This document contains journal entries summarizing a case study about incident response and contingency planning. The journal discusses setting up a security incident response team to help prevent, detect, react to and recover from security incidents. It also covers analyzing threats facing an organization through a business impact analysis to determine how to prioritize incident response. The case study discussed in the journal involves investigating a persistent but low-level attack on a company's email server and blocking the attacker's IP address range.

1. Incident Response and Contingency Planning Journal
Incident Response and Contingency Planning Journal
By
Brittany M Gilstrap
ITEC 4341-01
Fall 2011
Macon State College

2. Incident Response and Contingency Planning Journal 1
Journal Entries for Week One 08/22/11 to 08/28/11
Journal Entry One:
There is an incident in which someone on the inside of HAL is trying to get inside e-mail
server by using several different accounts, but is failing to do so (Whitman & Mattord, 2007).
There are multiple attacks, and even though they are using a proxy, and recently moved their
servers into the DMZ, the question is who is creating such a disturbance, why are they trying to
get into the e-mail server, and how are the attempting this incident (Whitman & Mattord, 2007).
This would qualify as a deliberate act of trespass because it is an attempt by an unauthorized
employee for informational access in the e-mail server (Whitman & Mattord, 2007). Risk
identification would be to plan out this process, the system components being threatened is the e-
mail server which could contain confidential information, depending on how critical this
information is, it is an important asset to the company, and should be protected (Whitman &
Mattord, 2007). Identifying the treat is in internal personnel trying to break into the e-mail server
using other people’s log in information, but failing to get through (Whitman & Mattord, 2007).
Lastly, in risk identification, the vulnerable assets are the e-mails on this server that could
potentially be read by prying eyes that are not allowed to see, and possibly threatening critical
information about business operations (Whitman & Mattord, 2007). Next is to do a risk
assessment, and to determine how to value the assets on this e-mail server, it would depend on
how highly critical the information is that is being stored there (Whitman & Mattord, 2007).
There is a high likelihood of attack on the vulnerabilities because it is already in place that
someone is trying to get into this e-mail server, and apparently is using others e-mail accounts to
try to hack in, but is unable to (Whitman & Mattord, 2007). In the end, there will need to be a

3. Incident Response and Contingency Planning Journal 2
decision on risk control to decide what the best route is to protect the server, and to protect these
accounts (Whitman & Mattord, 2007).
Journal Entry Two:
The first question asks who Paul should invite to this meeting to discuss this incident
(Whitman & Mattord, 2007). Obviously Paul will be bringing himself, Amanda whose account
was being used to try to access the e-mail server, and because she is Paul’s boss (Whitman &
Mattord, 2007). Jonathon is the senior systems administrator who recognized these many failed
attempts at being able to get through the proxy, and Paul also asked him to grab Tina who is the
senior network administrator (Whitman & Mattord, 2007). I believe that Richard Xavier, chief
operations officer, William Freund, manager of systems, and Roberta Briscoe, manager of
corporation security, should be present because it did ask for senior personnel to be at this
meeting, and their fields each give them some insight on what to do, and how to approach this
incident (Whitman & Mattord, 2007). Richard would be able to provide potential directions to
follow in this incident, and help to plan for a recovery afterwards to better train employs, and put
policies in place to protect against this kind of incident. William would be able to provide
information on the systems within the organization, and how such an attempt could have
manifested. Roberta would be able to provide information on security needs within the
organization, and would be able to point them in the right direction for protecting the e-mail
server from this attack.
Journal Entry Three:
The second question asks what other information Paul and his team can use to track down
this incident (Whitman & Mattord, 2007). For Paul and his team to track down this incident, it

4. Incident Response and Contingency Planning Journal 3
would be most beneficial to see all the accounts in which the personnel was using to hack into
the e-mail server, also it would help to get all the IP addresses of the computers being used in
this attack, so that they can identify possibly which personnel is making this attack. Also, they
could install software on any IP addresses that show up, so that the computer can track all user
activity, and they would be able to review the personnel in the process of attacking. They could
also possibly find potential giveaways from what the personnel uses the computer for, such as:
social networking, personal interests, etc. They may be able to find out who is causing the
incident.
Journal Entries for Week Two 08/29/11 to 09/04/11
Journal Entry One:
There are twelve categories of threats facing information security, and the most recent top
threats listed in the Computer Security Institute’s Computer Crime and Security Survey fall into
the most of the twelve categories, but not all (Richardson, 2011). First, act of human error or
failure is an accident of the user by deleting files on the desktop, deleting files on the server,
releasing important information, modification of files, and unauthorized software installations,
but there were no threats found in the survey for this category (Whitman & Mattord, 2007).
Second, compromise of intellectual property consists of piracy, information leaks outside of
policy, and violation of copyright material (Whitman & Mattord, 2007), from the survey “insider
abuse of internet access or email (pornography, pirated software, etc.) falls within this category
(Richardson, 2011). Third, deliberate acts of trespass consists of unauthorized access of logical
and physical counterparts of an organization (Whitman & Mattord, 2007), from the survey “theft
or unauthorized to intellectual property/PII/PHI due to mobile device theft/loss and all other

5. Incident Response and Contingency Planning Journal 4
causes, password sniffing, system penetration by an outsider, unauthorized access or privilege
escalation by insider, exploit of wireless network/DNS server/user’s social network profile/client
web browser/public facing website”, fall within this category (Richardson, 2011). Fourth,
deliberate acts of information extortion consist of blackmailing for assets (Whitman & Mattord,
2007), from the survey “extortion or blackmail associated with threat of attack or release of
stolen data”, falls within this category (Richardson, 2011). Fifth, deliberate acts of sabotage or
vandalism consist of modification or destruction of information or physical assets (Whitman &
Mattord, 2007), from the survey “website defacement and instant messenger abuse”, fall within
this category (Richardson, 2011). Sixth, deliberate acts of theft consist of stealing assets from an
organization (Whitman & Mattord, 2007), from the survey “financial fraud and laptop or mobile
device theft or loss”, fall within this category (Richardson, 2011). Seventh, deliberate software
attacks consist of phishing, email viruses, viruses, worms, malicious coding, DoS, and DDoS,
from the survey “malware infection, bots/zombies within the organization, DoS, and fraudulently
represented as sender of phishing messages”, fall within this category (Richardson, 2011).
Eighth, forces of nature consists of threats from hurricanes, tornadoes, fire, floods, ESD,
humidity, dust, mudslide, solar flare, and earthquake, there were no threats from the survey that
would have been listed in this category (Whitman & Mattord, 2007). Ninth, quality of service
deviations from service providers consist of power blackouts, surges, spikes, sags, and network
outages, there were no threats from the survey that would have been listed in this category
(Whitman & Mattord, 2007). Tenth, technical hardware failures or errors consist of device
failures or defects; there were no threats from the survey that would have been listed in this
category (Whitman & Mattord, 2007). Eleventh, technical software failures or errors consist of
bugs or coding problems and trapdoors, there were no threats from the survey that would have

6. Incident Response and Contingency Planning Journal 5
been listed in this category (Whitman & Mattord, 2007). Twelfth, technological obsolescence
consist of outdated technology, there were no threats from the survey that would have been listed
in this category (Whitman & Mattord, 2007).
Journal Entry Two:
Reviewing the 2010-2011 Computer Crime and Security Survey, there is a lot of great
information that supports the importance of security against these threats. After the previous
threats were established, there are ways that were implemented to prevent or fix these threats,
which is the most important thing to do, fix any security problems. The top most implemented
action taken after a threat was to patch any software vulnerabilities, this is very important
because security flaws in software can cause major problems, and can potentially leave a
backdoor open for anyone to get into your system (Richardson, 2011). Next few actions that are
taken after threats: patched hardware, additional security installed, forensics investigation,
awareness training, and policy changes (Richardson, 2011). Two reasons why people did not
report these incidents to enforcement is because they did not believe that enforcement could help
or that the incident was not major enough to need to report (Richardson, 2011). The top eleven
security technologies used for protection that is over a 50% rating, starting from the highest
percentage is: anti-virus, firewall, anti-spyware, VPN, patch management, encryption of data
being transferred, IDS, encryption of data being stored, URL filtering, application firewall, and
intrusion prevent system (Richardson, 2011). The top five ways to evaluate security include from
most to least: internal audits, automated tools, web monitoring, external audits, and internal
penetration testing (Richardson, 2011). These are all important statistics that could help an
organization see what areas they may need to focus in to fix their security problems or how they
can measure the protection they’re really getting out of their security tools.

7. Incident Response and Contingency Planning Journal 6
Journal Entry Three:
An important matter that organizations should use to better protect themselves from the
potential threat of an attack is to do a business impact analysis which would determine how bad
of an impact an attack would be for an organization (Whitman & Mattord, 2007). This helps with
planning for threats allowing you to prioritize what would be most important to deal with first
over others that may just be an annoyance than a real threat (Whitman & Mattord, 2007). The
first step is to identify threats to the organization and prioritize them, and then a business unit
analysis determines how different parts of the organization would be affected by treats (Whitman
& Mattord, 2007). Next, scenarios should be developed to establish how a threat would be
handled in a real situation listing information such as: possible vulnerabilities, threat agent,
activities related to the attack, assets in trouble, and follow ups (Whitman & Mattord, 2007).
Next, a potential damage assessment should be done, and this helps identify a worse, best, and
most likely scenario for an attack including what would happen, the risk with it, the cost to the
organization, and probability of it spreading (Whitman & Mattord, 2007). Lastly, a subordinate
plan classification will use the different plans drawn together to establish the aftermath of a
scenario (Whitman & Mattord, 2007).
Journal Entries for Week Three 09/05/11 to 09/11/11
Journal Entry One:
Scripted attacks are not as bad as live attacks because they are set up to do whatever the
script says, so it will continuously be doing the same thing over and over. This would be more of
an annoyance than anything, but it makes it a lot worse when a live person is doing the attacks
because it would be for a more rewarding gain like stealing information than just being

8. Incident Response and Contingency Planning Journal 7
annoying. A live person attempting these attacks would be able to adapt to whatever defenses the
organization throws up in its path which is what was happening in the scenario. They were
blocking out the ports it was using, which if this was a scripted attack then it would have stopped
this incident, but it didn’t (Whitman & Mattord, 2007). Paul decided to view the logs of the
network, and found out that it was using a certain range of addresses, so they blocked this range
to prevent this attacker from getting into the system (Whitman & Mattord, 2007). It is very
important to take incidents like this as serious even when it may not pose a serious threat in the
end because you never know how dangerous it is until something catastrophic happens that could
jeopardize important business assets, and possibly put the company in some trouble. Never
underestimate an attack no matter how simple it may seem because it could cost you more than
you reckon.
Journal Entry Two:
This live attack was more of an annoyance than it was a real incident because attacker
was performing the same attack over and over which eventually led him to being found out, and
blocked from getting through (Whitman & Mattord, 2007). It would have been more of an
incident if he was hiding his ports so that they wouldn’t be found out, if he used more
sophisticated strategies to get through, and if he used a different range of ports that were not so
easily blocked out by the range Paul had used (Whitman & Mattord, 2007). Had he used a port
scanner to find a weakness in the defenses, and used that to exploit the system, I think he
would’ve had better chances of getting through (Whitman & Mattord, 2007). Regardless an
annoyance or real incident, they should both be treated seriously because you never really know
what could possibly happen, and it is better to be overprotective of your assets than risk them.

9. Incident Response and Contingency Planning Journal 8
Journal Entry Three:
The importance of the chapter that correlates to this case study is how to prepare,
organize, and prevent incidents from occurring (Whitman & Mattord, 2007). This is typically
done by the security incident response team (SIRT) which “is a set of policies, procedures,
technologies, people, and data necessary to prevent, detect, react, and recover from an incident
that could potentially damage the organization’s information” (Whitman & Mattord, 2007).
There are three different ways of making up these SIRTs: centralized is one group maintaining
the whole organization, distributed is several teams split up into different portions of the
organization, and coordinating is a advice team that helps the others teams out without managing
over them (Whitman & Mattord, 2007). The company should probably have a distributed SIRT
set up to maintain the different portions of the organization, so that if problems arise in this large
company, there are enough teams to handle it (Whitman & Mattord, 2007). These should be
inside employees from the IT department doing these SIRTs, I don’t believe that outsourcing is
necessary because it does not seem they are suffering too bad to maintain their own incidents
(Whitman & Mattord, 2007). Services that are offered by SIRT include: reactive
(alerts/warnings, incident/vulnerability/artifact handling), proactive (audits, announcements,
maintenance, intrusion detection systems, and configuration), and security management (risk
analysis, evaluation/certification, business continuity/disaster recovery planning, and training)
(Whitman & Mattord, 2007). These are all very important services that will come in handy to
better prepare the organization for incidents, and the SIRT will definitely be beneficial to the
improvement of incident response and contingency planning (Whitman & Mattord, 2007).

10. Incident Response and Contingency Planning Journal 9
Journal Entries for Week Four 09/12/11 to 09/18/11
Journal Entry One:
This case study consists of a new way to protect the organization from security threats
that firewalls, intrusion detection systems, and scanners are doing, but this can be a pretty costly
expense for the company because of yearly subscription fees, and hardware costs (Whitman &
Mattord, 2007). JJ had mentioned a better way to save money, and protect the company the same
way that all these technologies had that he learned from a meeting at another company (Whitman
& Mattord, 2007). His approach was to use open source software which would save a lot of
money in the long run, but could prove costly up front because they would either have to hire
someone who is trained for this software or send their own employees off for training (Whitman
& Mattord, 2007). It is important for companies to try to save as much money as possible
because they do have to cover very large costs, but they shouldn’t cut money in a very important
part of the company because securing the systems from any attacks should be top priority
(Whitman & Mattord, 2007). It could prove to be more costly if this newer approach doesn’t
work as well as they think because an attack could cost the company its business if it were too
catastrophic, and did more damage than repairable. Management would need to weigh the option
of sticking with what they have because they know it works or trade it out for the new open
source approach to see if it can cover what the other approach was doing, and save them the
expected amount of money (Whitman & Mattord, 2007).
Journal Entry Two:
JJ suggested that the intrusion detection system should be dropped from being network-
based to being host-based instead; Paul agrees that this will be a great idea, and asks for

11. Incident Response and Contingency Planning Journal 10
technology to be found for this suggestion (Whitman & Mattord, 2007). Easily enough, a host-
based intrusion detection system would be the solution because rather than it being placed on the
network, and monitoring everything over the network (network-based IDS), it actually is placed
on one host, and only monitors everything happening on that host (Whitman & Mattord, 2007).
HIDS basically monitors any alterations, deletions, or creations in the system files and system
configuration of the host computer (Whitman & Mattord, 2007). “The HIDS triggers an alert or
alarm when one of the following changes occurs: file attributes change, new files are created, or
existing files are deleted” (Whitman & Mattord, 2007). The HIDS can determine if an attack is
going to happen, if it has happened, or is going on, and can tell if it was successful at its attempt,
but fortunately keeps its own log file of everything that has happened to better identify what
happened (Whitman & Mattord, 2007). The advantages to implementing HIDS is specific to the
host computer that it is on, so it is capable of detecting things on that host that slipped by a
NIDS, not affected by switched networks, and by comparing audit files to the current files, the
HID can detect problems (Whitman & Mattord, 2007). The disadvantages of implementing
HIDS is that it takes a lot more managing because it resides on each host rather than a whole
network, unable to defend against direct attacks or operating system targeted attacks, only
capable of monitoring that one sole device, vulnerable to DOS, requires large amounts of storage
for audit logs, and reduction in performance of the host computer (Whitman & Mattord, 2007). I
think host-based IDS would be beneficial to implement because it does solely target that host
computer, and can protect it better than just a network wide IDS that could have things slip
through if there is a lot of traffic over the network (Whitman & Mattord, 2007). The only reason
I would not suggest doing a host-based IDS is that it does require a lot of additional attention to
each host with this software because it isn’t watching over the whole network, just whichever

12. Incident Response and Contingency Planning Journal 11
devices you decide to install it on, so if problems arise, you may have to go to each computer to
determine the problem (Whitman & Mattord, 2007).
Journal Entry Three:
JJ is looking for more information on open source software, and training for it, so I found
a company that offers both OpenLogic.com. “OpenLogic provides enterprises with open source
support, scanning, provisioning and governance solutions to safely and efficiently leverage open
source software. OpenLogic gives enterprises the choice, confidence, and control necessary to
mitigate open source risks while maximizing cost savings” (OpenLogic, Inc., 2011). OpenLogic
provides open source software packages with support in developer or production options
(OpenLogic, Inc., 2011). The developer support is offered with more than 500 Linux packages,
but only supports during business hours (five days a week, twelve hours each) with a four hour
response, and can work through phone, email, or online support (OpenLogic, Inc., 2011). The
production support is offered with more than 500 Linux packages, and supports all day every day
with a one hour response, and can work through phone, email, or online support (OpenLogic,
Inc., 2011). For all packages, OpenLogic offers updates for all bugs or security vulnerabilities to
keep software up to date, and keep your systems protected (OpenLogic, Inc., 2011). One of the
great aspects of this open source option is that it does offer training depending on the package,
for example: open source build and test tools range from two to ten days per each subtopic, and
open source clustering lasts three days, but also offers package training for: apache HTTP server,
application framework/servers, databases, Java, PHP, and web services (OpenLogic, Inc., 2011).
I would recommend this HAL because it is open source as they wanted, it does focus packages
around Linux, it offers training for particular packages, and I think this would be a beneficial in
their search for open source software (OpenLogic, Inc., 2011).

13. Incident Response and Contingency Planning Journal 12
Journal Entries for Week Five 09/19/11 to 09/25/11
Journal Entry One:
The Fourth Amendment states “the right of the people to be secure in their persons,
houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and
no warrants shall issue, but upon probable cause, supported by the Oath or affirmation, and
particularly describing the place to be searched, and the persons or things to be seized”
(Whitman & Mattord, 2007). The Fourth Amendment is very important to a company because
you never know when a disaster could happen that an employee caused, you have to wonder how
the best way is to prove it, and that is through the legal use of search warrants (Whitman &
Mattord, 2007).
Journal Entry Two:
The Fourth Amendment may protect against unlawful searches and seizures without a
warrant, but there are ways to get around this, there are seven exceptions to the Fourth
Amendment, they include: “consent, plain view, exigent circumstance, inventory search, border
search, international issues, and search incident to a lawful arrest” (Whitman & Mattord, 2007).
The two most prominent exceptions are consent and plain view; consent states that the person of
interest allows for law enforcement to search their personal belongings without refusal, and plain
view states that an item is observable without having to change anything in the environment to
have access to it (Whitman & Mattord, 2007). Now two problems arise with consent, if consent
is given how much consent is truly given to search the environment or just a small piece of it,
and the other refers to who can actually give consent to search something (Whitman & Mattord,
2007). This relates to the class material because you may need to search an employee’s

14. Incident Response and Contingency Planning Journal 13
computer, and you need to know the best way to do that, even if you have to follow one of these
exceptions to do it.
Journal Entry Three:
It is rough determining what is pushing passed the limit, and what isn’t whether they
require a warrant or just probable cause to search someone (Whitman & Mattord, 2007). The
1976 Copyright Act was created to help protect not only physical property, but intellectual
property as well (Whitman & Mattord, 2007). Though it may be a person’s property, if they are
at work, and they decide to store their personal information on a computer leased to them
through the company, then they are set to stand by the polices of the company because it is the
company’s property (Whitman & Mattord, 2007). The Electronic Communications Privacy Act
of 1986 states the regulation of wire, electronic, and oral interceptions, this includes: disclosure,
distribution, possession, confiscation, authorization, and reports of these interceptions (Whitman
& Mattord, 2007). The Privacy Protection Act of 1980 states that journalists do not have to
forfeit their work to law enforcement until it is published for the public to view (Whitman &
Mattord, 2007).
Journal Entries for Week Six 09/26/11 to 10/02/11
Journal Entry One:
Due to the anthrax scare the mailroom had, there are other catastrophes that could take
place in the mailroom that could cause problems for company (Whitman & Mattord, 2007). I
think the next obvious scare in the mailroom that is related to the anthrax scare would be a
package with a bomb inside, that could cost many lives, or even disrupt business for a very long
time (Whitman & Mattord, 2007). Another catastrophe that could possibly happen is the mailing

15. Incident Response and Contingency Planning Journal 14
of an electronic device such as a jump drive that someone may put in their computer, and it starts
infecting the system, then the network, putting everything at risk of being compromised
(Whitman & Mattord, 2007). Business operations need to be careful in order to protect human
lives, but also the company itself because a catastrophe could put the business out for weeks or
months, maybe even forever depending on how drastic it is (Whitman & Mattord, 2007).
Journal Entry Two:
I believe the most important goal when planning for the resumption of critical business
functions at an alternate site for four weeks would be to plan to be back at the primary site as
soon as possible, and only take what is absolutely necessary for work with them to the alternate
because it is not a long term standing (Whitman & Mattord, 2007). If instead it lasted for thirty
weeks, I would suggest just focusing on maintaining business to the utmost, and taking
everything that you can easily enough, so that it is readily available in case you need it (Whitman
& Mattord, 2007). With it being such a long time, the business continuity plan would be used to
help keep everything flowing smoothly because it helps with business functions for long periods
of time, and would work concurrently with the disaster recovery plan (Whitman & Mattord,
2007). For devices you are unable to move off-site there is the option to do remote journaling
where it would transfer data from the primary site to the off-site, so that it is still available
(Whitman & Mattord, 2007).
Journal Entry Three:
The contingency planning management team (CPMT) is normally involved with setting
up alternate sites in the case of a disaster, and they generally focus on the cost that is acceptable
for what has happened (Whitman & Mattord, 2007). There are five sites that are capable of

16. Incident Response and Contingency Planning Journal 15
supporting a company at an alternate, and there are three agreements that can also be considered
(Whitman & Mattord, 2007). If cost is a big deal then the CPMT would go with a cold site which
would have long term setup time, but does not have hardware or telecommunications (Whitman
& Mattord, 2007). If cost isn’t too important then a warm or hot site would be used; a warm site
would offer partial hardware and telecommunications for a medium setup of time, and a hot site
would offer full hardware and telecommunications, and a short setup time (Whitman & Mattord,
2007). If cost just doesn’t matter at all then the CPMT could choose to go with mobile or
mirrored sites which are costly; a mobile site is hardware, telecommunications, and setup time
dependent, so it would need to be researched if they are capable of making this mobile, and a
mirrored site would have full hardware and telecommunications, with no setup time because it is
already setup (Whitman & Mattord, 2007). Three agreements that a company can decide on are
timeshare, service bureaus, and mutual agreements where a company basically signs a contract
with another business, and in different manners, they offer portions or full facility space to take
in a company that has suffered from a disaster (Whitman & Mattord, 2007). Subject area experts
are just that, experts in their particular fields that can decide what is best for their field and what
all they will need to make it possible to continue work in their field (Whitman & Mattord, 2007).
Summary:
Some of the most important findings covered in these case studies relate directly to the
overall objective of this class: risk management, business impact analysis, incident response
plan, disaster recovery plan, business continuity plan, and the threats that make these very
important pieces of any business (Whitman & Mattord, 2007).

17. Incident Response and Contingency Planning Journal 16
The main goal of all of this is to protect the confidentiality, integrity, and availability of
information in an organization (Whitman & Mattord, 2007). There are twelve threat categories
(previously listed in a journal entry) that threaten the CIA of information, and this is the most
important asset in the company (Whitman & Mattord, 2007).
Risk management protects the CIA of information by finding the vulnerabilities
threatening information systems, and a thorough plan to follow for mitigating these risks
(Whitman & Mattord, 2007). Risk management uses risk identification, risk control, and risk
assessment in handling risks threatening the information systems (Whitman & Mattord, 2007).
A business impact analysis is beneficial to help assess what different risks can pose to the
company’s day to day business, whether one threat doesn’t do anything to disrupt business, but
another one could threaten the livelihood of the business (Whitman & Mattord, 2007). This
prioritization of threats help to identify what is the worst risk to the company that should be
taken care of before something that is not as risky (Whitman & Mattord, 2007).
The incident response plan is the next step taken when a threat actually attacks an
organization; this plan helps to identify what it is, and what should be done to manage the threat
at the time it is attacking (Whitman & Mattord, 2007). The incident response plan “focuses on
intelligence gathering, information analysis, coordinated decision making, and urgent actions”
(Whitman & Mattord, 2007). The disaster recovery plan helps with recovering the business from
any disaster that strikes, and this can be beneficial in lowering the chances of loss (Whitman &
Mattord, 2007).
The disaster recovery plan “focuses on preparations completed before and actions taken
after the incident” (Whitman & Mattord, 2007). Lastly, the business continuity plan helps

18. Incident Response and Contingency Planning Journal 17
identify ways to continue business at alternates for long periods of time until business can run at
the primary site (Whitman & Mattord, 2007).
In conclusion, these are all very important pieces in taking care of the business to protect
it from threats, and to plan for actions to take if there is a disaster that threatens the livelihood of
a company (Whitman & Mattord, 2007).

19. Incident Response and Contingency Planning Journal 18
Reference
OpenLogic, Inc. (2011). Openlogic: Helping enterprises use open source software. Retrieved
from http://www.openlogic.com/index.php.
Richardson, Robert. (2011). 2010/2011 computer crime and security survey. New York, NY:
Computer Security Institute. Retrieved from http://gocsi.com/survey.
Whitman, M. E., & Mattord, H. J. (2007). Principles of incident response and disaster recovery.
Boston, MA: Course Technology, Cengage Learning.