Incident response Flashcards
Responsible for knowing how to handle security incidents
that occur within the organization and for correcting and
documenting the security issue
Computer Incident Response Team (CIRT)
Ensures all team members know their role when a security incident occurs.
CIRT Team Leader
builds relationships with outside resources that may be called upon
CIRT Team Leader
Uses technical expertise to assess and identify the scale of a security incident and knows how to correct the issues.
CIRT Technical specialist
Knows how to document the entire response process.
CIRT Documentation Specialist
Responsible for logging each incident, the cause of the problem, and the solution
CIRT Documentation Specialist
Knows the laws and regulations that the organization must follow when it comes to computer forensics and incident response
CIRT Legal Advisor
Document created by every organization that:
Defines incident categories
Defines team member roles and responsibilities
Identifies how and when users are supposed to report a potential security incident
Plans exercises to practice for security incidents
Incident Response Plan
First individual user to identify and react to an incident
Goal is to contain the incident
Should be trained to know how to immediately respond to basic problems
first responder
Any observable occurrence in a system or network; sometimes provides an indication that an incident is occurring
Event
Assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system.
Incident
What are the phases of the incident handling process?
Detection and reporting of events
Preliminary analysis and ID
Preliminary response
Incident Analysis
Response and recovery
Post incident analysis
Intrusion detection systems or personnel reports
Gather/report preliminary information
Begin coordinating reporting/response
Detection and reporting of events
Categorize the activity (if, upon initial analysis, you cannot determine the cause, use category 8: Investigating, and update as required)
Gather additional information as required
Classify as required
Send notification messages per SOPs
Preliminary analysis and ID
Contain incident/threat
Preserve data to allow for further incident analysis
Begin chain-of-custody documentation
Preliminary response