Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
500 views3 pages

Assignment-1: Incident Response Plan

The incident response plan outlines steps to respond to a security incident where an unknown person gained access to confidential payroll information when the payroll administrator was absent. Key steps include: 1) validating policies were violated, renewing staff access cards, and investigating system/network changes; 2) analyzing CCTV footage, access records, and logs to identify the intruder and determine the scope of changes made; 3) containing the incident by isolating systems, notifying employees, and correcting payroll changes; and 4) reviewing response procedures and providing training to avoid future incidents.

Uploaded by

Shishir Kumar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
500 views3 pages

Assignment-1: Incident Response Plan

The incident response plan outlines steps to respond to a security incident where an unknown person gained access to confidential payroll information when the payroll administrator was absent. Key steps include: 1) validating policies were violated, renewing staff access cards, and investigating system/network changes; 2) analyzing CCTV footage, access records, and logs to identify the intruder and determine the scope of changes made; 3) containing the incident by isolating systems, notifying employees, and correcting payroll changes; and 4) reviewing response procedures and providing training to avoid future incidents.

Uploaded by

Shishir Kumar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 3

Assignment-1

Incident Response Plan


Scenario 3:
The response to incidents is still the most effective and efficient way of responding quickly to
security events. Incident response plan is aimed at quickly identifying an intrusion, reducing the
consequences, restricting losses and finally fixing the root cause of the incident, to reduce the
likelihood of future attacks.
In order to communicate the activities within the organisation, and where necessary, with
external parties as part of the CSIRT (Computer Security Incident Response Team) through the
NIST Incident Response process, it is important to gather, analyse and react quickly to details of
the incident.
Preparation:
1. Since an unknown person was physically able to access the payroll office during payroll
administrator's absence and got access to confidential payroll information, we will have
to validate the company policies violated by this incident as part of the CSIRT team.
2. In order to limit the cause, all staff's cards that have access to the payroll department
must be immediately investigated and renewed.

Detection and Analysis:


1. When the unit was accessible by the intruder, as per the administrator the mouse cursor
was moved on the application logged-on page while he was way, it is good indications
for an activity.
2. By checking whether the payroll department has a CCTV camera and has caught some
image of an attacker as it will help to recognize the intruder and maybe his motive.
3. Through reviewing the card access control records, we might figure out how many
employees signed in and out at the time of the incident.
4. We can also discuss with other payroll employees with approval of respective senior
managers if they noticed an unknown person at the admin desk throughout the time of
the event and ask admin additional questions if necessary.
5. By performing a file integrity check on admin's system/application logs and by using
different network monitoring tools, a report can be generated to decide what changes
were made to the network by using the system on specific incident date.
6. Perhaps the most important step in the incident handling process is to determine the
effect of an incident it can cause on company.
7. In accordance with the incident response policy of organization and the priority of the
incident, we can now detect and analyse more information about the incident, which
means that we can determine what is to be informed and to whom at what time.
Containment, Eradication, and Recovery:
1. In order to investigate any changes in payroll of an employee at a specific event day, it is
important to inform employees to contact their respective managers if they notice any
changes.
2. Put a disclaimer e-mail to employees so that they do not open files and/or click on e-
mail links sent by the payroll group admin e-mail. In case they did receive an email or
clicked on link they should notify their manager and CSIRT team.
3. Check payroll admin system to find out if they were harmed by intruder by using digital
forensics tools, as that will justify motives of intruder, and keep the system isolated
from the network.
4. Educate and train personnel with e-learning materials to improve employees '
knowledge of current policies leading to the accessibility of the systems in the office
premises.
5. After monitoring and containing the incident we will try to eradicate any threats found
on the tools, to ensure that the network and systems are secured.
6. As a precaution, educate staff on policies with e-learning modules that they do not
exchange passwords or access cards with family and friends. Also renew their passwords
or access card codes if they necessary.
7. Plan a meeting with respective senior manager in case they have an employee who
reported about changes to their payroll information and perform the necessary
corrective changes to ensure that the employee details are secured.

Post-Incident Activity:
1. Schedule a meeting with all concerned parties in order to review recent events and the
appropriate corrective procedures in compliance with company policies.
2. Talk to the relevant teams in detail about the correct measures or steps to avoid these
incidents in the future and provide them with right training modules for the steps. Also
conduct a quiz to check if the information was passed successfully.
3. As a precaution, please ensure that at least two team members are in office if others are
away from desk even when their units are locked. Example by taking breaks at different
time as it helps to protect physical resources.
References:
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident
Handling Guide: Recommendations of the National Institute of Standards and Technology.
doi: 10.6028/nist.sp.800-61r2

You might also like