Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Lab 8

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 3

Lab #8 – Assessment Worksheet

Craft a Security or Computer Incident Response Policy – CIRT Response Team

Course Name: ______IAP301_____________________________ _______

Student Name: ______Vu Tuan Anh__________________________ _____

Instructor Name: ______Nguyen Tan Danh______________ ____ _____

Lab Due Date: _________5/3/2021________________________________

1. What are the 6-steps in the incident response methodology?


- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Documentation

2. If an organization has no intention of prosecuting a perpetrator or attacker, does it still need an


incident response team to handle forensics?
- The Incident response team needs to take responsibility for forensics as all of itevidence of a
crime.

3. Why is it a good idea to include human resources on the Incident Response Management Team?
- They can help develop job descriptions tohire CSIRT staff, and develop policies and
procedures for removing internal employees found engaging in unauthorized or illegal
computer activity.

4. Why is it a good idea to include legal or general counsel in on the Incident Response
Management Team?
- Legal staff may also be needed to reviewnon-disclosure agreements, develop appropriate
wording for contacting other sites and organizations, and determine site liability for
computer security incidents.

5. How does an incide/nt response plan and team help reduce risks to the organization?
- It reduces risk in how you create and maintain the Incident Response Plan.

6. If you are reacting to a malicious software attack such as a virus and its spreading, during which
step in the incident response process are you attempting to minimize its spreading?
- In most areas of life, prevention is better than cure, and security is no exception. Wherever
possible, you will want to prevent security incidents from happening in the first place.
However, it is impossible to prevent all security incidents. When a security incident does
happen, you will need to ensure that its impact is minimized. To minimize the number and
impact of security incidents.

7. If you cannot cease the spreading, what should you do to protect your non-impacted mission-
critical IT infrastructure assets?
- Remove the affected factors from the system to stop the spread of the virus or code to
other critical areas of IT.

8. When a security incident has been declared, does a PC technician have full access and authority
to seize and confiscate a vice president’s laptop computer? Why or why not?
- This depends on the situation.

9. Which step in the incident response methodology should you document the steps and
procedures to replicate the solution?
- You document stepsand procedures in the follow up step of the process.

10. Why is a port mortem review of an incident the most important step in the incident response
methodology?
- This is done so that in the future when there is a similar incident, the incident response
team will have a better idea of how to handle it and be able to react more effectively and
efficiently.

11. Why is a policy definition required for Computer Security Incident Response Team?
- Policy definition is important because it allows an organization to have documentation on
how the incident response team is supposed to operate as well as who is involved in the
team and what authority each member possesses.

12. What is the purpose of having well documented policies as it relates to the CSIRT function and
distinguishing events versus an incident?
- A policy for the CSIRT team would be more detailed as far as how the organization handles
incidents. The policy for the CSIRT team is would be more broad and easier to organize
instead by identifying members and their functions. Creating a policy for incidents could be
helpful however, not all incidents are the same and therefore multiple policies would be
required
-
13. Which 4 steps in the incident handling process requires the Daubert Standard for Chain-of-
Custody evidence collection?
- Identification, containment, eradication, recovery

14. Why is syslog and audit trail event correlation a critical application and tool for CSIRT incident
response handling?
- They are critical to the CSIRT incident response handling because they track and log
incidents.
15. Why is File Integrity Monitoring alerts/alarms a critical application and tool for the CSIRT
incident response identification?
- These are critical application and tools for CSIRT incident response identification because it
provides the real-time monitoring of an incident.

You might also like