Incident Response Paper (Individual Grade)
Using NIST’s SP 800-61, “Computer Security Incident Handling Guide,” each student in the team will select a different risk from the Risk Assessment, or select a scenario from NIST SP 800-61, Appendix A.2 Scenarios, and will answer the questions in Section A.1 Scenario Questions, covering: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity; and General Questions specific to the risk. Students are encouraged to work individually on their scenario, but to bounce questions off team members if they hit a question they cannot address. Your textbook also has information about security tools and controls that can be referenced here to help with the procedures.
Using NIST’s SP 800-61, “Computer Security Incident Handling Guide,” develop an Incident Response Plan (IRP) that includes your Scenario in the Procedures section. Search the Internet for actual IRPs and review them to see what type of information they include. At a minimum, your plan should include the following sections (each section, other than Procedures, only needs to be a couple of sentences in length – students are graded individually on the Procedures section). Students will submit their IRP, including the common team portion, for individual grading.
Roles: who will respond to the incident and notification/escalation procedures? Who is responsible for writing the IRP?
Training: specify a training frequency
Incidents: What defines an “incident”? Define some security incidents that you may encounter on your network.
Incident Notification: What happens when an incident is detected?
Reporting/tracking: How will you report and track incidents? What about capturing “lessons learned”?
Procedures (Individual Sections – identify in the paper the name of the student who prepared each section)
Risk: (Identify the Risk from the Risk Assessment Table by Number and Name of Student)
Detection and Analysis
Incident Response Paper – 30 points – Individual Scoring Guide for Procedures Section
Paper is at least 7 pages in length, excluding cover pages, TOC, and reference page.
Paper is fewer than 7 pages in length, but greater than 4.
Paper is fewer than 4 pages in length.
Identified procedures are appropriately linked to a different risk located in the risk assessment table, or to a different scenario from Appendix A.2.
Some content is relevant to an Incident Response Plan.
Content is not relevant.
All questions from Appendix A.1 in all sections are addressed and would effectively address the risk if it were actualized.
At least 50% of the questions from Appendix A.1 are addressed.
Fewer than half of the questions were addressed.
Grammar, clarity, organization
The document is well-written and ideas are well developed and explained. Sentences and paragraphs are grammatically correct. Uses subheadings appropriately.
The document effectively communicates ideas. The writing is grammatically correct, but some sections lack clarity.
The document is poorly written and confusing. Ideas are not communicated effectively.
Procedures section is unique to each individual student.
Some content has been copied from other work.
Paper lacks originality.