hard disk is not backed up by the IT team.

User ID and passwords

All unused usernames must be deleted following an initial period when they are disabled. Managers must inform the IT team when staff leave to ensure that their usernames are promptly removed.

Staff transferring sections within the company must have their access privileges reviewed and altered based on their new responsibilities, following notification to the IT team.

Usernames must conform to the standard naming convention. The convention must be used consistently across all applications and platforms.

When the IT team is unsure of the identity of the user requesting a password change, authorisation must be received from the relevant manager before the request is completed.

The company hardware and software must have the vendor-supplied default passwords changed on installation. This applies to test as well as live environments.

Threat Management

Threats that are identified must be assessed within 24 hours and an action plan developed.

Third Party Access

Third Party Access can be defined as "the granting of access to IT resources or data to an individual who is not an employee."

Examples of third parties include:

Software vendor who is providing technical support

Contractor or consultant

Service provider

An individual providing outsourced services requiring access to applications or data.

Third Party Access can only be provided after the Third Party has signed a confidentiality agreement that must be included in their formal contract with us. Staff must never permit another individual to utilise their user name to access the network.

Third party access will only be permitted to facilities and data which are required to perform specific agreed tasks as identified.

Third party access will be audited randomly twice a year for security violations, improper use, and assessment of need.

Employee Screening

All employees will be screened via a criminal background check by a third party entity in addition to standard HR screening procedures (i.e., employment verification, credit reference, etc).


Develop, Implement and Evaluate An Incident Response Plan

Student Declaration

To be filled out and submitted with assessment responses

I declare that this task is all my own work and I have not cheated or plagiarised the work or colluded with any other student(s).

I understand that if I am found to have plagiarised, cheated or colluded, action will be taken against me according to the process explained to me.

I have correctly referenced all resources and reference texts throughout these assessment tasks.

Student name:

Student ID number:

Student signature:

Date:

Assessor declaration

I hereby certify that this student has been assessed by me and that the assessment has been carried out according to the required assessment procedures.

Assessor name:

Assessor signature:

Date:

Assessment outcome: S / NS / DNS

Resubmission: Y / N

Feedback

Student result response

My performance in this assessment task has been discussed and explained to me.

I would like to appeal this assessment decision.

Student signature:

Date:

A copy of this page must be supplied to the office and kept in the student's file with the evidence.

Information for students

In this task, you are required to demonstrate your skills and knowledge by working through a number of activities and completing and submitting a project portfolio.

You will need access to:

a suitable place to complete activities that replicates an ICT environment including a presentation space and computer and internet access

Simulation Pack or if own business, access to information about the business, including security threats and current security policies (including risk management), as well as business specifications (including for security) and deliverables in relation to incidents

your learning resources and other information for reference

Project Portfolio template.

Ensure that you:

review the advice to students regarding responding to written tasks in the IT Works Student User Guide

comply with the due date for assessment which your assessor will provide

adhere to your RTO's submission guidelines

answer all questions completely and correctly

submit work which is original and, where necessary, properly referenced

submit a completed cover sheet with your work

avoid sharing your answers with other students.

Assessment information

Information about how you should complete this assessment can be found in Appendix A of the IT Works Student User Guide. Refer to the appendix for information on:

where this task should be completed

how your assessment should be submitted.

Note: You must complete and submit an assessment cover sheet with your work. A template is provided in Appendix B of the Student User Guide. However, if your RTO has provided you with an assessment cover sheet, please ensure that you use that.

Activities

Complete the following activities:

Carefully read the following:

This assessment task requires you to develop, implement and evaluate an incident response plan. This project can be based on the case study business in the ICTSAS524 simulation pack or you may like to base this on your own business, or a business you are currently working for or are familiar with. If you do choose to use your own business you will need to be able to access information about the business, including security threats and current security policies (including risk management), as well as business specifications (including for security) and deliverables in relation to incidents. You will also need to work with a team with expertise and knowledge in relation to managing ICT incidents. Speak to your assessor to get approval if you want to base this on your own business or one you work for.

You will be collecting evidence for this unit in a Project Portfolio. The steps you need to take are outlined below.

Planning

Make sure you are familiar with the business you are basing this assessment on and have read through the necessary background information and policies and procedures. For the case study business, this is all of the documents included in the ICTSAS524 Simulation Pack. If it's your own business or a business where you are working or are familiar with, it's important at this step that you have your business or case study approved by your assessor.

Complete Page 4 of your Project Portfolio for this unit.

Read through the requirements of Section 1, 2, 3 and 4 of your Project Portfolio.

Preparation

You are now to complete Section 1 of your Project Portfolio.

When you complete Section 1, you need to:

Identify and report on incident response requirements, including current arrangements.

Seek and respond to feedback on your preparation for developing an incident plan.

Complete Section 1 of your Portfolio. Submit your work to your assessor for feedback before you move to the next step.

Incident plan development

You are now to complete Section 2 of your Project Portfolio.

When you complete Section 2, you need to:

Develop an incident management policy and associated procedures.

Develop your incident response plan and associated activities.

Complete Section 2 of your Project Portfolio.

In the next step, you will present your work to your team at a meeting as a training exercise for them to understand incident plan requirements and responses. This will include a summary of your review from Section 1, as well as your incident response policy, procedures and plan. Use examples of security incidents to provide real-life scenarios.

Prepare an accompanying presentation in a format of your choice (e.g. PowerPoint) for the meeting that summarises each part of your project plan. Your presentation should be no more than 15 minutes in duration.

Team training

Meet with your team to present your work as outlined above. If you are completing this for the case study organisation, this will be with a student group of approximately four or five. If you are completing this for your own business, this could also be with the student group or with your team at work.

During the training session, you will need to demonstrate your oral communication skills including:

Speaking clearly and succinctly to convey information

Asking and responding to questions to confirm requirements

Using active listening techniques to confirm understanding

Engaging the diverse members of your team in the discussion and encouraging feedback and discussion.

This can either be attended in person by your assessor or online. If you are basing this assessment on a workplace project, your assessor can attend in person, online or you may like to video record the session for your assessor to watch later. Your assessor can provide you with more details at this step. Make sure you follow the instructions above and meet the timeframes allocated.

Incident response plan implementation

This part of the assessment requires you to respond to a security incident which will be conducted as a red-teaming activity, i.e. a simulated scenario in a small team (2 to 3 students). If you are completing this in your RTO, your assessor will advise you of the incident to which you and your team must respond, as well as detailed instructions for completing the task. If it is for your own business, you can respond to a security incident at work or complete this activity as a simulated activity as above with other students from the RTO.

Remember that you will complete this activity as a team but your work in the Portfolio must be all of your own. The team work will involve discussing the issue and working out roles and responsibilities for resolving the issue.

Complete Section 3 of your Portfolio.

Incident response plan evaluation

The final part of the assessment requires you to evaluate activities associated with the incident plan. Review the information in your Simulation Pack to complete this activity or if you are completing this for your own business, base it on an evaluation of your incident response plan or you may complete the case study activity too.

Complete Section 4 of your Portfolio.

Submit your completed Project Portfolio

Make sure you have completed all sections of your Project Portfolio, answered all questions, provided enough detail as indicated and proofread for spelling and grammar as necessary.

Submit to your assessor for marking.

Student's name:

Did the student: (Completed successfully? Yes / No; Comments)

Identify and report on the organisation's incident response plan requirements and current arrangements?

Identify and report on incident response team services required?

Identify and report on the structure for the incident response plan required by the organisation?

Determine and report on extent to which the existing incident response plan meets the organisation's requirements?

Submit review and seek and respond to feedback provided?

Develop and document incident management policy?

Create incident response plans to meet requirements and security policies and procedures?

Develop incident handling and reporting procedures?

Develop incident response exercises, red-teaming activities and document staffing and training requirements as part of the incident response plan?

Develop procedure for collecting and protecting forensic evidence during incident response procedures as per the organisation's requirements?

Establish and document the incident response plan?

Demonstrate effective oral communication skills including:

Speaking clearly and succinctly to convey information

Asking and responding to questions to confirm requirements

Using active listening techniques to confirm understanding

Engaging diverse members of the team in the discussion and encouraging feedback and discussion?

Apply incident response actions to security incident as per the incident response plan?

Assist in collecting, processing and preserving evidence of the incident as per requirements?

Execute incident response plans, red-teaming activities and incident response exercises?

Document security incident response and actions?

Collect and then analyse and report on incident management measures as relevant to the incident response?

Assess and report on the efficiency and effectiveness of incident response plans activities?

Examine and report on the effectiveness of red teaming and incident response tests, training and exercises?

Assess effectiveness of communication between incident response team and others?

Determine and report on response improvement activities?

Submit documentation to management (assessor) and obtain final task sign off?

Task outcome: Satisfactory / Not satisfactory

Assessor signature:

Assessor name:

Date:

Final Results Record

Student name:

Assessor name:

Date:

Final assessment results

Task, Type, Result (Satisfactory / Unsatisfactory / Did not submit):

Assessment Task 1, Knowledge questions: S / U / DNS

Assessment Task 2, Project Portfolio: S / U / DNS

Overall unit results: C / NYC

Feedback

My performance in this unit has been discussed and explained to me.

I would like to appeal this assessment decision.

Student signature:

Date:

I hereby certify that this student has been assessed by me and that the assessment has been carried out according to the required assessment procedures.

Assessor signature:

Date:


Project Portfolio Task 2

Develop, Implement and Evaluate An Incident Response Plan

CONTENTS

Section 1: Incident response plan preparation

Section 2: Incident response plan development

Section 3: Incident response plan implementation

Section 4: Incident response plan evaluation

Student name:

Assessor:

Date:

Business this assessment is based on:

Section 1: Incident response plan preparation

The business

Outline the business and the services it provides and the environment in which it operates.

Incident response plan requirements

Based on your review at Activity Step 2.2, prepare to develop the incident response plan. Provide:

A description of the current arrangements in place for incident responses and the extent to which it meets requirements or not.

The organisation's requirements in relation to an incident plan.

Who is currently involved in incident responses and the requirements for an incident response team and services to be provided.

Required structure for an incident plan.

Feedback

Develop an email to send to management (your assessor) summarising your work above and asking for feedback.

Feedback

Document the feedback here and how it will inform your work in the next section.

Section 2: Incident response plan development

Incident management policy

In order to guide the incident response for the organisation, you are to develop an incident management policy. This should also include procedures for incident handling and reporting, as well as procedures for collecting and protecting forensic evidence that arises during an incident response.

Write the name of your policy here and attach it to your Portfolio.

Incident response plan

Develop your incident response plan in a format of your choice. This should also include roles and responsibilities, the red-teaming activities that will occur and exercises/training activities, as well as incident management measures.

Write the name of your plan here and attach it to your Portfolio.

Presentation

Develop your presentation. Your presentation must outline the incident response policy and plan you have developed and the rationale for developing this as per the work you completed in Section 1. Make sure you include examples of security incidents for which a response is required.

Write the name of your presentation here and attach it to your Portfolio.

Attach:

Incident response policy

Incident response plan

Presentation

Section 3: Incident response plan implementation

Complete this section based on the incident set up by your assessor. Remember you will complete this activity as a team but your work here must be all your own. Remember that prior to addressing the incident itself, you will also complete a red teaming activity for a potential security incident.

Incident

Describe the security incident and attach the associated evidence e.g. screenshots.

Incident response activities

Describe the incident response activities, including red-teaming activities, conducted in relation to the incident.

Review

Assess the effectiveness of the response using the information collected above and against measures established in your policy and/or plan.

Attach: Screenshot of security incident

Section 4: Incident response plan evaluation

Complete this section based on the red teaming security incident you responded to.

Incident response plans effectiveness

How effective do you believe your incident response plans were, based on the previous activity?

Ensure your answer addresses:

the effectiveness of the red teaming activities you conducted

the effectiveness of the training provided to your team in Activity 2.5 as evidenced through their ability to respond to the incident.

team communication throughout the incident response.

Improvements

Based on the above, what do you consider could be done to improve incident response activities?

Approval

Write an email to management (your assessor) to obtain final sign off of all the activities you have completed.

  • Uploaded By : Akshita
  • Posted on : November 26th, 2024