Section 5: Incident Response
Incident response planning
Benefits: lets the organization respond to incidents in a systematic manner
Improving response time and effectiveness
Responding to incidents in a systematic way
Meeting compliance regulations
Topic 2: Security incident
Preparation phase
Establish an approach to handling incidents
Establish policies and warnings to deter intruders and to support information collection
Establish a communication plan with stakeholders
Develop incident reporting criteria
Develop a process to activate the incident management team
Establish a secure location from which to execute the incident response plan
Ensure availability of needed equipment
Incident response phase
Identifying incidents
Verify whether an incident actually happened and find out more details about it
Assign ownership of the incident to an incident handler
Verify that the report or event qualifies as an incident
Establish the chain of custody
Determine incident severity and escalate as necessary
Containing an incident
Actions taken in the containment phase of incident response work to limit exposure
Activate the incident response team and notify appropriate stakeholders
Obtain agreement on actions taken that may affect availability
Get IT representatives and relevant virtual team members to implement containment procedures
Obtain and preserve evidence
Document actions taken
Control and manage communication to the public
Eradicating the root cause
After containment measures have been deployed, determine the root cause and eradicate it
Determine the signs and cause of the incident
Locate the most recent version of the backups or an alternate solution
Remove the root cause
Improve defenses by implementing protection techniques
Perform a vulnerability analysis
Recovering from the incident
This phase ensures that the affected systems or services are restored within the service delivery objective (SDO) or as defined in the BCP
Restore operations to normal
Verify that the actions taken on restored systems were successful
Involve system owners in testing the systems
Aid system owners in declaring normal operation
Lessons learned
Final step in incident response: a report should be developed to share what has happened
Analyse issues encountered during the incident response effort
Propose improvements
Present the report to relevant stakeholders
Topic 3: Forensics
Digital forensics
Any electronic document or data can be used as digital evidence; digital forensics is the identification and analysis of such data in a manner that is legally acceptable
Forensics chain of events
Identify (media) -> Preserve (data) -> Analyze (information) -> Present (evidence)
Forensics key elements
Data protection
Data acquisition
Imaging
Log file analysis
Network traffic analysis
Digital forensics tools
Computer—Examines non-volatile digital media
Memory—Acquires and analyzes volatile memory
Mobile device—Observes both software and hardware components
Network—Monitors and analyzes network traffic
Topic 4: Disaster recovery & business continuity
Disaster
Disasters are disruptions that cause critical information resources to be
inoperative for a period of time, adversely impacting organizational operations.
Business Continuity Planning
The purpose of business continuity planning (BCP)/disaster recovery planning (DRP) is to:
Continue offering critical services in the event of a disruption.
Survive a disastrous interruption to activities.
Rigorous planning and commitment of resources are necessary to adequately plan for
such a disaster event.
BCP is primarily the responsibility of senior management.
Business Impact Analysis
The first step in preparing a new BCP is to identify the business processes of
strategic importance.
The BIA should answer three important questions:
What are the different business processes?
What are the critical information resources related to an organization’s critical
business processes?
RPO and RTO
RPO is determined based on the acceptable data loss in case of a disruption of operations.
RTO is the amount of time allowable for the recovery of a business function or
resource after a disaster occurs.
The approach to IS BCP matches that of BCP for the greater organization, except
that its focus is on the continuity of IS processing.
Recovery
Backup
There are three types of data backups: full, incremental and differential.
Backup files should be kept at an offsite location.