The Incident Response Plan Research that Earned Me Grade 94/100 (Distinction)
Segun Ebenezer Olaniyan
UK Global Talent | Information Security Risk Manager | Experienced Third Party Risk Analyst | AI Security & Governance | Cybersecurity Career Coach | Cybersecurity Educator & Speaker
1.0. Purpose and Scope
This document sets out the overall plan and strategy for responding to information security incidents at Netstream Inc. It defines the roles and responsibilities of participants, the categorization of incidents, procedures, and reporting requirements. The goal of this incident response plan is to detect information security incidents, identify their scope and risk, respond to them properly, communicate the results and risk adequately to all stakeholders, and reduce the likelihood of recurrence.
Netstream handles and controls a large volume of sensitive data, including but not limited to personally identifiable information, payment data and copyrighted content. It is our goal to reduce the risk of unauthorized access to, disclosure of, or breach of this sensitive data; to this end, this incident response plan shall be used as the baseline for detecting and responding to potential information security incidents.
Employees are trained annually on how to deal with an information security incident: they report recognized anomalies in the systems they use regularly to the Incident Response Team Lead, who investigates and confirms the event. This incident response plan should be activated at the first sign of an information security incident.
2.0. Event Handling
Whenever a Netstream employee discovers a suspicious anomaly in the network, a system, or data, or a system alert generates an event, the incident response team must begin to investigate and verify the event. Events are identified anomalies in the behavior of a network, system, process, or workflow. Incidents are events that compromise the security of the organization or violate its policies and standards; not every event is an incident, so each event must be verified before the plan's response procedures are triggered.
Every Netstream employee has a responsibility to be vigilant and to protect the data stored within the systems the organization supports. Any event that threatens the confidentiality, integrity, or availability of the information resources the organization provides or uses internally should immediately be reported to the employee's supervisor, who will in turn report it to the Incident Response Lead.
The Cyber Kill Chain is a useful framework for categorizing incident types: mapping an incident to the kill chain stage it has reached shows how far the attacker has progressed, and therefore indicates the severity, risk level and likely impact of the attack on the organization.
The Cyber Kill Chain is a series of stages an attacker must complete to successfully infiltrate a network and extract data from it (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives). Each stage represents a particular goal along the attacker's path, so an incident detected at a later stage is more severe than one caught at an earlier stage.
Incidents are events that indicate a possible compromise of security or non-compliance with Netstream policy and that negatively impact the organization. The table below shows incident types, their categorization, and level of priority.
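The following is an added example, not part of the original plan, showing how the kill-chain categorization described above can be applied in practice: several events attributed to one incident are rolled up to the deepest Cyber Kill Chain stage the attacker has reached, and that stage drives the priority. The priority bands, the sample events and the source names are assumptions for illustration, not Netstream's actual categorization table.

```python
"""Kill-chain-based incident triage (illustrative example, not Netstream's table)."""
from dataclasses import dataclass

# Lockheed Martin Cyber Kill Chain stages, in attacker order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
STAGE_INDEX = {s: i for i, s in enumerate(KILL_CHAIN)}


def priority_for_stage(stage: str) -> str:
    """Assumed priority bands: the further along the chain, the higher the priority."""
    idx = STAGE_INDEX[stage]
    if idx <= STAGE_INDEX["delivery"]:
        return "low"       # attacker has not yet executed code on our systems
    if idx <= STAGE_INDEX["installation"]:
        return "medium"    # code ran or persistence established, contain now
    return "high"          # attacker controls the host or is already exfiltrating


@dataclass
class Event:
    timestamp: str
    source: str
    stage: str      # kill chain stage the indicator corresponds to
    detail: str


def triage(events: list[Event]) -> dict:
    """Return the deepest stage reached, its priority and the events in chain order."""
    if not events:
        raise ValueError("no events to triage")
    for e in events:
        if e.stage not in STAGE_INDEX:
            raise ValueError(f"unknown kill chain stage: {e.stage!r}")
    # Sort by stage first, then by time, so the timeline reads along the chain.
    ordered = sorted(events, key=lambda e: (STAGE_INDEX[e.stage], e.timestamp))
    deepest = ordered[-1].stage
    return {
        "deepest_stage": deepest,
        "priority": priority_for_stage(deepest),
        "stages_observed": [s for s in KILL_CHAIN if any(e.stage == s for e in events)],
        "timeline": [(e.timestamp, e.stage, e.source, e.detail) for e in ordered],
    }


# Constructed sample events for one incident (not real Netstream telemetry).
SAMPLE_EVENTS = [
    Event("2021-05-14T09:02:11Z", "mail-gateway", "delivery",
          "phishing email with macro-enabled attachment delivered to finance user"),
    Event("2021-05-14T09:05:40Z", "edr", "exploitation",
          "winword.exe spawned powershell.exe with an encoded command"),
    Event("2021-05-14T09:06:03Z", "edr", "installation",
          "new Run key persisting C:\\Users\\Public\\svc.exe"),
    Event("2021-05-14T08:30:00Z", "web-proxy", "reconnaissance",
          "sustained scanning of the public login portal from one source IP"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(f"deepest stage: {result['deepest_stage']} -> priority {result['priority']}")
    for ts, stage, src, detail in result["timeline"]:
        print(f"  {ts} [{stage:<22}] {src}: {detail}")
```

The point of rolling events up to the deepest stage is that an incident's priority is set by how far the attacker got, not by the first alert that fired: the phishing delivery on its own would be low priority, but the same incident with persistence installed is not.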
3.0. Incident Response Team (IRT)
The Netstream Incident Response Team (IRT) will be made up of Information Security Management and experienced personnel, with strong executive support and inter-departmental participation. This ensures that other business units are included in the incident response process, which helps fast-track investigation, verification, and the team's other vital activities.
The goal of the Netstream Incident Response Team is to organize and align the key resources and team members during a cybersecurity incident so as to reduce impact and restore operations as fast as possible. Below are the roles and responsibilities of the IRT members, with their contact information, for easy communication and collaboration.
4.0. Response
This section sets out the steps to be taken during an incident response, with a checklist of the key processes, actions, and notifications to be triggered. Information asset types at Netstream are categorized using the "PEESD" scheme, set out below, which covers all the assets the organization possesses.
Every action taken during the response to an incident must be geared towards containment, eradication, and recovery of the proper functioning of the organization's information assets.
The effectiveness of the Netstream incident response team and its security tools depends on keeping a record of all actions taken during each incident phase. Supporting documentation is also required for the forensic evidence collected, such as disk images, memory dumps, activity logs, network traffic captures, and audit records.
The table below contains the reporting checklist to be used when documenting the actions taken to deal with an incident. Netstream's goal is to meet the requirements of compliance regimes and standards such as PCI DSS, HIPAA, HITECH, GDPR and ISO 27001, and to prioritize business continuity so as to minimize impact and cost.
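As an added example, not part of the original plan, the following shows one way to keep the record of actions and collected evidence that this section requires: each artifact is fingerprinted with SHA-256 at collection time, and every log entry is chained to the hash of the previous entry, so that a later edit to or removal from the record is detectable. The incident identifier, phase names, actor names, file names and the artifact bytes are constructed for illustration.

```python
"""Tamper-evident incident action and evidence log (illustrative example)."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    # Stable serialization so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class IncidentRecord:
    """Append-only log of phases, actions and evidence for one incident."""

    GENESIS = "0" * 64

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: list[dict] = []

    def _append(self, entry: dict) -> dict:
        # Each entry commits to the previous entry's hash, forming a chain.
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {**entry, "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        self.entries.append(entry)
        return entry

    def log_action(self, phase: str, actor: str, action: str, when: str) -> dict:
        return self._append({"type": "action", "phase": phase, "actor": actor,
                             "action": action, "timestamp": when})

    def log_evidence(self, phase: str, collector: str, name: str,
                     content: bytes, when: str) -> dict:
        # Hash the artifact at collection so its integrity can be verified later.
        return self._append({"type": "evidence", "phase": phase, "collector": collector,
                             "artifact": name, "size": len(content),
                             "sha256": sha256_hex(content), "timestamp": when})

    def verify_chain(self) -> bool:
        """Recompute every hash; False if any entry was altered or removed from the middle."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(_canonical(body)) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_artifact(self, name: str, content: bytes) -> bool:
        """Check a re-read artifact against the hash recorded at collection time."""
        for e in self.entries:
            if e.get("type") == "evidence" and e["artifact"] == name:
                return e["sha256"] == sha256_hex(content)
        return False


# Constructed artifacts standing in for a memory dump and a log extract.
MEMDUMP = b"\x00" * 64 + b"constructed memory dump fragment"
AUTHLOG = b"2021-05-14T09:05:40Z host1 sshd: Failed password for root from 203.0.113.7\n"


def build_sample_record() -> IncidentRecord:
    rec = IncidentRecord("NS-2021-0042")  # hypothetical incident identifier
    rec.log_action("identification", "irt-lead", "incident declared after EDR alert",
                   "2021-05-14T09:10:00Z")
    rec.log_evidence("containment", "analyst-a", "host1-memory.raw", MEMDUMP,
                     "2021-05-14T09:20:00Z")
    rec.log_evidence("containment", "analyst-a", "host1-auth.log", AUTHLOG,
                     "2021-05-14T09:21:00Z")
    rec.log_action("containment", "analyst-a", "host1 isolated from the network via EDR",
                   "2021-05-14T09:22:00Z")
    return rec


if __name__ == "__main__":
    rec = build_sample_record()
    print("chain intact:", rec.verify_chain())
    print("memory dump matches:", rec.verify_artifact("host1-memory.raw", MEMDUMP))
```

A hash chain like this detects edits to earlier entries and deletions from the middle, but not truncation of the most recent entries; in practice the latest entry hash should be written to a separate, write-protected location (or signed) at the end of each phase so the record as a whole can be shown complete.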
5.0. Impact(s) of Cybersecurity Breach on the Organization
A cybersecurity breach is a heavy cost for an organization to bear; this is why every organization must ensure it has well-structured security policies governing its operations, ranging from an Acceptable Use of Information Resources Policy to an Access Control Policy and so on.
It cannot be overemphasized how many attacks organizations have suffered because of insider threats, accidental mistakes, and employees' ignorance of security best practices in the workplace, such as a clear desk policy, locking the computer screen when away, and shredding documents that are no longer needed.
Through such non-compliant acts and other violations of security policy, the organization can suffer a data breach and face litigation. Litigation is the summoning of an offender before a court for trial on the basis of violations of laws and policies, which can further lead to heavy fines or the forfeiture of the organization's license.
The organization can also lose its brand reputation: the public or its users will no longer trust the organization, which leads to revenue loss and, if not managed well, can sometimes lead to bankruptcy.
Furthermore, a cybersecurity breach can lead to online vandalism, in which the organization's online presence is used to misrepresent it, causing the company to lose stakeholders and partners.
Lastly, if a data breach is caused by unsolicited activity on illegal websites, for instance initiated by an employee without management's consent, the Internet Service Provider can withdraw the organization's internet service.
6.0. Conclusion
To ensure that the organization consistently grows in productivity, global impact and influence on the global economy, cybersecurity resilience must be given a great deal of attention. One way to achieve this is to have a well-structured and implementable incident response plan in place.
Cybersecurity breaches cannot be totally eliminated, but many can be prevented, and this depends greatly on how seriously the organization takes its security policies. Provision must also be made for periodic updates of the incident response plan so that it keeps evolving to counter the newest adversarial tactics, techniques, and procedures (TTPs).
Information Sources
AT&T. “2020 Incident Response Team: Roles and Responsibilities | AT&T Cybersecurity.” Cybersecurity.att.com, 2020, cybersecurity.att.com/resource-center/ebook/insider-guide-to-incident-response/arming-your-incident-response-team. Accessed 14 May 2021.
AT&T. “2020 Security Incidents: Types, Triage, Detection Explained | AT&T Cybersecurity.” Cybersecurity.att.com, 2020, cybersecurity.att.com/resource-center/ebook/insider-guide-to-incident-response/types-of-security-incidents. Accessed 14 May 2021.
CompTIA. The Official CompTIA Security+ Student Guide (Exam SY0-601). 2020, pp. 466–473, interactive.torontosom.ca/courses/1992/files/119982/download?wrap=1. Accessed 13 May 2021.
NIST. Computer Security Incident Handling Guide. 2nd ed., 2012, pp. 6–18, dx.doi.org/10.6028/NIST.SP.800-61r2. Accessed 14 May 2021.
Otterloo, Sieuwert van. “Information Security - Asset Inventory.” ICT Institute, 9 Dec. 2016, ictinstitute.nl/information-asset-inventory/. Accessed 14 May 2021.