Widgets “R” US IR Plan
The person who discovers the incident will call the grounds dispatch office. List possible sources of those who may discover the incident. The known sources should be provided with a contact procedure and contact list. Sources requiring contact information may be:
Helpdesk
Intrusion detection monitoring personnel
A system administrator
A firewall administrator
A business partners
A manager
The security department or a security person.
Help Desk
(XXX-XXX)
Intrusion Detection
(XXX-XXX)
System Admin
(XXX-XXX)
Firewall Admin
(XXX-XXX)
Business Partner
(XXX-XXX)
Manager
(XXX-XXX)
Security Dept
(XXX-XXX)
If the person discovering the incident is a member of …show more content…
- determines if the Spyware was affected in the Incident
The team may create additional procedures which are not foreseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident.
Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and the organization.
Team members will recommend changes to prevent the occurrence from happening again or infecting other systems.
Upon management approval, the changes will be implemented.
Team members will restore the affected system(s) to the uninfected state. They may do any or more of the following:
Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.
Make users change passwords if passwords may have been sniffed.
Be sure the system has been hardened by turning off or uninstalling unused
The person who discovers the incident will call the grounds dispatch office. List possible sources of those who may discover the incident. The known sources should be provided with a contact procedure and contact list. Sources requiring contact information may be:
Helpdesk
Intrusion detection monitoring personnel
A system administrator
A firewall administrator
A business partners
A manager
The security department or a security person.
Help Desk
(XXX-XXX)
Intrusion Detection
(XXX-XXX)
System Admin
(XXX-XXX)
Firewall Admin
(XXX-XXX)
Business Partner
(XXX-XXX)
Manager
(XXX-XXX)
Security Dept
(XXX-XXX)
If the person discovering the incident is a member of …show more content…
- determines if the Spyware was affected in the Incident
The team may create additional procedures which are not foreseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident.
Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and the organization.
Team members will recommend changes to prevent the occurrence from happening again or infecting other systems.
Upon management approval, the changes will be implemented.
Team members will restore the affected system(s) to the uninfected state. They may do any or more of the following:
Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.
Make users change passwords if passwords may have been sniffed.
Be sure the system has been hardened by turning off or uninstalling unused