IT 552 Module Five Assignment Rubric
The purpose of this assignment is to develop an incident response plan to combat a specific security gap.
Prompt: In the Case Document, one of the security gap analyses indicated a high number of laptop thefts and a high number of security incidents. Because of
this recent increase in theft and security incidents, the chief information security officer asks you to develop an incident response plan. Submit a plan including
the eight basic elements of an incident response plan, and procedures for sharing information with outside parties. See the Oregon state incident response
template as a sample, but all work should be original.
Specifically, the following critical elements must be addressed:
Include the eight basic elements of an incident response plan.
Describe procedures for sharing information with outside parties.
Guidelines for Submission: Your paper must be submitted as a 4 to 6 page Microsoft Word document with double spacing, 12-point Times New Roman font, and
one-inch margins.
Critical Elements Proficient (100%) Needs Improvement (70%) Not Evident (0%) Value
Eight Basic Elements Explains the eight basic elements of
an incident response plan
Minimally explains eight basic elements of
an incident response plan
Does not explain the eight basic
elements of an incident response plan
35
Procedures for Sharing
Information
Describes the procedures for sharing
information with outside parties
Insufficiently describes the procedures for
sharing information with outside parties
Does not describe the procedures for
sharing information with outside
parties
35
Articulation of
Response
Submission has no major errors
related to citations, grammar,
spelling, syntax, or organization
Submission has major errors related to
citations, grammar, spelling, syntax, or
organization that negatively impact
readability and articulation of main ideas
Submission has critical errors related
to citations, grammar, spelling, syntax,
or organization that prevent the
understanding of ideas
30
Earned Total 100%
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
http://www.oregon.gov/das/OSCIO/Documents/incidentresponseplantemplate.pdf
http://www.oregon.gov/das/OSCIO/Documents/incidentresponseplantemplate.pdf
<agency> Information Security Incident Response Plan <Date>
1
Information Security
Incident Response Plan
Agency:
Date:
Contact:
<agency> Information Security Incident Response Plan <Date>
2
TABLE OF CONTENTS
Introduction ...................................................................................................... 3
Authority ........................................................................................................... 4
Terms and Definitions ......................................................................................
This document is a risk assessment report that contains several sections analyzing approaches to risk assessment for an organization's IT architecture. It discusses evaluating risk, qualitative and quantitative approaches, the organization's departments and how they interconnect, security certifications, and tools for conducting risk management research such as the Plus, Minus, Interesting method and applying the "what if" approach. The report provides an in-depth analysis of how to properly assess and manage risks to an organization's IT systems.
Practical Guide to Managing Incidents Using LLM's and NLP.pdfChris Galvan
This is a project that was created to enable Cybersecurity Defenders in positions such as Forensics, Incident Response, SOC, and Threat Hunting to have a starting place to investigate logs across AWS, GCP, and and Windows Systems.
The last section includes 3 case studies and research done by Christian Galvan and Lawren Epstein on real world attacks to large companies.
Generic Sample Company has developed an Information Security Incident Response Plan to effectively handle security incidents. The plan establishes an Information Security Subcommittee to govern incident response. It defines roles and responsibilities, and outlines the incident response process including identification, classification, triage, evidence preservation, forensics, eradication, confirmation of elimination, and resumption of operations. The plan also covers education/awareness, communications, and compliance requirements.
An IT risk assessment does more than just tell you about the state of security of your IT infrastructure; it can facilitate decision-making on your organizational security strategy. Some of the benefits of conducting an IT risk assessment are:
The document provides information about Leo Lourdes and his foundation in cyber security. Leo Lourdes has extensive training and certifications in IT management, project management, information security and service management. The objective of his cyber security foundation is to prevent harm to computer networks, applications, devices and data. The training covers topics such as the CIA triad, security governance, risk management and cyber threats.
This document discusses best practices for cybersecurity policy and governance in government organizations. It emphasizes the importance of aligning security policies with business objectives to enable operations rather than hinder them. Effective risk management requires identifying critical assets, analyzing threats and vulnerabilities, and understanding breach implications. It also stresses the need for strong executive support of security policies and constant policy refreshment as technologies change.
Vskills Certified Network Security Professional Sample MaterialVskills
The document discusses security planning and policies. It begins by defining a security policy and information security management system (ISMS). It then discusses the importance of security planning, which involves risk assessment to identify assets, threats, and risks. The key aspects of risk assessment covered are identifying assets, risks to assets, and risk sources. It also discusses identifying security threats and contingency planning. Finally, it discusses different types of security policies an organization can implement, including password, email, internet, backup and access policies. The overall document provides guidance on developing a comprehensive security program through planning, policies and procedures.
This document is a risk assessment report that contains several sections analyzing approaches to risk assessment for an organization's IT architecture. It discusses evaluating risk, qualitative and quantitative approaches, the organization's departments and how they interconnect, security certifications, and tools for conducting risk management research such as the Plus, Minus, Interesting method and applying the "what if" approach. The report provides an in-depth analysis of how to properly assess and manage risks to an organization's IT systems.
Practical Guide to Managing Incidents Using LLM's and NLP.pdfChris Galvan
This is a project that was created to enable Cybersecurity Defenders in positions such as Forensics, Incident Response, SOC, and Threat Hunting to have a starting place to investigate logs across AWS, GCP, and and Windows Systems.
The last section includes 3 case studies and research done by Christian Galvan and Lawren Epstein on real world attacks to large companies.
Generic Sample Company has developed an Information Security Incident Response Plan to effectively handle security incidents. The plan establishes an Information Security Subcommittee to govern incident response. It defines roles and responsibilities, and outlines the incident response process including identification, classification, triage, evidence preservation, forensics, eradication, confirmation of elimination, and resumption of operations. The plan also covers education/awareness, communications, and compliance requirements.
An IT risk assessment does more than just tell you about the state of security of your IT infrastructure; it can facilitate decision-making on your organizational security strategy. Some of the benefits of conducting an IT risk assessment are:
The document provides information about Leo Lourdes and his foundation in cyber security. Leo Lourdes has extensive training and certifications in IT management, project management, information security and service management. The objective of his cyber security foundation is to prevent harm to computer networks, applications, devices and data. The training covers topics such as the CIA triad, security governance, risk management and cyber threats.
This document discusses best practices for cybersecurity policy and governance in government organizations. It emphasizes the importance of aligning security policies with business objectives to enable operations rather than hinder them. Effective risk management requires identifying critical assets, analyzing threats and vulnerabilities, and understanding breach implications. It also stresses the need for strong executive support of security policies and constant policy refreshment as technologies change.
Vskills Certified Network Security Professional Sample MaterialVskills
The document discusses security planning and policies. It begins by defining a security policy and information security management system (ISMS). It then discusses the importance of security planning, which involves risk assessment to identify assets, threats, and risks. The key aspects of risk assessment covered are identifying assets, risks to assets, and risk sources. It also discusses identifying security threats and contingency planning. Finally, it discusses different types of security policies an organization can implement, including password, email, internet, backup and access policies. The overall document provides guidance on developing a comprehensive security program through planning, policies and procedures.
Incident response methodology involves responding to and managing cyber attacks through investigation, containment, eradication, recovery and lessons learned. A well-developed incident response plan is needed to minimize damage from attacks and data breaches, and recover as quickly as possible. Key aspects of incident response include detecting incidents, formulating response strategies, investigating through data collection and forensic analysis, and reporting findings. The goal is to understand attack methods and prevent future incidents.
The Significance of IT Security Management & Risk AssessmentBradley Susser
The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
This document provides an overview of roles and responsibilities related to information security at RLK Products. It describes job descriptions for key information security roles including the Information Assurance/Security Officer, Risk and Contingency Manager, System Owner, Security Operations Manager, Computer Security Specialist, Telecommunications Specialist, Web Administrator, Database Administrator, Systems Architect, and System Administrator. Each role has specific duties for developing, implementing, and maintaining policies, procedures, training, risk assessments, and technical controls to protect RLK's information systems and data.
ISE 620 Final Project Guidelines and Rubric Overview .docxchristiandean12115
ISE 620 Final Project Guidelines and Rubric
Overview
The final project for this course is the creation of a security posture and response analysis report.
With the explosion of the internet, we are living in a world with no boundaries. Organizations rely on e-commerce as a huge portion of their business models.
With a move to more internet-based commerce and banking, there has been an increase in security threats, network penetrations, and intrusions. Information
systems have inherent weaknesses and can be vulnerable to attacks from internal users, external customers, and anyone intending on malicious activity. This is
why security incident detection and response has become an integral component of information technology programs; businesses and organizations must be
able to handle security incidents effectively and efficiently. To this end, your final project will provide you with the opportunity to report on the detection of and
response to an information security incident of a potential client.
For the final project, imagine that you are a cybersecurity consultant working for Business Secure, a fictitious cybersecurity firm. Business Secure has been
approached by Health Network Inc. (HealthNet), a fictitious health services organization. HealthNet would like Business Secure to develop a request for proposal
(RFP) based on HealthNet’s security needs. To support the creation of this RFP, the practice director has gathered key details from HealthNet and has tasked you
with conducting a review of these materials and formulating your opinions and preliminary recommendations within a security posture and response analysis
report.
To develop this report, you will need to begin by conducting a comprehensive review and evaluation of the Project Plan Backgrounder document, which provides
an overview of the company and details its cyber policies and procedures. With preliminary security assessments already completed and provided to you by the
practice director, you will also review a Nessus scan and Snort report as well as HealthNet’s policies and procedures:
Incident Handling and Response Procedures
Incident Detection and Response Policy
Electronic Password and Authentication Policy
Some external regulatory research on HealthNet’s industry sector will also be needed for providing compliance and regulatory assessment analysis for the
organization. Keep in mind that while your report will evaluate all of HealthNet’s policies and security measures, you will only select one corporate office to
focus on for state legislation: California (HQ), Illinois, Nevada, Oregon, or Washington State. The larger RFP objective is to provide preliminary recommendations
to HealthNet on notification and escalation improvements, stakeholder identification, and recovery and general remediation for the network. Review the
provided Project Plan Backgrounder document for the expected final report design.
The project is divi.
Event security companies in london want www.ieventsecurity.co.ukAhsan Gill
This document provides guidance on organizing security functions within an organization. It discusses establishing security documentation, organizing the security function, and information security practices.
The key points are:
1. Security documentation is organized into three tiers - policy, operational standards, and technical documentation - to provide requirements and guidance. Responsibilities for developing and approving documentation are outlined.
2. The security function should be organized to provide overall planning, coordination, and evaluation of physical, personnel, and IT security. A departmental security officer should coordinate the security program.
3. Information security practices include classifying information, designating personal or sensitive data, and applying minimum safeguards based on the potential harm from compromise or disclosure.
The document is the user's guide for the FFIEC Cybersecurity Assessment Tool. It provides an overview of the tool and guidance for institutions on how to complete the assessment. The assessment consists of two parts - an Inherent Risk Profile to identify inherent cyber risks, and a Cybersecurity Maturity assessment across five domains to determine preparedness levels. It describes how to determine risk levels for inherent risk factors and maturity levels for controls. The goal is to help institutions measure cybersecurity risks and preparedness over time to enhance risk management.
Experion Data Breach Response ExcerptsPeter Henley
The document provides guidance on preparing for and responding to a data breach. It outlines key steps to take within the first 24 hours of discovering a breach, including securing affected systems, documenting details, notifying stakeholders and engaging forensic experts. It emphasizes the importance of having an incident response plan and team in place before a breach occurs to coordinate response efforts. The plan should include guidance for various departments and identify roles for assembling a response team, investigating breaches, notifying affected individuals, and working with external vendors and law enforcement.
During week 6 we develop the theory and application of capital bud.docxjacksnathalie
During week 6 we develop the theory and application of capital budget analysis. The theory was robust, the calculations mathematically and logically defined, and many of the real-world problems, likely to be encountered, were addressed. As capital budgeting essentially re-invents the company through major long-term expenditures it is arguably one of the most critical functions that financial management performs. However, based on my personal experiences, extensive empirical data, and antidotal data - many firms routinely experience significant failures in their selection of capital projects.
The assignment for this topic consists if two parts:
1) For your first topic in this conference I would like for you to briefly review either your personal experiences and/or the financial literature to identify and present a description of one actual capital project/product failure and the reasons attributed to the failure. For those of you who do not have personal experiences the following are some illustrated examples of failed projects/products over the last 50 years you may want to look up and consider: -New Coke,- The Iridium Satellite Communication,- the Edsel automobile, Beta (vs. VHS), the Concord SST, and various Dot Coms. Feel free to research others.
In your response please provide financial information regarding the project (what is available): initial outlay, projected cash flows, final dollar losses.
Remember this is a one to two paragraph exercise - do not go overboard - a few hours research and summation is all that’s required. I am interested only in your short, concise description of the project and the major reasons you believe it failed.
2) Synthesize your one-paragraph position on what 3-5 specific factors you believe most likely to contribute to capital project analysis failure.
CDC
IT Security Staff BCP Policy
[
CSIA 413,
Professor Last Name:
Policy Document
IT
Business Continuity Plan Policy
Document Control
Organization
Center for Disease and Control (CDC)
Title
CDC IT Security Staff BCP Policy
Author
Owner
IT Security Staff Manager
Subject
Business Continuity Plan Policy
Review date
Revision History
Revision Date
Reviser
Previous Version
Description of Revision
No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval
Name
Date
Approved
Document Distribution
This document will be distributed to:
Name
Job Title
Email Address
All CDC Security Staff
Information Security Specialist
Contributors
Development of this policy was assisted through information provided by the following organization:
· CDC and Department of Defense, Health and Homeland Security
Table of Contents
Policy Statement4
1Purpose4
2Objective4
3Scope5
4Compliance5
5Terms and Definitions7
6Risk Identification and Assessment7
7Policy8
Policy Statement
The Center for Disease and Control mission is to protect America from health, safety and security threats, both foreign and in the ...
The document discusses incident management at eHealth Ontario. It defines privacy incidents, security incidents, and privacy breaches. It outlines eHealth Ontario's incident management framework, activities, and metrics. It also discusses developing incident response capabilities, the incident initiation process, and lessons learned around effective incident management.
This document provides a summary of policies for information security at RLK Products. It outlines the job description and qualifications for an Information Assurance/Security Officer who will be responsible for developing and implementing a comprehensive security program. The policies describe requirements for privacy, acceptable use, staff responsibilities, and compliance with regulations. Incident response procedures, risk assessments, training, and an emergency plan are part of maintaining security.
The document provides details about a presentation on risk assessment and internal controls in IT enabled environments. It discusses:
1. How risk assessment involves identifying threats, vulnerabilities, assets, impact, and likelihood to understand risks. Internal controls can then reduce probability of threats or vulnerabilities.
2. Two case studies - how eBay India assessed risks to critical business processes and IT systems, finding sales systems high risk. And for a law firm, case proceeding and client databases were high risk due to data stored.
3. How risk management involves assessing risks, selecting controls, and accepting residual risks, with the goal of supporting business objectives.
(CDC IT Security Staff BCP Policy) ([CSIA 413,).docxjoyjonna282
(
CDC
IT Security Staff BCP Policy
) (
[
CSIA 413,
) (
Professor Last Name:
) (
Policy Document
)
(
IT
Business Continuity Plan Policy
)
Document Control
Organization
Center for Disease and Control (CDC)
Title
CDC IT Security Staff BCP Policy
Author
Owner
IT Security Staff Manager
Subject
Business Continuity Plan Policy
Review date
Revision History
Revision Date
Reviser
Previous Version
Description of Revision
No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval
Name
Date
Approved
Document Distribution
This document will be distributed to:
Name
Job Title
Email Address
All CDC Security Staff
Information Security Specialist
Contributors
Development of this policy was assisted through information provided by the following organization:
· CDC and Department of Defense, Health and Homeland Security
Table of Contents
Policy Statement4
1Purpose4
2Objective4
3Scope5
4Compliance5
5Terms and Definitions7
6Risk Identification and Assessment7
7Policy8
Policy Statement
The Center for Disease and Control mission is to protect America from health, safety and security threats, both foreign and in the U.S whether the diseases starts at home or abroad, are chronic or acute, curable or preventable, human error or deliberate attack, it fights disease and supports communities and citizens to do the same. It is this sensitive mandate that makes CDC infrastructure critical. CDC is both a source and repository of information.
It is thus critical to secure the information and control access to it, not to mention what information departs the organisation. CDC has to contend with IT regulations and laws that control how sensitive information is used. Given the sources of some of this information, CDC has to contend with the threat of this information being compromised since not all its operations are in one place. Thus CDC conducts critical science and provides health information that protects the nation against expensive and dangerous health threats and responds when these arise.
Unfortunately in life, things do not always follow the ideal and predictable path. Actions may conspire to affect the smooth running of CDC and at the worst case, the relocation to a new site and the continuation of the work that was being done. With the increased security threat, CDC finds itself not able to avoid having to plan for instances where its operations may be disrupted. The plan in intended to achieve efficient and effective operational continuity in order to have all data recovered and restored thus firewalling critical operations. This plan is referred to as the business continuity plan.Purpose
Given the identified risks referred to above, the document is developed for the sole purpose of offering a roadmap to be followed by CDC to recover and restore its operations. The business continuity plan is to be activated should the center be hit by a natural disaster, emergency or delibera ...
This document provides guidance on determining maintenance strategies for hardware and network servicing. It discusses identifying business risks, types of direct and indirect risks to a business, and the process of risk management. It also outlines steps to conduct a software audit, including taking an inventory, metering application usage, gathering licensing documentation, adjusting license counts, and establishing software policies. Finally, it introduces warranties and service contracts, explaining what they cover and questions to consider about them when determining maintenance needs.
E’s Data Security Company Strategic Security Plan – 2015.docxmydrynan
E’s Data Security Company Strategic Security Plan – 2015
Table of Contents
1 EXECUTIVE SUMMARY 3
1.1 Introduction 3
1.2 Objectives 3
1.3 Determine company position 4
2 INTRODUCTION TO SECURITY 4
2.1 Develop 4
2.2 Information Security Employee Responsibilities 4
2.3 Establish Oversight Authority for Information Security 4
2.4 Establish Reporting Procedures for Leaders 5
2.5 Review of Pertinent or Sensitive Data 5
2.6 Purge Unneeded Data 5
3.3 Unauthorized Systems Access – 6
4.3 Educate employees on cyber threats and trends 6
5 EMERGENCY SITUATIONS 7
5.1 Chain of Command 7
5.2 Communications plan 7
5.3 Safety and Security Drills 7
6. SECURITY RISK MANAGEMENT 7
7 REFERENCES 9
1 EXECUTIVE SUMMARY
Per APA, Always Use Times new Roman 12 Font…
E’s Data Security Company was established in 2010. It is an organization that provides data security and network solutions to the state and local government of the US Virgin Islands. An executive summary is much more than just one sentence… Add much more detail here… I suggest you eliminate the executive summary and start with your introduction.. 1.1 Introduction
In April 2014 E’s Data Security Company began its first phase of implementing a security plan for use within the company. This began what began?? Add more clarity here… by hiring its first Chief Information Security Officer (CISO) for the sole purpose of creating a security program for IT purposes (Scalet, 2006). Initially, the efforts of this plan were focused on obtaining the proper staffing to provide support in the implementation of this plan. It is imperative to understand that the development of an IT Security Program is an ongoing process that is ever-evolving, and a shared responsibility (M.U.S.E., n.d.). By coordinating efforts with local, state, and federal government entities, this plan creates a comprehensive opportunity to address the need for such a plan. Due to the fact that this organization serves a small community, the planning process will mainly rely principally on informal relationships. The formalization of this planning process varies based on the frequency of a particular hazard and its impact on the community.
1.2 Objectives This plan is presented and lists a set of goals for oversight and program implementation.
A. Implement and maintain policies and procedures for data security. B. Implement and maintain procedures to test system resilience.
C. Implement and maintain education for employees regarding system vulnerabilities.
D. Implement and maintain physical security procedures.
E. Implement, maintain and review policies for emergency response(s). 1.3 Determine company position
In order tTo determine where the organization stands, an external and internal audit will be conducted to determine its competency (Entrepreneurs, 2011). What is the purpose of this section?? 2 INTRODUCTION TO SECURITY
2.1 Develop – In collaboration with government agencies, the strategic plan ...
Business Continuity Management (BCM) involves developing strategies, plans and actions to provide operational and financial protection for a business. It consists of crisis management, business recovery planning, and IT service continuity management. The goal is to resume critical business functions and services to customers in the event of a disruption. BCM aims to stabilize a crisis situation, prepare for recovery operations, and ensure the resumption of critical IT systems, applications, data and networks. It is more than just disaster recovery and includes measures to prevent disasters from occurring.
In this blog, we’ll delve into the importance of cybersecurity incident response planning and provide a guide for building a resilient response strategy.
BUSINESS IMPACT ANALYSIS For the project work, we .docxfelicidaddinwoodie
BUSINESS IMPACT ANALYSIS
For the project work, we would like to choose Health Insurance industry and within the Health insurance industry, we would like to discuss about security governance operations. Following is the organizational chart of key personnel in our company.
Our main asset to protect is our client’s PI Data (Personal Identifiable Data). Data flows in from the client which will be stored in our secured infrastructure and since we are acting as Data custodians, it should be our topmost priority to uphold the CIA (Confidentiality, Integrity and Availability) of the data. For this purpose, we have a set of governing policies that define procedures to follow in case of an incident. This piece of document a.k.a the policy document is nothing but the Incident Response Plan (IRP). Critical business systems that needs to be protected in the event of a significant disruption are customer database which includes personal and financial information of our clients (Whitman, Mattord, & Green, 2013).
In this industry, in case of an incident, it is very important to validate if it is an actual incident or a false alarm. Upon validation that the incident needs to be investigated, a meeting is setup with the relevant stakeholders and the security team to discuss the IRP plan and map the resources. In our industry, the resources are nothing but people who will be responsible for implementing IRP. These resources include roles like Case Manager, Investigation Specialist, Security Analyst, Security Engineers. Apart from these important resources, stakeholders and vendors will also be involved as needed. There are multiple phases in the IRP plan. They are:
1. Validation
2. Analysis
3. Remediation
4. Post-Incident activity/Recovery
5. Lessons learned
In our company, scope of the IRP document constitutes data protection, vendor management, stakeholder regrouping, mitigative control measures.
Validation: Soon after an incident is recorded, this will be the first step where a case manager would receive the case from a party that has reported the incident. He then takes up the case and reviews it and engages with the investigation team. The purpose of investigation team is to validate that the incident has actually happened to ensure that the resources are utilized in an optimal manner. The data from this phase is being fed into the Analysis phase. During the process of investigation, data attributes like the number of records, criticality of the data and parties involved
Analysis: After validating the occurrence of incident, case will be forwarded to a security analyst for a review/analysis. He will dive deep and come up with an action plan on how to handle the incident.
Remediation: During this phase of IRP, involved parties will be contacted to implement the security controls that were proposed by the analysis team. For example, purging the data in case of unauthorized data disclosure. In this case, we ask for deletion logs from th.
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
The report recommends that security teams shift their focus from technical assets to protecting critical business processes. It also suggests instituting methods for describing cybersecurity risks to businesses in financial terms and establishing automated, business-centric risk assessment processes. Additionally, the report advises developing the capability to continuously evaluate the effectiveness of security controls through evidence-based methods and informed data collection.
10 Tips to Improve Your Security Incident Readiness and ReponseEMC
This white paper covers why incident readiness and response often falls short in ten areas that span people, processes and technology. By tackling these shortcomings, organizations can reduce risk by with early warnings of potential problems.
For our discussion question, we focus on recent trends in security t.pdfalokkesh
For our discussion question, we focus on recent trends in security technologies and security
operations. Staying current with various security tools is an important characteristic of a
proficient security manager. One method to discover new technologies is to attend security
related conferences and network with other security professionals about current and trending best
practices. For your discussion question, choose two relevant and recent physical security
technologies and describe them. As part of your detailed description, provide: 1) Specific
information about the technology\'s function and application; 2) The type of facilities that the
technology would be best suited for; 3) The assets that the technology would best be used to
protect; 4) The likely vulnerabilities that the technology would best address; 5) Methods in
which the technology would be integrated with other technologies; 6) The number and type of
personnel that will need to be committed to the operation of the technology; 7) Special
considerations for policies and procedures to fully implement the technology; and 8) A likely
budget needed to implement the technology. If you are impressed with a particular security
technology that your organization uses, share it. Include any relevant hyperlinks and attach any
pictures if applicable. Here are some security categories of technologies that you may select.
Please make sure your posting covers a specific technology rather than a broad category:
Intrusion Detection Screening Technologies Access Control Technologies
Assessment/Surveillance Technologies Communications Technologies Central Control
Technologies Security Lighting Make certain that you do not duplicate another student\'s
contribution. You can select a “different” technology from the same category.
Solution
Information Security management is a process of defining the security controls in order to
protect the information assets.
Security Program
The first action of a management program to implement information security is to have a
security program in place. Though some argue the first act would be to gain some real \"proof of
concept\" \"explainable thru display on the monitor screen\" security knowledge. Start with
maybe understanding where OS passwords are stored within the code inside a file within a
directory. If you don\'t understand Operating Systems at the root directory level maybe you
should seek out advice from somebody who does before even beginning to implement security
program management and objectives.
Security Program Objectives
Protect the company and its assets.
Manage Risks by Identifying assets, discovering threats and estimating the risk
Provide direction for security activities by framing of information security policies, procedures,
standards, guidelines and baselines
Information Classification
Security Organization and
Security Education
Security Management Responsibilities
Determining objectives, scope, policies,re expected to be accomplished fr.
100 Original WorkZero PlagiarismGraduate Level Writing Required.docxchristiandean12115
This document provides instructions for a 1,250- to 1,400-word paper that is due on March 6, 2021. Students must choose between the topics of immigration, drug legislation, or three-strikes sentencing. For the selected topic, students must describe how each branch of the US government (executive, legislative, judicial) participates in the policy. The paper must follow APA formatting guidelines and include at least three peer-reviewed literature references, excluding sources like Wikipedia.
10.11771066480704270150THE FAMILY JOURNAL COUNSELING AND THE.docxchristiandean12115
10.1177/1066480704270150THE FAMILY JOURNAL: COUNSELING AND THERAPY FOR COUPLES AND FAMILIES / January 2005Lambert / GAY AND LESBIAN FAMILIES
❖ Literature Review—Research
Gay and Lesbian Families:
What We Know and Where to Go From Here
Serena Lambert
Idaho State University
The author reviewed the research on gay and lesbian parents and
their children. The current body of research has been clear and con-
sistent in establishing that children of gay and lesbian parents are as
psychologically healthy as their peers from heterosexual homes.
However, this comparison approach to research design appears to
have limited the scope of research on gay and lesbian families, leav-
ing much of the experience of these families yet to be investigated.
Keywords: gay men; lesbians; parenting; families
The relationships and family lives of gay and lesbian peo-ple have been the focus of much controversy in the past
decade. The legal and social implications of gay and lesbian
parents appear to have clearly affected the direction that
researchers in the fields of psychology and sociology have
taken in regard to these diverse families. As clinicians, educa-
tors, and researchers, counselors need to be aware of and
involved with issues related to lesbian and gay family life for
several reasons. First, our professional code of ethics charges
us with the ethical responsibility to demonstrate a commit-
ment to gaining knowledge, personal awareness, sensitivity,
and skills significant for working with diverse populations
(American Counseling Association, 1995; International
Association of Marriage and Family Counselors, n.d.). Coun-
selors are also in a unique position to advocate for diverse
clients and families in their communities as well as in their
practices but must possess the knowledge to do so effectively
(Eriksen, 1999). It is believed that work in this area not only
has the potential to affect the lives of our gay and lesbian cli-
ents and their children but also influences developmental and
family theory and informs public policies for the future
(Patterson, 1995, 2000; Savin-Williams & Esterberg, 2000).
This article will review the recent research regarding fami-
lies headed by gay men and lesbians. Studies reviewed in-
clude investigations of gay or lesbian versus homosexual par-
ents, sources of diversity among gay and lesbian parents, and
the personal and sociological development of the children of
gay and lesbian parents. Implications for counselors as well
as directions for future research will also be discussed.
GAY AND LESBIAN PARENTS
How Many Are Out There?
Unfortunately, accurate statistics regarding the numbers
of families headed by gay men and lesbians in our culture are
difficult to determine. Due to fear of discrimination in one or
more aspects of their lives, many gay men and lesbians have
carefully kept their sexual orientation concealed—even from
their own children in some cases (Huggins, 1989). Patterson
(2000) noted that it is es.
More Related Content
Similar to IT 552 Module Five Assignment Rubric The purpose of t.docx
Incident response methodology involves responding to and managing cyber attacks through investigation, containment, eradication, recovery and lessons learned. A well-developed incident response plan is needed to minimize damage from attacks and data breaches, and recover as quickly as possible. Key aspects of incident response include detecting incidents, formulating response strategies, investigating through data collection and forensic analysis, and reporting findings. The goal is to understand attack methods and prevent future incidents.
The Significance of IT Security Management & Risk AssessmentBradley Susser
The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
This document provides an overview of roles and responsibilities related to information security at RLK Products. It describes job descriptions for key information security roles including the Information Assurance/Security Officer, Risk and Contingency Manager, System Owner, Security Operations Manager, Computer Security Specialist, Telecommunications Specialist, Web Administrator, Database Administrator, Systems Architect, and System Administrator. Each role has specific duties for developing, implementing, and maintaining policies, procedures, training, risk assessments, and technical controls to protect RLK's information systems and data.
ISE 620 Final Project Guidelines and Rubric Overview .docxchristiandean12115
ISE 620 Final Project Guidelines and Rubric
Overview
The final project for this course is the creation of a security posture and response analysis report.
With the explosion of the internet, we are living in a world with no boundaries. Organizations rely on e-commerce as a huge portion of their business models.
With a move to more internet-based commerce and banking, there has been an increase in security threats, network penetrations, and intrusions. Information
systems have inherent weaknesses and can be vulnerable to attacks from internal users, external customers, and anyone intending on malicious activity. This is
why security incident detection and response has become an integral component of information technology programs; businesses and organizations must be
able to handle security incidents effectively and efficiently. To this end, your final project will provide you with the opportunity to report on the detection of and
response to an information security incident of a potential client.
For the final project, imagine that you are a cybersecurity consultant working for Business Secure, a fictitious cybersecurity firm. Business Secure has been
approached by Health Network Inc. (HealthNet), a fictitious health services organization. HealthNet would like Business Secure to develop a request for proposal
(RFP) based on HealthNet’s security needs. To support the creation of this RFP, the practice director has gathered key details from HealthNet and has tasked you
with conducting a review of these materials and formulating your opinions and preliminary recommendations within a security posture and response analysis
report.
To develop this report, you will need to begin by conducting a comprehensive review and evaluation of the Project Plan Backgrounder document, which provides
an overview of the company and details its cyber policies and procedures. With preliminary security assessments already completed and provided to you by the
practice director, you will also review a Nessus scan and Snort report as well as HealthNet’s policies and procedures:
Incident Handling and Response Procedures
Incident Detection and Response Policy
Electronic Password and Authentication Policy
Some external regulatory research on HealthNet’s industry sector will also be needed for providing compliance and regulatory assessment analysis for the
organization. Keep in mind that while your report will evaluate all of HealthNet’s policies and security measures, you will only select one corporate office to
focus on for state legislation: California (HQ), Illinois, Nevada, Oregon, or Washington State. The larger RFP objective is to provide preliminary recommendations
to HealthNet on notification and escalation improvements, stakeholder identification, and recovery and general remediation for the network. Review the
provided Project Plan Backgrounder document for the expected final report design.
The project is divi.
Event security companies in london want www.ieventsecurity.co.ukAhsan Gill
This document provides guidance on organizing security functions within an organization. It discusses establishing security documentation, organizing the security function, and information security practices.
The key points are:
1. Security documentation is organized into three tiers - policy, operational standards, and technical documentation - to provide requirements and guidance. Responsibilities for developing and approving documentation are outlined.
2. The security function should be organized to provide overall planning, coordination, and evaluation of physical, personnel, and IT security. A departmental security officer should coordinate the security program.
3. Information security practices include classifying information, designating personal or sensitive data, and applying minimum safeguards based on the potential harm from compromise or disclosure.
The document is the user's guide for the FFIEC Cybersecurity Assessment Tool. It provides an overview of the tool and guidance for institutions on how to complete the assessment. The assessment consists of two parts - an Inherent Risk Profile to identify inherent cyber risks, and a Cybersecurity Maturity assessment across five domains to determine preparedness levels. It describes how to determine risk levels for inherent risk factors and maturity levels for controls. The goal is to help institutions measure cybersecurity risks and preparedness over time to enhance risk management.
Experion Data Breach Response ExcerptsPeter Henley
The document provides guidance on preparing for and responding to a data breach. It outlines key steps to take within the first 24 hours of discovering a breach, including securing affected systems, documenting details, notifying stakeholders and engaging forensic experts. It emphasizes the importance of having an incident response plan and team in place before a breach occurs to coordinate response efforts. The plan should include guidance for various departments and identify roles for assembling a response team, investigating breaches, notifying affected individuals, and working with external vendors and law enforcement.
During week 6 we develop the theory and application of capital bud.docxjacksnathalie
During week 6 we develop the theory and application of capital budget analysis. The theory was robust, the calculations mathematically and logically defined, and many of the real-world problems, likely to be encountered, were addressed. As capital budgeting essentially re-invents the company through major long-term expenditures it is arguably one of the most critical functions that financial management performs. However, based on my personal experiences, extensive empirical data, and antidotal data - many firms routinely experience significant failures in their selection of capital projects.
The assignment for this topic consists if two parts:
1) For your first topic in this conference I would like for you to briefly review either your personal experiences and/or the financial literature to identify and present a description of one actual capital project/product failure and the reasons attributed to the failure. For those of you who do not have personal experiences the following are some illustrated examples of failed projects/products over the last 50 years you may want to look up and consider: -New Coke,- The Iridium Satellite Communication,- the Edsel automobile, Beta (vs. VHS), the Concord SST, and various Dot Coms. Feel free to research others.
In your response please provide financial information regarding the project (what is available): initial outlay, projected cash flows, final dollar losses.
Remember this is a one to two paragraph exercise - do not go overboard - a few hours research and summation is all that’s required. I am interested only in your short, concise description of the project and the major reasons you believe it failed.
2) Synthesize your one-paragraph position on what 3-5 specific factors you believe most likely to contribute to capital project analysis failure.
CDC
IT Security Staff BCP Policy
[
CSIA 413,
Professor Last Name:
Policy Document
IT
Business Continuity Plan Policy
Document Control
Organization
Center for Disease and Control (CDC)
Title
CDC IT Security Staff BCP Policy
Author
Owner
IT Security Staff Manager
Subject
Business Continuity Plan Policy
Review date
Revision History
Revision Date
Reviser
Previous Version
Description of Revision
No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval
Name
Date
Approved
Document Distribution
This document will be distributed to:
Name
Job Title
Email Address
All CDC Security Staff
Information Security Specialist
Contributors
Development of this policy was assisted through information provided by the following organization:
· CDC and Department of Defense, Health and Homeland Security
Table of Contents
Policy Statement4
1Purpose4
2Objective4
3Scope5
4Compliance5
5Terms and Definitions7
6Risk Identification and Assessment7
7Policy8
Policy Statement
The Center for Disease and Control mission is to protect America from health, safety and security threats, both foreign and in the ...
The document discusses incident management at eHealth Ontario. It defines privacy incidents, security incidents, and privacy breaches. It outlines eHealth Ontario's incident management framework, activities, and metrics. It also discusses developing incident response capabilities, the incident initiation process, and lessons learned around effective incident management.
This document provides a summary of policies for information security at RLK Products. It outlines the job description and qualifications for an Information Assurance/Security Officer who will be responsible for developing and implementing a comprehensive security program. The policies describe requirements for privacy, acceptable use, staff responsibilities, and compliance with regulations. Incident response procedures, risk assessments, training, and an emergency plan are part of maintaining security.
The document provides details about a presentation on risk assessment and internal controls in IT enabled environments. It discusses:
1. How risk assessment involves identifying threats, vulnerabilities, assets, impact, and likelihood to understand risks. Internal controls can then reduce probability of threats or vulnerabilities.
2. Two case studies - how eBay India assessed risks to critical business processes and IT systems, finding sales systems high risk. And for a law firm, case proceeding and client databases were high risk due to data stored.
3. How risk management involves assessing risks, selecting controls, and accepting residual risks, with the goal of supporting business objectives.
(CDC IT Security Staff BCP Policy) ([CSIA 413,).docxjoyjonna282
(
CDC
IT Security Staff BCP Policy
) (
[
CSIA 413,
) (
Professor Last Name:
) (
Policy Document
)
(
IT
Business Continuity Plan Policy
)
Document Control
Organization
Center for Disease and Control (CDC)
Title
CDC IT Security Staff BCP Policy
Author
Owner
IT Security Staff Manager
Subject
Business Continuity Plan Policy
Review date
Revision History
Revision Date
Reviser
Previous Version
Description of Revision
No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval
Name
Date
Approved
Document Distribution
This document will be distributed to:
Name
Job Title
Email Address
All CDC Security Staff
Information Security Specialist
Contributors
Development of this policy was assisted through information provided by the following organization:
· CDC and Department of Defense, Health and Homeland Security
Table of Contents
Policy Statement4
1Purpose4
2Objective4
3Scope5
4Compliance5
5Terms and Definitions7
6Risk Identification and Assessment7
7Policy8
Policy Statement
The Center for Disease and Control mission is to protect America from health, safety and security threats, both foreign and in the U.S whether the diseases starts at home or abroad, are chronic or acute, curable or preventable, human error or deliberate attack, it fights disease and supports communities and citizens to do the same. It is this sensitive mandate that makes CDC infrastructure critical. CDC is both a source and repository of information.
It is thus critical to secure the information and control access to it, not to mention what information departs the organisation. CDC has to contend with IT regulations and laws that control how sensitive information is used. Given the sources of some of this information, CDC has to contend with the threat of this information being compromised since not all its operations are in one place. Thus CDC conducts critical science and provides health information that protects the nation against expensive and dangerous health threats and responds when these arise.
Unfortunately in life, things do not always follow the ideal and predictable path. Actions may conspire to affect the smooth running of CDC and at the worst case, the relocation to a new site and the continuation of the work that was being done. With the increased security threat, CDC finds itself not able to avoid having to plan for instances where its operations may be disrupted. The plan in intended to achieve efficient and effective operational continuity in order to have all data recovered and restored thus firewalling critical operations. This plan is referred to as the business continuity plan.Purpose
Given the identified risks referred to above, the document is developed for the sole purpose of offering a roadmap to be followed by CDC to recover and restore its operations. The business continuity plan is to be activated should the center be hit by a natural disaster, emergency or delibera ...
This document provides guidance on determining maintenance strategies for hardware and network servicing. It discusses identifying business risks, types of direct and indirect risks to a business, and the process of risk management. It also outlines steps to conduct a software audit, including taking an inventory, metering application usage, gathering licensing documentation, adjusting license counts, and establishing software policies. Finally, it introduces warranties and service contracts, explaining what they cover and questions to consider about them when determining maintenance needs.
E’s Data Security Company Strategic Security Plan – 2015.docxmydrynan
E’s Data Security Company Strategic Security Plan – 2015
Table of Contents
1 EXECUTIVE SUMMARY 3
1.1 Introduction 3
1.2 Objectives 3
1.3 Determine company position 4
2 INTRODUCTION TO SECURITY 4
2.1 Develop 4
2.2 Information Security Employee Responsibilities 4
2.3 Establish Oversight Authority for Information Security 4
2.4 Establish Reporting Procedures for Leaders 5
2.5 Review of Pertinent or Sensitive Data 5
2.6 Purge Unneeded Data 5
3.3 Unauthorized Systems Access – 6
4.3 Educate employees on cyber threats and trends 6
5 EMERGENCY SITUATIONS 7
5.1 Chain of Command 7
5.2 Communications plan 7
5.3 Safety and Security Drills 7
6. SECURITY RISK MANAGEMENT 7
7 REFERENCES 9
1 EXECUTIVE SUMMARY
Per APA, Always Use Times new Roman 12 Font…
E’s Data Security Company was established in 2010. It is an organization that provides data security and network solutions to the state and local government of the US Virgin Islands. An executive summary is much more than just one sentence… Add much more detail here… I suggest you eliminate the executive summary and start with your introduction.. 1.1 Introduction
In April 2014 E’s Data Security Company began its first phase of implementing a security plan for use within the company. This began what began?? Add more clarity here… by hiring its first Chief Information Security Officer (CISO) for the sole purpose of creating a security program for IT purposes (Scalet, 2006). Initially, the efforts of this plan were focused on obtaining the proper staffing to provide support in the implementation of this plan. It is imperative to understand that the development of an IT Security Program is an ongoing process that is ever-evolving, and a shared responsibility (M.U.S.E., n.d.). By coordinating efforts with local, state, and federal government entities, this plan creates a comprehensive opportunity to address the need for such a plan. Due to the fact that this organization serves a small community, the planning process will mainly rely principally on informal relationships. The formalization of this planning process varies based on the frequency of a particular hazard and its impact on the community.
1.2 Objectives This plan is presented and lists a set of goals for oversight and program implementation.
A. Implement and maintain policies and procedures for data security. B. Implement and maintain procedures to test system resilience.
C. Implement and maintain education for employees regarding system vulnerabilities.
D. Implement and maintain physical security procedures.
E. Implement, maintain and review policies for emergency response(s). 1.3 Determine company position
In order tTo determine where the organization stands, an external and internal audit will be conducted to determine its competency (Entrepreneurs, 2011). What is the purpose of this section?? 2 INTRODUCTION TO SECURITY
2.1 Develop – In collaboration with government agencies, the strategic plan ...
Business Continuity Management (BCM) involves developing strategies, plans and actions to provide operational and financial protection for a business. It consists of crisis management, business recovery planning, and IT service continuity management. The goal is to resume critical business functions and services to customers in the event of a disruption. BCM aims to stabilize a crisis situation, prepare for recovery operations, and ensure the resumption of critical IT systems, applications, data and networks. It is more than just disaster recovery and includes measures to prevent disasters from occurring.
In this blog, we’ll delve into the importance of cybersecurity incident response planning and provide a guide for building a resilient response strategy.
BUSINESS IMPACT ANALYSIS For the project work, we .docxfelicidaddinwoodie
BUSINESS IMPACT ANALYSIS
For the project work, we would like to choose Health Insurance industry and within the Health insurance industry, we would like to discuss about security governance operations. Following is the organizational chart of key personnel in our company.
Our main asset to protect is our client’s PI Data (Personal Identifiable Data). Data flows in from the client which will be stored in our secured infrastructure and since we are acting as Data custodians, it should be our topmost priority to uphold the CIA (Confidentiality, Integrity and Availability) of the data. For this purpose, we have a set of governing policies that define procedures to follow in case of an incident. This piece of document a.k.a the policy document is nothing but the Incident Response Plan (IRP). Critical business systems that needs to be protected in the event of a significant disruption are customer database which includes personal and financial information of our clients (Whitman, Mattord, & Green, 2013).
In this industry, in case of an incident, it is very important to validate if it is an actual incident or a false alarm. Upon validation that the incident needs to be investigated, a meeting is setup with the relevant stakeholders and the security team to discuss the IRP plan and map the resources. In our industry, the resources are nothing but people who will be responsible for implementing IRP. These resources include roles like Case Manager, Investigation Specialist, Security Analyst, Security Engineers. Apart from these important resources, stakeholders and vendors will also be involved as needed. There are multiple phases in the IRP plan. They are:
1. Validation
2. Analysis
3. Remediation
4. Post-Incident activity/Recovery
5. Lessons learned
In our company, scope of the IRP document constitutes data protection, vendor management, stakeholder regrouping, mitigative control measures.
Validation: Soon after an incident is recorded, this will be the first step where a case manager would receive the case from a party that has reported the incident. He then takes up the case and reviews it and engages with the investigation team. The purpose of investigation team is to validate that the incident has actually happened to ensure that the resources are utilized in an optimal manner. The data from this phase is being fed into the Analysis phase. During the process of investigation, data attributes like the number of records, criticality of the data and parties involved
Analysis: After validating the occurrence of incident, case will be forwarded to a security analyst for a review/analysis. He will dive deep and come up with an action plan on how to handle the incident.
Remediation: During this phase of IRP, involved parties will be contacted to implement the security controls that were proposed by the analysis team. For example, purging the data in case of unauthorized data disclosure. In this case, we ask for deletion logs from th.
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
The report recommends that security teams shift their focus from technical assets to protecting critical business processes. It also suggests instituting methods for describing cybersecurity risks to businesses in financial terms and establishing automated, business-centric risk assessment processes. Additionally, the report advises developing the capability to continuously evaluate the effectiveness of security controls through evidence-based methods and informed data collection.
10 Tips to Improve Your Security Incident Readiness and ReponseEMC
This white paper covers why incident readiness and response often falls short in ten areas that span people, processes and technology. By tackling these shortcomings, organizations can reduce risk by with early warnings of potential problems.
For our discussion question, we focus on recent trends in security t.pdfalokkesh
For our discussion question, we focus on recent trends in security technologies and security
operations. Staying current with various security tools is an important characteristic of a
proficient security manager. One method to discover new technologies is to attend security
related conferences and network with other security professionals about current and trending best
practices. For your discussion question, choose two relevant and recent physical security
technologies and describe them. As part of your detailed description, provide: 1) Specific
information about the technology\'s function and application; 2) The type of facilities that the
technology would be best suited for; 3) The assets that the technology would best be used to
protect; 4) The likely vulnerabilities that the technology would best address; 5) Methods in
which the technology would be integrated with other technologies; 6) The number and type of
personnel that will need to be committed to the operation of the technology; 7) Special
considerations for policies and procedures to fully implement the technology; and 8) A likely
budget needed to implement the technology. If you are impressed with a particular security
technology that your organization uses, share it. Include any relevant hyperlinks and attach any
pictures if applicable. Here are some security categories of technologies that you may select.
Please make sure your posting covers a specific technology rather than a broad category:
Intrusion Detection Screening Technologies Access Control Technologies
Assessment/Surveillance Technologies Communications Technologies Central Control
Technologies Security Lighting Make certain that you do not duplicate another student\'s
contribution. You can select a “different” technology from the same category.
Solution
Information Security management is a process of defining the security controls in order to
protect the information assets.
Security Program
The first action of a management program to implement information security is to have a
security program in place. Though some argue the first act would be to gain some real \"proof of
concept\" \"explainable thru display on the monitor screen\" security knowledge. Start with
maybe understanding where OS passwords are stored within the code inside a file within a
directory. If you don\'t understand Operating Systems at the root directory level maybe you
should seek out advice from somebody who does before even beginning to implement security
program management and objectives.
Security Program Objectives
Protect the company and its assets.
Manage Risks by Identifying assets, discovering threats and estimating the risk
Provide direction for security activities by framing of information security policies, procedures,
standards, guidelines and baselines
Information Classification
Security Organization and
Security Education
Security Management Responsibilities
Determining objectives, scope, policies,re expected to be accomplished fr.
Similar to IT 552 Module Five Assignment Rubric The purpose of t.docx (20)
100 Original WorkZero PlagiarismGraduate Level Writing Required.docxchristiandean12115
This document provides instructions for a 1,250- to 1,400-word paper that is due on March 6, 2021. Students must choose between the topics of immigration, drug legislation, or three-strikes sentencing. For the selected topic, students must describe how each branch of the US government (executive, legislative, judicial) participates in the policy. The paper must follow APA formatting guidelines and include at least three peer-reviewed literature references, excluding sources like Wikipedia.
10.11771066480704270150THE FAMILY JOURNAL COUNSELING AND THE.docxchristiandean12115
10.1177/1066480704270150THE FAMILY JOURNAL: COUNSELING AND THERAPY FOR COUPLES AND FAMILIES / January 2005Lambert / GAY AND LESBIAN FAMILIES
❖ Literature Review—Research
Gay and Lesbian Families:
What We Know and Where to Go From Here
Serena Lambert
Idaho State University
The author reviewed the research on gay and lesbian parents and
their children. The current body of research has been clear and con-
sistent in establishing that children of gay and lesbian parents are as
psychologically healthy as their peers from heterosexual homes.
However, this comparison approach to research design appears to
have limited the scope of research on gay and lesbian families, leav-
ing much of the experience of these families yet to be investigated.
Keywords: gay men; lesbians; parenting; families
The relationships and family lives of gay and lesbian peo-ple have been the focus of much controversy in the past
decade. The legal and social implications of gay and lesbian
parents appear to have clearly affected the direction that
researchers in the fields of psychology and sociology have
taken in regard to these diverse families. As clinicians, educa-
tors, and researchers, counselors need to be aware of and
involved with issues related to lesbian and gay family life for
several reasons. First, our professional code of ethics charges
us with the ethical responsibility to demonstrate a commit-
ment to gaining knowledge, personal awareness, sensitivity,
and skills significant for working with diverse populations
(American Counseling Association, 1995; International
Association of Marriage and Family Counselors, n.d.). Coun-
selors are also in a unique position to advocate for diverse
clients and families in their communities as well as in their
practices but must possess the knowledge to do so effectively
(Eriksen, 1999). It is believed that work in this area not only
has the potential to affect the lives of our gay and lesbian cli-
ents and their children but also influences developmental and
family theory and informs public policies for the future
(Patterson, 1995, 2000; Savin-Williams & Esterberg, 2000).
This article will review the recent research regarding fami-
lies headed by gay men and lesbians. Studies reviewed in-
clude investigations of gay or lesbian versus homosexual par-
ents, sources of diversity among gay and lesbian parents, and
the personal and sociological development of the children of
gay and lesbian parents. Implications for counselors as well
as directions for future research will also be discussed.
GAY AND LESBIAN PARENTS
How Many Are Out There?
Unfortunately, accurate statistics regarding the numbers
of families headed by gay men and lesbians in our culture are
difficult to determine. Due to fear of discrimination in one or
more aspects of their lives, many gay men and lesbians have
carefully kept their sexual orientation concealed—even from
their own children in some cases (Huggins, 1989). Patterson
(2000) noted that it is es.
10.11771066480703252339 ARTICLETHE FAMILY JOURNAL COUNSELING.docxchristiandean12115
10.1177/1066480703252339 ARTICLETHE FAMILY JOURNAL: COUNSELING AND THERAPY FOR COUPLES AND FAMILIES / July 2003Fall, Lyons / ETHICAL CONSIDERATIONS
❖ Ethics
Ethical Considerations of Family Secret
Disclosure and Post-Session Safety Management
Kevin A. Fall
Christy Lyons
Loyola University—New Orleans
The ethical issues involved in the disclosure of family secrets in ther-
apy have been addressed in the literature, but the focus has typically
been on secrets disclosed in individual sessions. The literature
largely ignores the ethical issues surrounding in-session disclosure
and the concomitant liability of the family therapist for the post-ses-
sion well-being of the system’s members. This article explores types
of family secrets, provides a case example of in-session disclosure,
and presents ethical considerations and practice recommendations.
Keywords: family secrets; ethics; confidentiality; abuse; safety
A
family without secrets is like a two-year-old without
tantrums: a rarity. Virtually every family has secrets
involving academic problems, relationship dynamics, or even
various illegalities. Secrets permeate the family system
before therapy begins, but with the introduction of the thera-
pist, the system begins to change. The therapist ideally creates
an environment that challenges the boundaries and rules of
the system; this is the nature of therapy. As a result of the
sense of safety within the session, it is conceivable that a fam-
ily member may disclose information that has been hidden for
a wide variety of reasons. Any unearthing of hidden material
will create a disequilibrium within the system. Family thera-
pists are trained to handle the consequences of such a disclo-
sure in session and ethically lay the groundwork for timely
disclosures. Dealing with this disclosure and its impact on the
system often becomes the primary focus of the therapy, as the
perturbation caused by the disclosure can serve as a catalyst to
reorganize the system.
However, not all information is disclosed at the “perfect
time.” In fact, the idiosyncratic internal sensing of safety by
any member of the family may trigger a disclosure prema-
turely. Secrets are such an omnipresent dynamic in the life of
family systems that it seems unlikely that any family therapist
could avoid untimely disclosures. Even in these unpredict-
able moments, a disclosure creates a disequilibrium that can
be productive in the therapy process as the secret and the pro-
cess of maintaining the secret are worked through in an
atmosphere of trust and safety. The ethical question here is
two-fold: What is the therapist’s responsibility in preparing
the family members for the potential risks of counseling that
may arise from such disclosures, and what is the responsibil-
ity of the family therapist to maintain the safety of the mem-
bers after a disclosure?
Although the International Association of Marriage and
Family Counselors’ (IAMFC).
10.11770022427803260263ARTICLEJOURNAL OF RESEARCH IN CRIME AN.docxchristiandean12115
This document summarizes competing theories on whether the perceived risk of punishment deters criminally prone individuals from committing crimes. It discusses three main perspectives: 1) that all individuals are equally deterred regardless of criminal propensity, 2) that criminally prone individuals are less deterred due to their impulsivity and focus on immediate gratification, and 3) that criminally prone individuals are more deterred since socialized individuals act based on moral obligations rather than costs/benefits. The article then analyzes data from a longitudinal study in New Zealand to test the relationship between criminal propensity, perceived punishment risks, and criminal behavior.
10.11770022487105285962Journal of Teacher Education, Vol. 57,.docxchristiandean12115
10.1177/0022487105285962Journal of Teacher Education, Vol. 57, No. XX, XXX/XXX 2006Journal of Teacher Education, Vol. 57, No. XX, XXX/XXX 2006
CONSTRUCTING 21st-CENTURY TEACHER EDUCATION
Linda Darling-Hammond
Stanford University
Much of what teachers need to know to be successful is invisible to lay observers, leading to the view
that teaching requires little formal study and to frequent disdain for teacher education programs. The
weakness of traditional program models that are collections of largely unrelated courses reinforce this
low regard. This article argues that we have learned a great deal about how to create stronger, more ef-
fective teacher education programs. Three critical components of such programs include tight coher-
ence and integration among courses and between course work and clinical work in schools, extensive
and intensely supervised clinical work integrated with course work using pedagogies linking theory
and practice, and closer, proactive relationships with schools that serve diverse learners effectively
and develop and model good teaching. Also, schools of education should resist pressures to water
down preparation, which ultimately undermine the preparation of entering teachers, the reputation
of schools of education, and the strength of the profession.
Keywords: field-based experiences; foundations of education; student teaching; supervision; theo-
ries of teacher education
The previous articles have articulated a spectac-
ular array of things that teachers should know
and be able to do in their work. These include
understanding many things about how people
learn and how to teach effectively, including as-
pects of pedagogical content knowledge that in-
corporate language, culture, and community
contexts for learning. Teachers also need to un-
derstand the person, the spirit, of every child
and find a way to nurture that spirit. And they
need the skills to construct and manage class-
room activities efficiently, communicate well,
use technology, and reflect on their practice to
learn from and improve it continually.
The importance of powerful teaching is
increasingly important in contemporary soci-
ety. Standards for learning are now higher than
they have ever been before, as citizens and
workers need greater knowledge and skill to
survive and succeed. Education is increasingly
important to the success of both individuals and
nations, and growing evidence demonstrates
that—among all educational resources—teach-
ers’ abilities are especially crucial contributors
t o s t u d e n t s ’ le a r n i n g . F u r t h e r m o re , t h e
demands on teachers are increasing. Teachers
need not only to be able to keep order and pro-
vide useful information to students but also to
be increasingly effective in enabling a diverse
group of students to learn ever more complex
material. In previous decades, they were
expected to prepare only a small minority for
ambitious intellectual work, whereas they are
now expected to prep.
10.1 What are three broad mechanisms that malware can use to propa.docxchristiandean12115
10.1 What are three broad mechanisms that malware can use to propagate?
10.2 What are four broad categories of payloads that malware may carry?
10.3 What are typical phases of operation of a virus or worm?
10.4 What mechanisms can a virus use to conceal itself?
10.5 What is the difference between machine-executable and macro viruses?
10.6 What means can a worm use to access remote systems to propagate?
10.7 What is a “drive-by-download” and how does it differ from a worm?
10.8 What is a “logic bomb”?
10.9 Differentiate among the following: a backdoor, a bot, a keylogger, spyware, and a rootkit? Can they all be present in the same malware?
10.10 List some of the different levels in a system that a rootkit may use.
10.11 Describe some malware countermeasure elements.
10.12 List three places malware mitigation mechanisms may be located.
10.13 Briefly describe the four generations of antivirus software.
10.14 How does behavior-blocking software work?
10.15 What is a distributed denial-of-service system?
.
10.0 ptsPresentation of information was exceptional and included.docxchristiandean12115
10.0 pts
Presentation of information was exceptional and included all of the following elements: Identifies the role of concept analysis within theory development. Identifies the selected nursing concept. Identifies the nursing theory from which the selected concept was obtained. A nursing theory was used. Identifies the sections of the paper. Scholarly support from nursing literature was provided.
9.0 pts
Presentation of information was good, but was superficial in places and included all of the following elements: Identifies the role of concept analysis within theory development. Identifies the selected nursing concept. Identifies the nursing theory from which the selected concept was obtained. A nursing theory was used. Identifies the sections of the paper. Scholarly support from nursing literature was provided.
8.0 pts
Presentation of information was minimally demonstrated in the all of the following elements: Identifies the role of concept analysis within theory development. Identifies the selected nursing concept. Identifies the nursing theory from which the selected concept was obtained. A nursing theory was used. Identifies the sections of the paper. Limited scholarly support from nursing literature was provided.
4.0 pts
Presentation of information in one or two of the following elements fails to meet expectations: Identifies the role of concept analysis within theory development. Identifies the selected nursing concept. Identifies the nursing theory from which the selected concept was obtained. A nursing theory was used. Identifies the sections of the paper. Limited or no scholarly support from nursing literature was provided.
0.0 pts
Presentation of information is unsatisfactory in three or more of the following elements: Identifies the role of concept analysis within theory development. Identifies the selected nursing concept. Identifies the nursing theory from which the selected concept was obtained. A nursing theory was used. Identifies the sections of the paper. Limited or no scholarly support from nursing literature was provided.
10.0 pts
This criterion is linked to a Learning Outcome Definition/Explanation of Selected Concept
25.0 pts
Presentation of information was exceptional and included all of the following elements: Defines/explains the concept using scholarly literature (a dictionary maybe used for this section ONLY, and additional scholarly nursing references are required). Provides support from scholarly sources.
22.0 pts
Presentation of information was good, but was superficial in places and included all of the following elements: Defines/explains the concept using scholarly literature (a dictionary maybe used for this section ONLY, and additional scholarly nursing references are required). Provides support from scholarly sources.
20.0 pts
Presentation of information was minimally demonstrated in the all of the following elements: Defines/explains the concept using scholarly literature (a dictionary maybe used for thi.
10-K
1
f12312012-10k.htm
10-K
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, DC 20549
FORM 10-K
(Mark One)
R
Annual report pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the fiscal year ended December 31, 2012
or
o
Transition report pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the transition period from __________ to __________
Commission file number 1-3950
Ford Motor Company
(Exact name of Registrant as specified in its charter)
Delaware
38-0549190
(State of incorporation)
(I.R.S. Employer Identification No.)
One American Road, Dearborn, Michigan
48126
(Address of principal executive offices)
(Zip Code)
313-322-3000
(Registrant’s telephone number, including area code)
Securities registered pursuant to Section 12(b) of the Act:
Title of each class
Name of each exchange on which registered*
Common Stock, par value $.01 per share
New York Stock Exchange
__________
* In addition, shares of Common Stock of Ford are listed on certain stock exchanges in Europe.
Securities registered pursuant to Section 12(g) of the Act: None.
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes R No o
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes o No R
Indicate by check mark if the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes R No o
Indicate by check mark whether the registrant has submitted electronically and posted on its corporate Web site, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files). Yes R No o
Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K (§229.405 of this chapter) is not contained herein, and will not be contained, to the best of registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K. R
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, or a smaller reporting company. See definitions of "large accelerated filer," "accelerated filer," and "smaller reporting company" in Rule 12b-2 of the Exchange Act. Large accelerated filer R Accelerated filer o Non-accelerated filer o Smaller reporting company o
Indicate by check mark whether the registra.
10-K 1 f12312012-10k.htm 10-K UNITED STATESSECURITIES AN.docxchristiandean12115
10-K 1 f12312012-10k.htm 10-K
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, DC 20549
FORM 10-K
(Mark One)
R Annual report pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the fiscal year ended December 31, 2012
or
o Transition report pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the transition period from __________ to __________
Commission file number 1-3950
Ford Motor Company
(Exact name of Registrant as specified in its charter)
Delaware 38-0549190
(State of incorporation) (I.R.S. Employer Identification No.)
One American Road, Dearborn, Michigan 48126
(Address of principal executive offices) (Zip Code)
313-322-3000
(Registrant’s telephone number, including area code)
Securities registered pursuant to Section 12(b) of the Act:
Title of each class Name of each exchange on which registered*
Common Stock, par value $.01 per share New York Stock Exchange
__________
* In addition, shares of Common Stock of Ford are listed on certain stock exchanges in Europe.
Securities registered pursuant to Section 12(g) of the Act: None.
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.
Yes R No o
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act.
Yes o No R
Indicate by check mark if the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities
Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such
reports), and (2) has been subject to such filing requirements for the past 90 days. Yes R No o
Indicate by check mark whether the registrant has submitted electronically and posted on its corporate Web site, if any,
every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§232.405 of this
Page 1 of 216F 12.31.2012- 10K
3/7/2019https://www.sec.gov/Archives/edgar/data/37996/000003799613000014/f12312012-10k.htm
chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such
files). Yes R No o
Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K (§229.405 of this chapter)
is not contained herein, and will not be contained, to the best of registrant’s knowledge, in definitive proxy or information
statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K. R
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, or a
smaller reporting company. See definitions of "large accelerated filer," "accelerated filer," and "smaller reporting company" in
Rule 12b-2 of the Exchange Act. Large accelerated filer R Accelerated filer .
10 What does a golfer, tennis player or cricketer (or any othe.docxchristiandean12115
10 What does a golfer, tennis player or cricketer (or any other professional sportsperson) focus on to achieve high performance? They nearly always give the same answer: “Repeat my process (that is the process they have practised a million times) – replicate it under real pressure and trust in my ability” That’s why Matthew Lloyd throws the grass up under the roof at Etihad Stadium. It is why Ricky Ponting taps the bat, looks down,
looks up and mouths “watch the ball”. It’s
unnecessary for Matthew Lloyd to toss the
grass. There’s no wind under the roof – it’s
simply a routine that enables him to replicate
his process under pressure.
Ricky Pointing knows you have to watch the
ball. Ponting wants the auto pilot light in his
brain to fl ick on as he mutters “watch the ball”.
High performance in sport is achieved through focusing on your
processes, not the scores.
It is absolutely no different in local government. Our business
is governance and we need to be focusing very hard on our
governance processes. We need to learn these processes, modify
them when necessary, understand them deeply, repeat them
under pressure and trust in our capabilities to deliver. If we do
that, the scores will look after themselves.
I want to share with you my ten most important elements in
the governance process. Let me fi rst say that good governance is
the set of processes, protocols, rules, relationships and behaviours
which lead to consistently good decisions. In the end good
governance is good decisions. You could make lots of good
decisions without good governance. But you will eventually
run out of luck – eventually, bad governance process will lead
to bad decisions. Consistently good decisions come from good
governance processes and practices.
Good governance is not only a prerequisite for consistently
good decisions, it is almost the sole determinant of your
reputation. The way you govern, the ‘vibe’ in the community
and in the local paper about the way you govern is almost the
sole determinant of your reputation. Believe me, if reputation
matters to you, then drive improvements through good
governance.
So here are the ten core elements:
1. THE COUNCIL PLAN
An articulate council plan is a fundamental fi rst step to achieving
your goals. It is your set of promises to your community for a
four-year term.
Unfortunately, there are too many wrong plans:
• Claytons Plans – say too little and are too bland. Delete the
name of the council from these plans and you can’t tell whose
it is! There’s no ‘vibe’ at all.
• Agreeable Plans – where everyone gets their bit in the plan.
There’s no sense of priorities, everyone agrees with everything
in the plan and we save all the real fi ghts and confl icts to be
fought out one by one over the four-year term.
• Opposition-creating Plans – we don’t do this so often but we
sometimes ‘use the numbers’ to enable the dominant group of
councillors to achieve their goals and fail to a.
10 Research-Based Tips for Enhancing Literacy Instruct.docxchristiandean12115
10 Research-Based Tips
for Enhancing Literacy
Instruction for Students
With Intellectual
Disability
Christopher J. Lemons, Jill H. Allor, Stephanie Al Otaiba,
and Lauren M. LeJeune
Literacy
T
E
A
C
H
IN
G
E
xc
ep
ti
on
al
C
h
il
d
re
n
,
V
ol
.
49
,
N
o.
1
,
p
p
.
18
–3
0.
C
op
yr
ig
h
t
20
16
T
h
e
A
u
th
or
(s
).
D
O
I:
1
0.
11
77
/0
04
00
59
91
66
62
20
2
by guest on October 20, 2016tcx.sagepub.comDownloaded from
http://tcx.sagepub.com/
TEACHING EXCEPTIONAL CHILDREN | SEPTEMBER/OCTOBER 2016 19
In the past 2 decades, researchers
(often working closely with parents,
teachers, and other school staff
members) have conducted studies that
have substantially increased
understanding how to effectively teach
children and adolescents with
intellectual disability (ID) to read. This
research focus has been fueled by
increased societal expectations for
individuals with ID, advocacy efforts,
and legislative priorities (e.g.,
strengthened accountability standards).
Findings from this body of work
indicate that children and adolescents
with ID can obtain higher levels of
reading achievement than previously
anticipated (Allor, Mathes, Roberts,
Cheatham, & Al Otaiba, 2014). Recent
research also suggests that the historic
focus on functional reading (e.g., signs,
restaurant words) for this population of
learners is likely too limited of a focus
for many (Browder et al., 2009).
Research outcomes suggest that
integrating components of traditional
reading instruction (e.g., phonics,
phonemic awareness) into programs
for students with ID will lead to
increases in independent reading skills
for many (Allor, Al Otaiba, Ortiz, &
Folsom, 2014). These increased reading
abilities are likely to lead to greater
postsecondary outcomes, including
employment, independence, and
quality of life. Unfortunately, many
teachers remain unsure of how to best
design and deliver reading intervention
for students with ID.
We offer a set of 10 research-based
tips for special education teachers,
general education teachers, and other
members of IEP teams to consider when
planning literacy instruction for students
with ID in order to maximize student
outcomes. For each tip, we describe our
rationale for the recommendation and
provide implementation guidance. Our
Literacy Instruction and Support
Planning Tool can be used by team
members to organize information to
guide planning. Our aim is to provide
educators and IEP team members with a
framework for reflecting on current
reading practices in order to make
research-based adjustments that are
likely to improve student outcomes.
The Conceptual Model of Literacy
Browder and colleagues (2009) proposed
a conceptual model for early literacy
instruction for students with severe
developmental disabilities. We believe
their framework provides guidance for
designing and delivering literacy
instruction for all students wit.
10 Strategic Points for the Prospectus, Proposal, and Direct Pract.docxchristiandean12115
10 Strategic Points for the Prospectus, Proposal, and Direct Practice Improvement Project
Week Two Assignment Instructions DNP 820
Please read the instructions thoroughly
Tutor MUST have a good command of the English language
The Rubric must be followed, and all the requirements met
This is a thorough professor, and she has strict requirements
I have attached the PICOT and the first 10 points (DNP 815) assignment. This is a continuation of that assignment. Please read the attachments
The following needs to be addressed:
Please note the followings: The introduction and the literature review are complete and thorough. The problem statement is written clearly PICOT is clear and very good Sample:
· How will you determine the sample size?
· What are the inclusion/exclusion criteria of the subjects? Methodology: Why is the selected methodology is appropriate? Please justify!
· Data collection approach needs to be clear. How will you collect your data? What is needed here is to describe the process of collecting data form signing the informed consent until completing the measuring.
· Data analysis-What test will you use to answer your research question?
Clinical/PICOT Questions:
“In adult patients with CVC at a Clear Lake Regional Medical Center, does interventional staff education about hub hygiene provided to RN’s who access the CVC impact CLABSI rates compared to standard care over a one-month period?”
P: Patients with Central Venous Catheters
I: Staff re-education related to Hygiene of the hub
C: Other hospitals
O: Reduce probability of CLABSIs
T: Two months
“In Patients > 65 years of age with central line catheters at a Clear Lake Regional Medical Center, how does staff training of key personnel and reinforcement of central line catheter hub hygiene after its insertion, along with the apt cleansing of the insertion site, before every approach compared with other area hospitals, reduce the incidence of CLABSIs (Central Line Associated Blood-stream Infections) over a one-month period?”
P: Patients > 65 years of age with a Central line
I: Staff training and reinforcement of Central Catheter, Hub Hygiene
C: Other area hospitals
O: Reduce probability of CLABSIs
“In adult patients, with define CVC (CVC), does interventional staff education about hub hygiene provided to RN’s who access the CVC impact CLABSI rates compared to pre and post-intervention assessments
1. I used central Missouri as an example, replace with a description of your site.
2. While you might be interested in CLASBI rates as a primary variable, there are other patient outcomes that would also be important to consider
3. Ensure you can find validity and reliability measures on CLASBI rates if you cannot, we need to determine another question to help
4. How are your two comparison groups different, as they are currently stated the groups seem very much the same, could you state, standard care instead of pre and post intervention assessments?
5. One month is the longe.
10 Most Common Errors in Suicide Assessment/Intervention
Robert Neimeyer & Angela Pfeiffer
1. Avoidance of Strong Feelings – Diverting discussions away from powerful, intense
emotion and toward a more abstract or intellectualized exchange. These responses keep
interactions on a purely cognitive level and prevent exploration of the more profound
feelings of distress, which may hold the key to successful treatment. Do not retreat to
professionalism, advice-giving, or passivity when faced with intense depression, grief, or
fear.
• Do not analyze and ask why they feel that way.
• USE empathy! “With all the hurt you’ve been experiencing it must be impossible
to hold those tears in.”
• Tears and sobbing are often met with silence of tangential issues instead of
putting into words what the client is mutely expressing: “With all the pain you’re
feeling, it must be impossible to hold those tears in.”
• “I don’t think anyone really cares whether I live or die.” Helpers often shift to
discussing why/asking questions as opposed to reflecting emotional content.
2. Superficial Reassurance – trivial responses to clients’ expressions of acute distress and
hopelessness can do more harm than good. Rather than reassuring clients, these responses
risk alienating them and deepening their feelings of being isolated in their distress.
• Attempts to emphasize more positive or optimistic aspects of the situation: “But
you’re so young and have so much to live for!”
• Premature offering of a prepackaged meaning for the client’s difficulties: “Well
life works in mysterious ways. Maybe this is life’s way of challenging you.”
• Directly contradicting the client’s protest of anguish: “Things can’t be all that
bad.”
3. Professionalism – Insulating or protecting by distancing and detaching from the brutal,
exhausting realities of clients’ lives by seeking refuge in the comfortable boundaries of role
definition. The exaggerated air of objectivity/disinterest implies a hierarchical relationship,
which may disempower the client. Although intended to put a person at ease, this can come
across as disinterest or hierarchical. Empathy is a more facilitative response.
• “My thoughts are so awful I could never tell anyone” is often met with, “You can
tell me. I’m a professional” as opposed to the riskier, empathic reply.
4. Inadequate Assessment of Suicidal Intent – Implicit negation of suicide threat by
responding to indirect and direct expressions of risk with avoidance or reassurance rather
than a prompt assessment of the level of intent, planning, and lethality. Most common
among physicians and master’s level counselors – due to time pressures, personal theories
or discomfort with intense feelings.
• What they’ve been thinking, For how long, Specific plans/means, Previous
attempts
1
• “There’s nowhere left to turn” and “I’d be better off dead” should be met with
“You sound so miserable. Are y.
10 Customer Acquisition and Relationship ManagementDmitry .docxchristiandean12115
10 Customer Acquisition and Relationship Management
Dmitry Kalinovsky/iStock/Thinkstock
Patronage by loyal customers yields 65 percent of a typical business’ volume.
—American Management Association
Learning Objectives
After reading this chapter, you should be able to do the following:
• Identify how organizational growth is best achieved by an HCO, and state the effect of the product life cycle
on an organization’s revenues.
• Discuss several approaches that an HCO can use to attract new customers, or patients.
• Delineate the premises upon which customer relationship management is based.
• Explain the advantages of database marketing, and identify ways for an organization to use a marketing
database.
• Provide examples of how an HCO can effectively manage real and virtual customer interactions.
Section 10.1Organizational Growth
Introduction
This chapter focuses on how to attract and keep patients through understanding and meeting
their needs. The long-term success of an HCO depends on its ability to attract new patients
and turn them into loyal customers who not only return for needed services, but recommend
the HCO’s services to others. This is especially important because of the nature of the life cycle
for products and services, from their introduction to their decline. Attracting new customers
and keeping existing ones involves interacting internally and externally with patients, analyz-
ing data on current patients, and managing real and virtual interactions with patients. Manag-
ing relationships with patients helps to ensure that patients stay informed and feel connected
to the HCO through its internal and external customer relationship efforts.
10.1 Organizational Growth
Most organizations have growth as a basic goal. Growth means an increase in revenue and
a greater impact on the communities served. Growth also creates opportunities for staff to
advance and take on new responsibilities. While many activities can help an HCO grow, the
most important is the development of an effective marketing plan to provide a consistent
platform for the organization’s visibility and to brand the HCO as an attractive option for
medical services. The development of an effective marketing plan was stressed in Chapter 8
as a basic marketing need for an HCO: that is, to inform new and existing customers of the
organization’s services and to persuade them to continue using or to try using these services.
Product/Service Life Cycles
Like people, products and services have a life cycle. The term product life cycle refers to the
stages that a product or service goes through from the time it is introduced until it is taken
off the market or “dies.” The stages of the product life cycle, illustrated in Figure 10.1, usually
include the following descriptions:
• Introduction—The stage of researching, developing, and launching the product or
service.
• Growth—The stage when revenues are increasing at a fast rate.
• M.
10 ELEMENTS OF LITERATURE (FROM A TO Z) 1 PLOT (seri.docxchristiandean12115
10 ELEMENTS OF LITERATURE (FROM A TO Z)
1 PLOT (series of events which make-up a story)
A 5-POINT PLOT SEQUENCE:
Exposition: initial part of a story where readers are exposed to setting and characters.
Situation: event in the story which kicks the action forward and begs for an outcome.
Complication: difficulties faced by characters as they experience internal and external conflicts.
Climax: watershed moment when it becomes apparent that major conflicts will be resolved.
Resolution: (Denouement): tying up of the loose ends of the story.
B SUB-PLOTS: PLOTS BENEATH AND AROUND THE MAJOR PLOT.
Foreshadowing: hints and clues of plot.
Flashback: portion of a plot when a character relives a past experience.
Frame story: plot which begins in the present, quickly goes to the past for story, then returns.
Episodic plot: a large plot sequence that is made up of a series of minor plot sequences.
Plausibility: likelihood that certain events within a plot can occur.
Soap Opera: multiple stories told along the sequence and spaced to sustain continual interest.
2 POINT OF VIEW (eyes through which a story is told)
C First Person major (participant major): narrator is the major character in the story.
First Person minor (participant minor): narrator is a minor character in the story.
Third Person omniscient (non-participant omniscient): narrator is outside the story and capable of
seeing into the heart, mind and motivations of all characters.
Third Person limited (non-participant limited): narrator is outside the story and capable of seeing, at
most, into the heart, mind, and motivations of one character. Narrator is
objective if not omniscient.
3 SETTING (time and place of a story, both physical and psychological)
D Physical (external) Setting: the time and place of a story, general and specific.
Psychological (internal) Setting: mood, tone, and temper of story.
E Major Tempers: Romanticism: man is free to choose against moral, spiritual backdrops. If you make
good decisions, you will be rewarded. There is a God that is in control
Existentialism: man is free to choose absent backdrops other than his own. If he feels it is right, then it is
right.
Naturalism: man is largely trapped, a cog in the impersonal machinery. He has no real way of
changing his circumstances.
Realism: eclectic view, but leaning toward the naturalistic position. Sometimes good things happen to
bad people, and sometimes bad things happen to good people. That is just the way it is.
F Other Tempers: Classicism: Man is free, but appears to be trapped due to conflicting codes.
Transcendentalism: Offshoot of romanticism, nature is a window to divine.
Nihilism: Fallout of either extreme existentialism or naturalism. Life is horrible and painful. It
lacks meaning.
4 CONFLICT (nature of the problems faced)
G Four Universal Conflicts: Person versus self
Pe.
10 ers. Although one can learn definitions favor- able to .docxchristiandean12115
10
ers. Although one can learn definitions favor-
able to crime from law-abiding individuals,
one is most likely to learn such definitions
fiom delinquent friends or criminal family
A Theory of sociation members. with These delinquent studies typically others find is the that best as-
Differential predictor of crime, and that these delinquent others partly influence crime by leading the
individual to adopt beliefs conducive to
Association crime (see Agnew, 2000; Akers, 1998; Akers and Sellers, 2004; Waw, 2001 for summaries
of such studies).
Sutherland 's theory has also inspired
Edwin H. Sutherland dnd much additional theorizing in criminology.
Theorists have attempted to better describe
Donald R. Cressey the nature ofthose definitions favorable to vi-
olation of the law (see the next selection in
Chapter 11 by Sykes and Matza). They have
Before Sutherland developed his theory, attempted to better describe the processes by
crime was usually explained in t e r n ofmul- which we learn criminal behavior from oth-
tiple factors-like social class, broken homes, ers (see the description o f social learning the-
age, race, urban or rural location, and mental ory by Akers in Chapter 12). And they have
disorder. Sutherland developed his theory of drawn on Sutherland in an effort to explain
differential association in an effort to explain group differences in crime rates (see the Wolf-
why these various factors were related to gang and Ferracuti and Anderson selections
crime. In doing so, he hoped to organize and in this part). Sutherland's theory o f differen-
integrate the research on crime u p to that tial association, then, is one of the enduring
point, as well as to guide future research. classics in criminology (for excellent discus-
Sutherlandk theory is stated in the f o m o f sions ofthe current state o f differential asso-
nine propositions. He argues that criminal ciation theory, see Matsueda, 1988, and Waw,
behavior is learned by interacting with oth- 2001).
ers, especially intimate others. Criminals
learn both the techniques of committing
crime and the definitions favorable to crime References
from these others. The s k t h proposition> Agnew Robe*. '2000. "Sources of Mminality:
which f o r n the heart of the theory, states Strain and Subcultural Theories." In Joseph F.
that 'h person becomes delinquent because of Sheley (ed.), Criminology: A Contemporary ,
an excess of definitions favorable to law vio- Handbook, 3rd edition, pp. 349-371. Belmont,
lation over definitions unfavorable to viola- CA: Wadsworth.
tion oflaw."According to Sutherland, factors Akers, Ronald L. 1998. Social Learning and So-
such as social class, race, and broken homes cia1 Structure: A General Theory of Crime and
influence crime because they affect the likeli- Deviance. Boston: Northeastern University
hood that individuals willdssociate with oth- Press.
ers who present definitions favorable to Akers, Ronal.
10 academic sources about the topic (Why is America so violent).docxchristiandean12115
10 academic sources about the topic (Why is America so violent?)
*Address all 10 academic sources in the literature review
*What have they added to the literature?
*End literature review with "What has not been addressed is.... "and with "What I'm Addressing....." (I am addressing that overpopulation is the main reason America is so violent).
*Literature review should be a minimum of 2-2 1/2 pages
Attached are my 10 academic sources.
.
🔥🔥🔥🔥🔥🔥🔥🔥🔥
إضغ بين إيديكم من أقوى الملازم التي صممتها
ملزمة تشريح الجهاز الهيكلي (نظري 3)
💀💀💀💀💀💀💀💀💀💀
تتميز هذهِ الملزمة بعِدة مُميزات :
1- مُترجمة ترجمة تُناسب جميع المستويات
2- تحتوي على 78 رسم توضيحي لكل كلمة موجودة بالملزمة (لكل كلمة !!!!)
#فهم_ماكو_درخ
3- دقة الكتابة والصور عالية جداً جداً جداً
4- هُنالك بعض المعلومات تم توضيحها بشكل تفصيلي جداً (تُعتبر لدى الطالب أو الطالبة بإنها معلومات مُبهمة ومع ذلك تم توضيح هذهِ المعلومات المُبهمة بشكل تفصيلي جداً
5- الملزمة تشرح نفسها ب نفسها بس تكلك تعال اقراني
6- تحتوي الملزمة في اول سلايد على خارطة تتضمن جميع تفرُعات معلومات الجهاز الهيكلي المذكورة في هذهِ الملزمة
واخيراً هذهِ الملزمة حلالٌ عليكم وإتمنى منكم إن تدعولي بالخير والصحة والعافية فقط
كل التوفيق زملائي وزميلاتي ، زميلكم محمد الذهبي 💊💊
🔥🔥🔥🔥🔥🔥🔥🔥🔥
A Visual Guide to 1 Samuel | A Tale of Two HeartsSteve Thomason
These slides walk through the story of 1 Samuel. Samuel is the last judge of Israel. The people reject God and want a king. Saul is anointed as the first king, but he is not a good king. David, the shepherd boy is anointed and Saul is envious of him. David shows honor while Saul continues to self destruct.
This presentation was provided by Racquel Jemison, Ph.D., Christina MacLaughlin, Ph.D., and Paulomi Majumder. Ph.D., all of the American Chemical Society, for the second session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session Two: 'Expanding Pathways to Publishing Careers,' was held June 13, 2024.
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxEduSkills OECD
Iván Bornacelly, Policy Analyst at the OECD Centre for Skills, OECD, presents at the webinar 'Tackling job market gaps with a skills-first approach' on 12 June 2024
Temple of Asclepius in Thrace. Excavation resultsKrassimira Luka
The temple and the sanctuary around were dedicated to Asklepios Zmidrenus. This name has been known since 1875 when an inscription dedicated to him was discovered in Rome. The inscription is dated in 227 AD and was left by soldiers originating from the city of Philippopolis (modern Plovdiv).
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...indexPub
The recent surge in pro-Palestine student activism has prompted significant responses from universities, ranging from negotiations and divestment commitments to increased transparency about investments in companies supporting the war on Gaza. This activism has led to the cessation of student encampments but also highlighted the substantial sacrifices made by students, including academic disruptions and personal risks. The primary drivers of these protests are poor university administration, lack of transparency, and inadequate communication between officials and students. This study examines the profound emotional, psychological, and professional impacts on students engaged in pro-Palestine protests, focusing on Generation Z's (Gen-Z) activism dynamics. This paper explores the significant sacrifices made by these students and even the professors supporting the pro-Palestine movement, with a focus on recent global movements. Through an in-depth analysis of printed and electronic media, the study examines the impacts of these sacrifices on the academic and personal lives of those involved. The paper highlights examples from various universities, demonstrating student activism's long-term and short-term effects, including disciplinary actions, social backlash, and career implications. The researchers also explore the broader implications of student sacrifices. The findings reveal that these sacrifices are driven by a profound commitment to justice and human rights, and are influenced by the increasing availability of information, peer interactions, and personal convictions. The study also discusses the broader implications of this activism, comparing it to historical precedents and assessing its potential to influence policy and public opinion. The emotional and psychological toll on student activists is significant, but their sense of purpose and community support mitigates some of these challenges. However, the researchers call for acknowledging the broader Impact of these sacrifices on the future global movement of FreePalestine.
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumMJDuyan
(𝐓𝐋𝐄 𝟏𝟎𝟎) (𝐋𝐞𝐬𝐬𝐨𝐧 𝟏)-𝐏𝐫𝐞𝐥𝐢𝐦𝐬
𝐃𝐢𝐬𝐜𝐮𝐬𝐬 𝐭𝐡𝐞 𝐄𝐏𝐏 𝐂𝐮𝐫𝐫𝐢𝐜𝐮𝐥𝐮𝐦 𝐢𝐧 𝐭𝐡𝐞 𝐏𝐡𝐢𝐥𝐢𝐩𝐩𝐢𝐧𝐞𝐬:
- Understand the goals and objectives of the Edukasyong Pantahanan at Pangkabuhayan (EPP) curriculum, recognizing its importance in fostering practical life skills and values among students. Students will also be able to identify the key components and subjects covered, such as agriculture, home economics, industrial arts, and information and communication technology.
𝐄𝐱𝐩𝐥𝐚𝐢𝐧 𝐭𝐡𝐞 𝐍𝐚𝐭𝐮𝐫𝐞 𝐚𝐧𝐝 𝐒𝐜𝐨𝐩𝐞 𝐨𝐟 𝐚𝐧 𝐄𝐧𝐭𝐫𝐞𝐩𝐫𝐞𝐧𝐞𝐮𝐫:
-Define entrepreneurship, distinguishing it from general business activities by emphasizing its focus on innovation, risk-taking, and value creation. Students will describe the characteristics and traits of successful entrepreneurs, including their roles and responsibilities, and discuss the broader economic and social impacts of entrepreneurial activities on both local and global scales.
Leveraging Generative AI to Drive Nonprofit InnovationTechSoup
In this webinar, participants learned how to utilize Generative AI to streamline operations and elevate member engagement. Amazon Web Service experts provided a customer specific use cases and dived into low/no-code tools that are quick and easy to deploy through Amazon Web Service (AWS.)
Juneteenth Freedom Day 2024 David Douglas School District
IT 552 Module Five Assignment Rubric The purpose of t.docx
1. IT 552 Module Five Assignment Rubric
The purpose of this assignment is to develop an incident
response plan to combat a specific security gap.
Prompt: In the Case Document, one of the security gap analyses
indicated a high number of laptop thefts and a high number of
security incidents. Because of
this recent increase in theft and security incidents, the chief
information security officer asks you to develop an incident
response plan. Submit a plan including
the eight basic elements of an incident response plan, and
procedures for sharing information with outside parties. See the
Oregon state incident response
template as a sample, but all work should be original.
Specifically, the following critical elements must be addressed:
parties.
Guidelines for Submission: Your paper must be submitted as a 4
to 6 page Microsoft Word document with double spacing, 12-
point Times New Roman font, and
one-inch margins.
2. Critical Elements Proficient (100%) Needs Improvement (70%)
Not Evident (0%) Value
Eight Basic Elements Explains the eight basic elements of
an incident response plan
Minimally explains eight basic elements of
an incident response plan
Does not explain the eight basic
elements of an incident response plan
35
Procedures for Sharing
Information
Describes the procedures for sharing
information with outside parties
Insufficiently describes the procedures for
sharing information with outside parties
Does not describe the procedures for
sharing information with outside
parties
35
Articulation of
Response
Submission has no major errors
related to citations, grammar,
spelling, syntax, or organization
3. Submission has major errors related to
citations, grammar, spelling, syntax, or
organization that negatively impact
readability and articulation of main ideas
Submission has critical errors related
to citations, grammar, spelling, syntax,
or organization that prevent the
understanding of ideas
30
Earned Total 100%
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8
00-61r2.pdf
http://www.oregon.gov/das/OSCIO/Documents/incidentresponse
plantemplate.pdf
http://www.oregon.gov/das/OSCIO/Documents/incidentresponse
plantemplate.pdf
<agency> Information Security Incident Response Plan <Date>
1
Information Security
Incident Response Plan
6. <agency> Information Security Incident Response Plan <Date>
3
Introduction
Note to agencies – The purpose of an information security
incident response program is to
ensure the effective response and handling of security incidents
that affect the availability,
integrity, or confidentiality of agency information assets. In
addition, an incident response
program will ensure information security events, incidents and
vulnerabilities associated with
information assets and information systems are communicated
in a manner enabling timely
corrective action.
This template is intended to be a guide to assist in the
development of an agency incident
response plan, one component of an incident response program.
Agencies may have various
capacities and business needs affecting the implementation of
these guidelines. This information
security incident response plan template was created to align
with the statewide Information
Security Incident Response Policy 107-004-xxx.
ORS 182.122 requires agencies to develop the capacity to
7. respond to incidents that involve the
security of information. Agencies must implement forensic
techniques and remedies, and
consider lessons learned. The statute also requires reporting
incidents and plans to the
Enterprise Security Office. The Oregon Consumer Identity Theft
Protection Act (ORS 646A.600)
requires agencies to take specific actions in cases where
compromise of personally identifiable
information has occurred. This plan addresses these
requirements.
The <agency> has developed this Information Security Incident
Response Plan to implement its
incident-response processes and procedures effectively, and to
ensure that <agency>
employees understand them. The intent of this document is to:
o describe the process of responding to an incident,
o educate employees, and
o build awareness of security requirements.
An incident response plan brings together and organizes the
resources for dealing with any event
that harms or threatens the security of information assets. Such
an event may be a malicious
code attack, an unauthorized access to information or systems,
the unauthorized use of services,
a denial of service attack, or a hoax. The goal is to facilitate
quick and efficient response to
incidents, and to limit their impact while protecting the state’s
information assets. The plan defines
roles and responsibilities, documents the steps necessary for
effectively and efficiently managing
8. an information security incident, and defines channels of
communication. The plan also
prescribes the education needed to achieve these objectives.
<agency> Information Security Incident Response Plan <Date>
4
Authority
Statewide information security policies:
Policy Number Policy Title Effective Date
107-004-050 Information Asset Classification 1/31/2008
107-004-051 Controlling Portable and Removable Storage
Devices 7/30/2007
107-004-052 Information Security 7/30/2007
107-004-053 Employee Security 7/30/2007
107-004-100 Transporting Information Assets 1/31/2008
107-004-110 Acceptable Use of State Information Assets
10/16/2007
107-004-xxx Information Security Incident Response draft
9. <agency> information security policies:
Policy Number Policy Title Effective Date
Terms and Definitions
Note to agencies –Agencies should adjust definitions as
necessary to best meet their business
environment.
Asset: Anything that has value to the agency
Control: Means of managing risk, including policies,
procedures, guidelines, practices or
organizational structures, which can be of administrative,
technical, management, or legal nature
Incident: A single or a series of unwanted or unexpected
information security events (see
definition of "information security event") that result in harm,
or pose a significant threat of harm to
information assets and require non-routine preventative or
corrective action.
Incident Response Plan: Written document that states the
approach to addressing and
10. managing incidents.
Incident Response Policy: Written document that defines
organizational structure for incident
response, defines roles and responsibilities, and lists the
requirements for responding to and
reporting incidents.
<agency> Information Security Incident Response Plan <Date>
5
Incident Response Procedures: Written document(s) of the
series of steps taken when
responding to incidents.
Incident Response Program: Combination of incident response
policy, plan, and procedures.
Information: Any knowledge that can be communicated or
documentary material, regardless of
its physical form or characteristics, including electronic, paper
and verbal communication.
Information Security: Preservation of confidentiality, integrity
and availability of information; in
addition, other properties, such as authenticity, accountability,
non-repudiation, and reliability can
also be involved.
Information Security Event: An observable, measurable
occurrence in respect to an information
11. asset that is a deviation from normal operations.
Threat: A potential cause of an unwanted incident, which may
result in harm to a system or the
agency
Roles and Responsibilities
Note to agencies – These role descriptions come from the
statewide information security policies
and are presented here simply as an example. Agencies should
adjust these descriptions as
necessary to best meet their business environment and include
any additional roles that have
been identified in the agency that apply such as Security
Officer, Privacy Officer, etc. Agencies
need to identify roles, responsibilities and identify who is
responsible for incident response
preparation and planning, discovery, reporting, response,
investigation, recovery, follow-up and
lessons learned.
Staffing will be dependent on agency capabilities. The same
person may fulfill one or more of
these roles provided there is sufficient backup coverage. The
following are suggested roles and
responsibilities an agency should consider: incident response
team members, incident
commander, and agency point of contact to interface with the
State Incident Response Team
(required by statewide policy).
Agency Director Responsible for information security in the
12. agency, for
reducing risk exposure, and for ensuring the agency’s
activities do not introduce undue risk to the enterprise.
The director also is responsible for ensuring compliance
with state enterprise security policies, standards, and
security initiatives, and with state and federal
regulations.
Incident Response Point of Contact Responsible for
communicating with State Incident
Response Team (SIRT)and coordinating agency actions
with SIRT in response to an information security
incident.
Information Owner Responsible for creating initial information
classification,
approving decisions regarding controls and access
privileges, performing periodic reclassification, and
ensuring regular reviews for value and updates to
manage changes to risk.
<agency> Information Security Incident Response Plan <Date>
6
User Responsible for complying with the provisions of
policies, procedures and practices.
Program
13. <detail on agency governance structure – identify who is
responsible for managing information
security incident response for the agency, who is responsible for
developing policy, who is
responsible for developing procedures, who is responsible for
awareness, identification of any
governing bodies such as management committees and work
groups, etc. Include what
information security incident response capabilities the agency
has or identify outside resource
and their capabilities. Include how agency will test plan and
frequency. Include other related
program areas such as business continuity planning, risk
management, and privacy as they relate
to incident response. >
Note to agencies –Procedures may in include Incident Reporting
Procedures for staff,
management, information technology, and Point of Contact.
The Incident Response Program is composed of this plan in
conjunction with policy and
procedures. The following documents should be reviewed for a
complete understanding of the
program:
1. <agency> Information Security Incident Response, Policy
Number XXX-XX, located in
Appendix <insert appendix number> at the end of this
document.
2. <agency> Procedure: Information Security Incident
Response, located in Appendix <insert
14. appendix number> at the end of this document. The related
flowchart for this procedure
is found in Appendix <insert appendix number> at the end of
this document.
Information security incidents will be communicated in a
manner allowing timely corrective action
to be taken. This plan shows how the <agency> will handle
response to an incident, incident
communication, incident response plan testing, training for
response resources and awareness
training
The Information Security Incident Response Policy, Plan, and
procedures will be reviewed <insert
interval here, i.e. annually> or if significant changes occur to
ensure their continuing adequacy
and effectiveness. Each will have an owner who has approved
management responsibility for its
development, review, and evaluation. Reviews will include
assessing opportunities for
improvement and approach to managing information security
incident response in regards to
integrating lessons learned, to changes to <agency’s>
environment, new threats and risks,
business circumstances, legal and policy implications, and
technical environment.
Identification
Identification of an incident is the process of analyzing an event
and determining if that event is
normal or if it is an incident. An incident is an adverse event
and it usually implies either harm, or
15. the attempt to harm the <agency>. Events occur routinely and
will be examined for impact. Those
showing either harm or intent to harm may be escalated to an
incident.
<detail who is responsible for this step and the process that will
be used>
The term “incident” refers to an adverse event impacting one or
more <agency>’s information
assets or to the threat of such an event Examples include but
are not limited to the following:
<agency> Information Security Incident Response Plan <Date>
7
16. Incidents can result from any of the following:
lations of Statewide or <agency>’s Policies
Incident Classification
Once an event is determined to be an incident, several methods
exist for classifying incidents.
<detail who is responsible for this step and the process that will
be used>
17. The following factors are considered when evaluating incidents:
-agency scope
Triage
The objective of the triage process is to gather information,
assess the nature of an incident and
begin making decisions about how to respond to it. It is critical
to ensure when an incident is
discovered and assessed the situation does not become more
severe.
<detail who is responsible for this step and the process that will
be used>
18. <agency> Information Security Incident Response Plan <Date>
8
the projected impact
dentify the root cause of the
incident
Evidence Preservation
Carefully balancing the need to restore operations against the
need to preserve evidence is a
critical part of incident response. Gathering evidence and
19. preserving it are essential for proper
identification of an incident, and for business recovery. Follow-
up activities, such as personnel
actions or criminal prosecution, also rely on gathering and
preserving evidence.
<detail who is responsible for this step and the process that will
be used>
Forensics
Note to agencies – in cases involving potential exposure of
personally identifiable information it is
recommended that technical analysis be performed.
In information security incidents involving computers, when
necessary <agency> will technically
analyze computing devices to identify the cause of an incident
or to analyze and preserve
evidence.
<agency> will practice the following general forensic
guidelines:
o Keep good records of observations and actions taken.
o Make forensically-sound images of systems and retain them in
a secure place.
o Establish chain of custody for evidence.
o Provide basic forensic training to incident response staff,
especially in preservation of
evidence
<detail who is responsible for this step and the process that will
20. be used>
Threat/Vulnerability Eradication
After an incident, efforts will focus on identifying, removing
and repairing the vulnerability that led
to the incident and thoroughly clean the system. To do this, the
vulnerability(s) needs to be clearly
identified so the incident isn't repeated. The goal is to prepare
for the resumption of normal
operations with confidence that the initial problem has been
fixed.
<detail who is responsible for this step and the process that will
be used>
<agency> Information Security Incident Response Plan <Date>
9
Confirm that Threat/Vulnerability has been Eliminated
After the cause of an incident has been removed or eradicated
and data or related information is
restored, it is critical to confirm all threats and vulnerabilities
have been successfully mitigated
and that new threats or vulnerabilities have not been introduced.
<detail who is responsible for this step and the process that will
21. be used>
Resumption of Operations
Resuming operations is a business decision, but it is important
to conduct the preceding steps to
ensure it is safe to do so.
<detail who is responsible for this step and the process that will
be used>
Post-incident Activities
An after-action analysis will be performed for all incidents. The
analysis may consist of one or
more meetings and/or reports. The purpose of the analysis is to
give participants an opportunity
to share and document details about the incident and to
facilitate lessons learned. The meetings
should be held within one week of closing the incident.
<detail who is responsible for this step and the process that will
be used>
Education and Awareness
<agency> shall ensure that incident response is addressed in
education and awareness
programs. The programs shall address:
22. <Discuss training programs, cycle/schedule, etc. Identify
incident response awareness and
training elements – topics to be covered, who will be trained,
how much training is required.>
<detail training for designated response resources>
Note to agencies – DAS has developed a suite of web-based
user awareness modules.
Additional modules are planned and currently Incident
Response is targeted for early 2009.
They are currently available to all state employees by accessing
the state intranet and also are
resident on the enterprise Learning Management System.
Communications
Note to agencies - Communication is vital to incident response.
Therefore, it is important to
control communication surrounding an incident so
communications is appropriate and effective.
Agencies should consider the following aspects of incident
communication:
□ Define circumstances when employees, customers and
partners may or may not be
informed of the issue
□ Disclosure of incident information should be limited to a need
to know basis
□ Establish procedures for controlling communication with the
media
23. □ Establish procedure for communicating securely during an
incident
□ Have contact information for the SIRT, vendors contracted to
help during a security
emergency, as well as relevant technology providers
<agency> Information Security Incident Response Plan <Date>
10
□ Have contact information for customers and clients in the
event they are affected by an
incident
Because of the sensitive and confidential nature of information
and communication surrounding
an incident, all communication must be through secure
channels.
<detail procedures for internal and external communications >
<detail how to securely communication, what is an acceptable
method>
<detail who is responsible for communications and who is not
authorized to discuss incidents>
Compliance
24. <agency> is responsible for implementing and ensuring
compliance with all applicable laws,
rules, policies, and regulations.
<detail agency compliance objectives and initiatives>
<list policies (statewide and agency, see authority section of
plan), federal and state regulations),
statutes, administrative rules that apply, etc.>
<All agencies are subject to the Identity Theft Prevention Act.
Breaches as defined in the Identity
Theft Prevention Act are only one type of an incident. If your
agency is subject to the regulations
list below for example, you should consider the following:
The Payment Card Industry-Data Security Standards requires
entities to develop an Incident
Response Plan, require organizations to be prepared to respond
immediately to a breach by
following a previously developed incident response plan that
addresses business recovery and
continuity procedures, data backup processes, and
communication and contact strategies
HIPAA requires entities to implement policies and procedures
to address security incidents,
requires the creation of a security incident response team or
another reasonable and
appropriate response and reporting mechanism. Agencies
subject to HIPAA should have both
an incident response plan and an Incident response team, as
well as a method to classify
25. security incidents>
Specific to the Identity Theft Prevention Act agency plans
should cover the following:
Consider potential communication channels for different
circumstances, e.g., your plan may be
different for an employee as opposed to a customer data breach.
• Your human resources office
• Agency Public Information Officer (PIO)
• DAS Director’s Office – 503-378-3104
• DAS Office Communication Manager – 503-378-2627
• State Chief Information Security Officer – 503-378-6557
• Department of Justice
• Oregon State Police – 503-378-3720 (ask for the Criminal
Lieutenant)
<agency> Information Security Incident Response Plan <Date>
11
• Other agencies that may be affected
26. • If security breach affects more than 1,000 consumers, contact
all major consumer-
reporting agencies that compile and maintain reports on
consumers on a nationwide
basis; inform them of the timing, distribution and content of the
notification given to the
consumers.
• Contact the credit monitoring bureaus in advance if directing
potential victims to call
them
Equifax – 1-800-525-6285
Experian – 1-888-397-3742
TransUnion – 1-800-680-7289
<agency> maintains personal information of consumers and will
notify customers if personal
information has been subject to a security breach in accordance
with the Oregon Revised Statute
646A.600 - Identity Theft Protection Act. The notification will
be done as soon as possible, in one
of the following manners:
between you and your
customer, or
customer.
27. Notification may be delayed if a law enforcement agency
determines that it will impede a criminal
investigation.
If an investigation into the breach or consultation with a
federal, state or local law enforcement
agency determines there is no reasonable likelihood of harm to
consumers, or if the personal
information was encrypted or made unreadable, notification is
not required.
Substitute notice
If the cost of notifying customers would exceed $250,000, that
the number of those who need to
be contacted is more than 350,000, or if there isn’t means to
sufficiently contact consumers,
substitute notice will be given. Substitute notice consists of:
your Web site if one is
maintained, and
Oregon television and
newspaper media.
Notifying credit-reporting agencies
If the security breach affects more than 1,000 consumers
<agency> will report to all nationwide
credit-reporting agencies, without reasonable delay, the timing,
distribution, and the content of the
notice given to the affected consumers.
<The regulations listed above are provided as examples of
compliance requirements and are not
intended to be a complete listing.>
28. Implementation
<summary of initiatives, plans to develop tactical projects
initiatives to meet plan components,
including timelines, performance measures, auditing/monitoring
requirements for compliance,
etc.>
<agency> Information Security Incident Response Plan <Date>
12
Approval
<approval sign off by agency decision makers, i.e. agency
administrator, security officer, CIO,
etc.>
By:
Name, title Date
29. By:
Name, title Date
Computer Security
Incident Handling Guide
Recommendations of the National Institute
of Standards and Technology
Paul Cichonski
Tom Millar
Tim Grance
Karen Scarfone
Special Publication 800-61
Revision 2
karenw
Typewritten Text
http://dx.doi.org/10.6028/NIST.SP.800-61r2
NIST Special Publication 800-61
30. Revision 2
Computer Security Incident Handling
Guide
Recommendations of the National
Institute of Standards and Technology
Paul Cichonski
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD
Tom Millar
United States Computer Emergency Readiness Team
National Cyber Security Division
Department of Homeland Security
Tim Grance
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
31. Gaithersburg, MD
Karen Scarfone
Scarfone Cybersecurity
C O M P U T E R S E C U R I T Y
August 2012
U.S. Department of Commerce
Rebecca Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher,
Under Secretary of Commerce for Standards and Technology
and Director
karenw
Typewritten Text
http://dx.doi.org/10.6028/NIST.SP.800-61r2
32. COMPUTER SECURITY INCIDENT HANDLING GUIDE
ii
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National
Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by
providing technical leadership for the Nation’s
measurement and standards infrastructure. ITL develops tests,
test methods, reference data, proof of
concept implementations, and technical analyses to advance the
development and productive use of
information technology. ITL’s responsibilities include the
development of management, administrative,
technical, and physical standards and guidelines for the cost-
effective security and privacy of other than
national security-related information in Federal information
systems. The Special Publication 800-series
reports on ITL’s research, guidelines, and outreach efforts in
information system security, and its
collaborative activities with industry, government, and
academic organizations.
33. COMPUTER SECURITY INCIDENT HANDLING GUIDE
iii
Authority
This publication has been developed by NIST to further its
statutory responsibilities under the Federal
Information Security Management Act (FISMA), Public Law
(P.L.) 107-347. NIST is responsible for
developing information security standards and guidelines,
including minimum requirements for Federal
information systems, but such standards and guidelines shall not
apply to national security systems
without the express approval of appropriate Federal officials
exercising policy authority over such
systems. This guideline is consistent with the requirements of
the Office of Management and Budget
(OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-
130, Appendix IV: Analysis of Key Sections. Supplemental
information is provided in Circular A-130,
34. Appendix III, Security of Federal Automated Information
Resources.
Nothing in this publication should be taken to contradict the
standards and guidelines made mandatory
and binding on Federal agencies by the Secretary of Commerce
under statutory authority. Nor should
these guidelines be interpreted as altering or superseding the
existing authorities of the Secretary of
Commerce, Director of the OMB, or any other Federal official.
This publication may be used by
nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States.
Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special
Publication 800-61 Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-61 Revision 2, 79
pages (Aug. 2012)
CODEN: NSPUE2
35. Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology
Laboratory
100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-
8930
Certain commercial entities, equipment, or materials may be
identified in this document in order to describe an
experimental procedure or concept adequately. Such
identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the
entities, materials, or equipment are necessarily the
best available for the purpose.
There may be references in this publication to other
publications currently under development by NIST in
accordance with its assigned statutory responsibilities. The
information in this publication, including concepts
and methodologies, may be used by Federal agencies even
before the completion of such companion
publications. Thus, until each publication is completed, current
requirements, guidelines, and procedures, where
36. they exist, remain operative. For planning and transition
purposes, Federal agencies may wish to closely follow
the development of these new publications by NIST.
Organizations are encouraged to review all draft publications
during public comment periods and provide
feedback to NIST. All NIST publications, other than the ones
noted above, are available at
http://csrc.nist.gov/publications.
karenw
Typewritten Text
http://dx.doi.org/10.6028/NIST.SP.800-61r2
COMPUTER SECURITY INCIDENT HANDLING GUIDE
iv
Abstract
Computer security incident response has become an important
component of information technology (IT)
programs. Because performing incident response effectively is a
complex undertaking, establishing a
successful incident response capability requires substantial
planning and resources. This publication
37. assists organizations in establishing computer security incident
response capabilities and handling
incidents efficiently and effectively. This publication provides
guidelines for incident handling,
particularly for analyzing incident-related data and determining
the appropriate response to each incident.
The guidelines can be followed independently of particular
hardware platforms, operating systems,
protocols, or applications.
Keywords
computer security incident; incident handling; incident
response; information security
COMPUTER SECURITY INCIDENT HANDLING GUIDE
v
Acknowledgments
The authors, Paul Cichonski of the National Institute of
Standards and Technology (NIST), Tom Millar of
the United States Computer Emergency Readiness Team (US-
CERT), Tim Grance of NIST, and Karen
38. Scarfone of Scarfone Cybersecurity wish to thank their
colleagues who reviewed drafts of this document
and contributed to its technical content, including John
Banghart of NIST; Brian Allen, Mark Austin,
Brian DeWyngaert, Andrew Fuller, Chris Hallenbeck, Sharon
Kim, Mischel Kwon, Lee Rock, Richard
Struse, and Randy Vickers of US-CERT; and Marcos Osorno of
the Johns Hopkins University Applied
Physics Laboratory. A special acknowledgment goes to Brent
Logan of US-CERT for his graphics
assistance. The authors would also like to thank security experts
Simon Burson, Anton Chuvakin
(Gartner), Fred Cohen (Fred Cohen & Associates), Mariano M.
del Rio (SIClabs), Jake Evans (Tripwire),
Walter Houser (SRA), Panos Kampanakis (Cisco), Kathleen
Moriarty (EMC), David Schwalenberg
(National Security Agency), and Wes Young (Research and
Education Networking Information Sharing
and Analysis Center [REN-ISAC]), as well as representatives of
the Blue Glacier Management Group, the
Centers for Disease Control and Prevention, the Department of
Energy, the Department of State, and the
Federal Aviation Administration for their particularly valuable
comments and suggestions.
39. The authors would also like to acknowledge the individuals that
contributed to the previous versions of
the publication. A special thanks goes to Brian Kim of Booz
Allen Hamilton, who co-authored the
original version; to Kelly Masone of Blue Glacier Management
Group, who co-authored the first revision;
and also to Rick Ayers, Chad Bloomquist, Vincent Hu, Peter
Mell, Scott Rose, Murugiah Souppaya, Gary
Stoneburner, and John Wack of NIST; Don Benack and Mike
Witt of US-CERT; and Debra Banning,
Pete Coleman, Alexis Feringa, Tracee Glass, Kevin Kuhlkin,
Bryan Laird, Chris Manteuffel, Ron
Ritchey, and Marc Stevens of Booz Allen Hamilton for their
keen and insightful assistance throughout the
development of the document, as well as Ron Banerjee and
Gene Schultz for their work on a preliminary
draft of the document. The authors would also like to express
their thanks to security experts Tom Baxter
(NASA), Mark Bruhn (Indiana University), Brian Carrier
(CERIAS, Purdue University), Eoghan Casey,
Johnny Davis, Jr. (Department of Veterans Affairs), Jim Duncan
(BB&T), Dean Farrington (Wells Fargo
Bank), John Hale (University of Tulsa), Georgia Killcrece
(CERT
®
40. /CC), Barbara Laswell (CERT
®
/CC),
Pascal Meunier (CERIAS, Purdue University), Jeff Murphy
(University of Buffalo), Todd O’Boyle
(MITRE), Marc Rogers (CERIAS, Purdue University), Steve
Romig (Ohio State University), Robin
Ruefle (CERT
®
/CC), Gene Schultz (Lawrence Berkeley National Laboratory),
Michael Smith (US-
CERT), Holt Sorenson, Eugene Spafford (CERIAS, Purdue
University), Ken van Wyk, and Mark Zajicek
(CERT
®
/CC), as well as representatives of the Department of the
Treasury, for their particularly valuable
comments and suggestions.
COMPUTER SECURITY INCIDENT HANDLING GUIDE
vi
Table of Contents
41. Executive Summary
...............................................................................................
.................. 1
1. Introduction
......................................................................................... ......
....................... 4
1.1 Authority
...............................................................................................
..................... 4
1.2 Purpose and Scope
...............................................................................................
.... 4
1.3 Audience
...............................................................................................
.................... 4
1.4 Document Structure
...............................................................................................
... 4
2. Organizing a Computer Security Incident Response
Capability ................................... 6
2.1 Events and Incidents
......................................................................................... ......
.. 6
2.2 Need for Incident Response
...................................................................................... 6
2.3 Incident Response Policy, Plan, and Procedure Creation
.......................................... 7
2.3.1 Policy
Elements.................................................................................
............ 7
2.3.2 Plan Elements
42. ...............................................................................................
8
2.3.3 Procedure Elements
...................................................................................... 8
2.3.4 Sharing Information With Outside Parties
...................................................... 9
2.4 Incident Response Team Structure
......................................................................... 13
2.4.1 Team Models
...............................................................................................
13
2.4.2 Team Model
Selection..................................................................... ............
.14
2.4.3 Incident Response Personnel
.......................................................................16
2.4.4 Dependencies within Organizations
.............................................................17
2.5 Incident Response Team Services
.......................................................................... 18
2.6 Recommendations
...............................................................................................
... 19
3. Handling an Incident
...............................................................................................
........21
3.1 Preparation
...............................................................................................
............... 21
3.1.1 Preparing to Handle Incidents
......................................................................21
3.1.2 Preventing Incidents
43. .....................................................................................23
3.2 Detection and Analysis
............................................................................................
25
3.2.1 Attack Vectors
..............................................................................................
25
3.2.2 Signs of an Incident
......................................................................................26
3.2.3 Sources of Precursors and Indicators
...........................................................27
3.2.4 Incident Analysis
..................................................................................... .....28
3.2.5 Incident Documentation
................................................................................30
3.2.6 Incident Prioritization
....................................................................................32
3.2.7 Incident Notification
......................................................................................33
3.3 Containment, Eradication, and
Recovery................................................................. 35
3.3.1 Choosing a Containment Strategy
................................................................35
3.3.2 Evidence Gathering and Handling
................................................................36
3.3.3 Identifying the Attacking Hosts
.....................................................................37
3.3.4 Eradication and Recovery
............................................................................37
3.4 Post-Incident Activity
........................................................................................... ....
38
3.4.1 Lessons Learned
44. ..........................................................................................38
3.4.2 Using Collected Incident Data
......................................................................39
3.4.3 Evidence Retention
......................................................................................41
3.5 Incident Handling Checklist
..................................................................................... 42
3.6 Recommendations
...............................................................................................
... 42
4. Coordination and Information Sharing
..........................................................................45
COMPUTER SECURITY INCIDENT HANDLING GUIDE
vii
4.1 Coordination
...............................................................................................
............. 45
4.1.1 Coordination Relationships
..........................................................................46
4.1.2 Sharing Agreements and Reporting Requirements
......................................47
4.2 Information Sharing Techniques
.............................................................................. 48
4.2.1 Ad Hoc
...............................................................................................
..........48
4.2.2 Partially Automated
......................................................................................48
45. 4.2.3 Security Considerations
...............................................................................49
4.3 Granular Information Sharing
.................................................................................. 49
4.3.1 Business Impact Information
........................................................................49
4.3.2 Technical Information
...................................................................................50
4.4 Recommendations
...............................................................................................
... 51
List of Appendices
Appendix A— Incident Handling Scenarios
..........................................................................52
A.1 Scenario Questions
...............................................................................................
.. 52
A.2 Scenarios
...............................................................................................
................. 53
Appendix B— Incident-Related Data Elements
.....................................................................58
B.1 Basic Data Elements
...............................................................................................
58
B.2 Incident Handler Data Elements
.............................................................................. 59
46. Appendix C— Glossary
...............................................................................................
...........60
Appendix D— Acronyms
...............................................................................................
.........61
Appendix E—
Resources................................................................................
........................63
Appendix F— Frequently Asked Questions
..........................................................................65
Appendix G— Crisis Handling Steps
.....................................................................................68
Appendix H— Change Log
...............................................................................................
......69
List of Figures
Figure 2-1. Communications with Outside Parties
.....................................................................10
Figure 3-1. Incident Response Life Cycle
..................................................................................21
Figure 3-2. Incident Response Life Cycle (Detection and
Analysis) ...........................................25
47. Figure 3-3. Incident Response Life Cycle (Containment,
Eradication, and Recovery) ...............35
Figure 3-4. Incident Response Life Cycle (Post-Incident
Activity) ..............................................38
Figure 4-1. Incident Response Coordination
.............................................................................46
COMPUTER SECURITY INCIDENT HANDLING GUIDE
viii
List of Tables
Table 3-1. Common Sources of Precursors and Indicators
.......................................................27
Table 3-2. Functional Impact Categories
...................................................................................33
Table 3-3. Information Impact Categories
.................................................................................33
Table 3-4. Recoverability Effort Categories
...............................................................................3 3
Table 3-5. Incident Handling Checklist
48. ......................................................................................42
Table 4-1. Coordination Relationships
.................................................................................... ..47
COMPUTER SECURITY INCIDENT HANDLING GUIDE
1
Executive Summary
Computer security incident response has become an important
component of information technology (IT)
programs. Cybersecurity-related attacks have become not only
more numerous and diverse but also more
damaging and disruptive. New types of security-related
incidents emerge frequently. Preventive activities
based on the results of risk assessments can lower the number of
incidents, but not all incidents can be
prevented. An incident response capability is therefore
necessary for rapidly detecting incidents,
minimizing loss and destruction, mitigating the weaknesses that
were exploited, and restoring IT services.
To that end, this publication provides guidelines for incident
handling, particularly for analyzing incident-
related data and determining the appropriate response to each
incident. The guidelines can be followed
49. independently of particular hardware platforms, operating
systems, protocols, or applications.
Because performing incident response effectively is a complex
undertaking, establishing a successful
incident response capability requires substantial planning and
resources. Continually monitoring for
attacks is essential. Establishing clear procedures for
prioritizing the handling of incidents is critical, as is
implementing effective methods of collecting, analyzing, and
reporting data. It is also vital to build
relationships and establish suitable means of communication
with other internal groups (e.g., human
resources, legal) and with external groups (e.g., other incident
response teams, law enforcement).
This publication assists organizations in establishing computer
security incident response capabilities and
handling incidents efficiently and effectively. This revision of
the publication, Revision 2, updates
material throughout the publication to reflect the changes in
attacks and incidents. Understanding threats
and identifying modern attacks in their early stages is key to
preventing subsequent compromises, and
proactively sharing information among organizations regarding
the signs of these attacks is an
50. increasingly effective way to identify them.
Implementing the following requirements and recommendations
should facilitate efficient and effective
incident response for Federal departments and agencies.
Organizations must create, provision, and operate a formal
incident response capability. Federal
law requires Federal agencies to report incidents to the United
States Computer Emergency
Readiness Team (US-CERT) office within the Department of
Homeland Security (DHS).
The Federal Information Security Management Act (FISMA)
requires Federal agencies to establish
incident response capabilities. Each Federal civilian agency
must designate a primary and secondary point
of contact (POC) with US-CERT and report all incidents
consistent with the agency’s incident response
policy. Each agency is responsible for determining how to
fulfill these requirements.
Establishing an incident response capability should include the
following actions:
reporting
51. regarding incidents
between the incident response team and other
groups, both internal (e.g., legal department) and external (e.g.,
law enforcement agencies)
provide
COMPUTER SECURITY INCIDENT HANDLING GUIDE
2
Organizations should reduce the frequency of incidents by
effectively securing networks, systems,
and applications.
Preventing problems is often less costly and more effective than
reacting to them after they occur. Thus,
incident prevention is an important complement to an incident
response capability. If security controls are
insufficient, high volumes of incidents may occur. This could
overwhelm the resources and capacity for
52. response, which would result in delayed or incomplete recovery
and possibly more extensive damage and
longer periods of service and data unavailability. Incident
handling can be performed more effectively if
organizations complement their incident response capability
with adequate resources to actively maintain
the security of networks, systems, and applications. This
includes training IT staff on complying with the
organization’s security standards and making users aware of
policies and procedures regarding
appropriate use of networks, systems, and applications.
Organizations should document their guidelines for interactions
with other organizations regarding
incidents.
During incident handling, the organization will need to
communicate with outside parties, such as other
incident response teams, law enforcement, the media, vendors,
and victim organizations. Because these
communications often need to occur quickly, organizations
should predetermine communication
guidelines so that only the appropriate information is shared
with the right parties.
Organizations should be generally prepared to handle any
incident but should focus on being
53. prepared to handle incidents that use common attack vectors.
Incidents can occur in countless ways, so it is infeasible to
develop step-by-step instructions for handling
every incident. This publication defines several types of
incidents, based on common attack vectors; these
categories are not intended to provide definitive classification
for incidents, but rather to be used as a
basis for defining more specific handling procedures. Different
types of incidents merit different response
strategies. The attack vectors are:
removable media (e.g., flash drive, CD) or a
peripheral device.
compromise, degrade, or destroy systems,
networks, or services.
-based
application.
attachment.
organization’s acceptable usage
policies by an authorized user, excluding the above categories.
54. device or media used by the
organization, such as a laptop or smartphone.
to any of the other
categories.
COMPUTER SECURITY INCIDENT HANDLING GUIDE
3
Organizations should emphasize the importance of incident
detection and analysis throughout the
organization.
In an organization, millions of possible signs of incidents may
occur each day, recorded mainly by
logging and computer security software. Automation is needed
to perform an initial analysis of the data
and select events of interest for human review. Event
correlation software can be of great value in
automating the analysis process. However, the effectiveness of
the process depends on the quality of the
data that goes into it. Organizations should establish logging
standards and procedures to ensure that
adequate information is collected by logs and security software
and that the data is reviewed regularly.
Organizations should create written guidelines for prioritizing
55. incidents.
Prioritizing the handling of individual incidents is a critical
decision point in the incident response
process. Effective information sharing can help an organization
identify situations that are of greater
severity and demand immediate attention. Incidents should be
prioritized based on the relevant factors,
such as the functional impact of the incident (e.g., current and
likely future negative impact to business
functions), the information impact of the incident (e.g., effect
on the confidentiality, integrity, and
availability of the organization’s information), and the
recoverability from the incident (e.g., the time and
types of resources that must be spent on recovering from the
incident).
Organizations should use the lessons learned process to gain
value from incidents.
After a major incident has been handled, the organization
should hold a lessons learned meeting to review
the effectiveness of the incident handling process and identify
necessary improvements to existing
security controls and practices. Lessons learned meetings can
also be held periodically for lesser incidents
as time and resources permit. The information accumulated
56. from all lessons learned meetings should be
used to identify and correct systemic weaknesses and
deficiencies in policies and procedures. Follow-up
reports generated for each resolved incident can be important
not only for evidentiary purposes but also
for reference in handling future incidents and in training new
team members.
COMPUTER SECURITY INCIDENT HANDLING GUIDE
4
1. Introduction
1.1 Authority
The National Institute of Standards and Technology (NIST)
developed this document in furtherance of its
statutory responsibilities under the Federal Information Security
Management Act (FISMA) of 2002,
Public Law 107-347.
NIST is responsible for developing standards and guidelines,
including minimum requirements, for
providing adequate information security for all agency
operations and assets, but such standards and
57. guidelines shall not apply to national security systems. This
guideline is consistent with the requirements
of the Office of Management and Budget (OMB) Circular A-
130, Section 8b(3), “Securing Agency
Information Systems,” as analyzed in A-130, Appendix IV:
Analysis of Key Sections. Supplemental
information is provided in A-130, Appendix III.
This guideline has been prepared for use by Federal agencies. It
may be used by nongovernmental
organizations on a voluntary basis and is not subject to
copyright, though attribution is desired.
Nothing in this document should be taken to contradict
standards and guidelines made mandatory and
binding on Federal agencies by the Secretary of Commerce
under statutory authority, nor should these
guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce,
Director of the OMB, or any other Federal official.
1.2 Purpose and Scope
This publication seeks to assist organizations in mitigating the
risks from computer security incidents by
providing practical guidelines on responding to incidents
effectively and efficiently. It includes guidelines
58. on establishing an effective incident response program, but the
primary focus of the document is
detecting, analyzing, prioritizing, and handling incidents.
Organizations are encouraged to tailor the
recommended guidelines and solutions to meet their specific
security and mission requirements.
1.3 Audience
This document has been created for computer security incident
response teams (CSIRTs), system and
network administrators, security staff, technical support staff,
chief information security officers (CISOs),
chief information officers (CIOs), computer security program
managers, and others who are responsible
for preparing for, or responding to, security incidents.
1.4 Document Structure
The remainder of this document is organized into the following
sections and appendices:
possible incident response team
structures, and highlights other groups within an organization
that may participate in incident
handling.
ection 3 reviews the basic incident handling steps and
59. provides advice for performing incident
handling more effectively, particularly incident detection and
analysis.
coordination and information sharing.
COMPUTER SECURITY INCIDENT HANDLING GUIDE
5
questions for use in incident response tabletop
discussions.
for each incident.
respectively.
planning and performing incident response.
response.
computer security incident-related crisis.
since the previous revision.
60. COMPUTER SECURITY INCIDENT HANDLING GUIDE
6
2. Organizing a Computer Security Incident Response
Capability
Organizing an effective computer security incident response
capability (CSIRC) involves several major
decisions and actions. One of the first considerations should be
to create an organization-specific
definition of the term “incident” so that the scope of the term is
clear. The organization should decide
what services the incident response team should provide,
consider which team structures and models can
provide those services, and select and implement one or more
incident response teams. Incident response
plan, policy, and procedure creation is an important part of
establishing a team, so that incident response
is performed effectively, efficiently, and consistently, and so
that the team is empowered to do what needs
to be done. The plan, policies, and procedures should reflect the
team’s interactions with other teams
within the organization as well as with outside parties, such as
law enforcement, the media, and other
incident response organizations. This section provides not only
61. guidelines that should be helpful to
organizations that are establishing incident response
capabilities, but also advice on maintaining and
enhancing existing capabilities.
2.1 Events and Incidents
An event is any observable occurrence in a system or network.
Events include a user connecting to a file
share, a server receiving a request for a web page, a user
sending email, and a firewall blocking a
connection attempt. Adverse events are events with a negative
consequence, such as system crashes,
packet floods, unauthorized use of system privileges,
unauthorized access to sensitive data, and execution
of malware that destroys data. This guide addresses only
adverse events that are computer security-
related, not those caused by natural disasters, power failures,
etc.
A computer security incident is a violation or imminent threat
of violation
1
of computer security policies,
acceptable use policies, or standard security practices.
Examples of incidents
2
are:
62. connection requests to a web server, causing
it to crash.
email that is actually malware; running the
tool has infected their computers and established connections
with an external host.
details will be released publicly if the
organization does not pay a designated sum of money.
des or exposes sensitive information to others
through peer-to-peer file sharing services.
2.2 Need for Incident Response
Attacks frequently compromise personal and business data, and
it is critical to respond quickly and
effectively when security breaches occur. The concept of
computer security incident response has become
widely accepted and implemented. One of the benefits of having
an incident response capability is that it
supports responding to incidents systematically (i.e., following
a consistent incident handling
methodology) so that the appropriate actions are taken. Incident
response helps personnel to minimize
loss or theft of information and disruption of services caused by
incidents. Another benefit of incident
63. response is the ability to use information gained during incident
handling to better prepare for handling
1
An “imminent threat of violation” refers to a situation in
which the organization has a factual basis for believing that a
specific incident is about to occur. For example, the antivirus
software maintainers may receive a bulletin from the software
vendor, warning them of new malware that is rapidly spreading
across the Internet.
2
For the remainder of this document, the terms “incident” and
“computer security incident” are interchangeable.
COMPUTER SECURITY INCIDENT HANDLING GUIDE
7
future incidents and to provide stronger protection for systems
and data. An incident response capability
also helps with dealing properly with legal issues that may arise
during incidents.
Besides the business reasons to establish an incident response
capability, Federal departments and
agencies must comply with law, regulations, and policy
directing a coordinated, effective defense against
64. information security threats. Chief among these are the
following:
-130, Appendix III,
3
released in 2000, which directs Federal agencies to
“ensure that there is a capability to provide help to users when a
security incident occurs in the system
and to share information concerning common vulnerabilities and
threats. This capability shall share
information with other organizations … and should assist the
agency in pursuing appropriate legal
action, consistent with Department of Justice guidance.”
4
which requires agencies to have “procedures for detecting,
reporting, and
responding to security incidents” and establishes a centralized
Federal information security incident
center, in part to:
– “Provide timely technical assistance to operators of agency
information systems … including
guidance on detecting and handling information security
incidents …
– Compile and analyze information about incidents that threaten
information security …
65. – Inform operators of agency information systems about current
and potential information security
threats, and vulnerabilities … .”
Minimum Security Requirements for Federal
Information and Information Systems
5
, March 2006, which specifies minimum security requirements
for Federal information and information systems, including
incident response. The specific
requirements are defined in NIST Special Publication (SP) 800-
53, Recommended Security Controls
for Federal Information Systems and Organizations.
-07-16, Safeguarding Against and
Responding to the Breach of Personally
Identifiable Information
6
, May 2007, which provides guidance on reporting security
incidents that
involve PII.
2.3 Incident Response Policy, Plan, and Procedure Creation
This section discusses policies, plans, and procedures related to
incident response, with an emphasis on
interactions with outside parties.
66. 2.3.1 Policy Elements
Policy governing incident response is highly individualized to
the organization. However, most policies
include the same key elements:
3
http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html
4
http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
5
http://csrc.nist.gov/publications/PubsFIPS.html
6
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-
16.pdf
http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html
http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
http://csrc.nist.gov/publications/PubsFIPS.html
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf
COMPUTER SECURITY INCIDENT HANDLING GUIDE
8
67. what circumstances)
responsibilities, and levels of authority; should
include the authority of the incident response team to confiscate
or disconnect equipment and to
monitor suspicious activity, the requirements for reporting
certain types of incidents, the requirements
and guidelines for external communications and information
sharing (e.g., what can be shared with
whom, when, and over what channels), and the handoff and
escalation points in the incident
management process
s
2.3.2 Plan Elements
Organizations should have a formal, focused, and coordinated
approach to responding to incidents,
including an incident response plan that provides the roadmap
for implementing the incident response
capability. Each organization needs a plan that meets its unique
68. requirements, which relates to the
organization’s mission, size, structure, and functions. The plan
should lay out the necessary resources and
management support. The incident response plan should include
the following elements:
m will communicate with the
rest of the organization and with other
organizations
effectiveness
overall organization.
The organization’s mission, strategies, and goals for incident
response should help in determining the
structure of its incident response capability. The incident
response program structure should also be
discussed within the plan. Section 2.4.1 discusses the types of
structures.
69. Once an organization develops a plan and gains management
approval, the organization should
implement the plan and review it at least annually to ensure the
organization is following the roadmap for
maturing the capability and fulfilling their goals for incident
response.
2.3.3 Procedure Elements
Procedures should be based on the incident response policy and
plan. Standard operating procedures
(SOPs) are a delineation of the specific technical processes,
techniques, checklists, and forms used by the
incident response team. SOPs should be reasonably
comprehensive and detailed to ensure that the
COMPUTER SECURITY INCIDENT HANDLING GUIDE
9
priorities of the organization are reflected in response
operations. In addition, following standardized
responses should minimize errors, particularly those that might
be caused by stressful incident handling
situations. SOPs should be tested to validate their accuracy and
usefulness, then distributed to all team
members. Training should be provided for SOP users; the SOP
70. documents can be used as an instructional
tool. Suggested SOP elements are presented throughout Section
3.
2.3.4 Sharing Information With Outside Parties
Organizations often need to communicate with outside parties
regarding an incident, and they should do
so whenever appropriate, such as contacting law enforcement,
fielding media inquiries, and seeking
external expertise. Another example is discussing incidents with
other involved parties, such as Internet
service providers (ISPs), the vendor of vulnerable software, or
other incident response teams.
Organizations may also proactively share relevant incident
indicator information with peers to improve
detection and analysis of incidents. The incident response team
should discuss information sharing with
the organization’s public affairs office, legal department, and
management before an incident occurs to
establish policies and procedures regarding information sharing.
Otherwise, sensitive information
regarding incidents may be provided to unauthorized parties,
potentially leading to additional disruption
and financial loss. The team should document all contacts and
communications with outside parties for
71. liability and evidentiary purposes.
The following sections provide guidelines on communicating
with several types of outside parties, as
depicted in Figure 2-1. The double-headed arrows indicate that
either party may initiate communications.
See Section 4 for additional information on communicating with
outside parties, and see Section 2.4 for a
discussion of communications involving incident response
outsourcers.
COMPUTER SECURITY INCIDENT HANDLING GUIDE
10
Figure 2-1. Communications with Outside Parties
2.3.4.1 The Media
The incident handling team should establish media
communications procedures that comply with the
organization’s policies on media interaction and information
disclosure.
7
For discussing incidents with the
media, organizations often find it beneficial to designate a
single point of contact (POC) and at least one
72. backup contact. The following actions are recommended for
preparing these designated contacts and
should also be considered for preparing others who may be
communicating with the media:
regarding incidents, which should include the
importance of not revealing sensitive information, such as
technical details of countermeasures that
could assist other attackers, and the positive aspects of
communicating important information to the
public fully and effectively.
sensitivities regarding a particular
incident before discussing it with the media.
7
For example, an organization may want members of its public
affairs office and legal department to participate in all
incident discussions with the media.
COMPUTER SECURITY INCIDENT HANDLING GUIDE
11
that communications with the media are
73. consistent and up-to-date.
inquiries.
erviews and press conferences during incident
handling exercises. The following are
examples of questions to ask the media contact:
– Who attacked you? Why?
– When did it happen? How did it happen? Did this happen
because you have poor security
practices?
– How widespread is this incident? What steps are you taking to
determine what happened and to
prevent future occurrences?
– What is the impact of this incident? Was any personally
identifiable information (PII) exposed?
What is the estimated cost of this incident?
2.3.4.2 Law Enforcement
One reason that many security-related incidents do not result in
convictions is that some organizations do
not properly contact law enforcement. Several levels of law
enforcement are available to investigate
incidents: for example, within the United States, Federal
investigatory agencies (e.g., the Federal Bureau
of Investigation [FBI] and the U.S. Secret Service), district
attorney offices, state law enforcement, and
74. local (e.g., county) law enforcement. Law enforcement agencies
in other countries may also be involved,
such as for attacks launched from or directed at locations
outside the US. In addition, agencies have an
Office of Inspector General (OIG) for investigation of violation
of the law within each agency. The
incident response team should become acquainted with its
various law enforcement representatives before
an incident occurs to discuss conditions under which incidents
should be reported to them, how the
reporting should be performed, what evidence should be
collected, and how it should be collected.
Law enforcement should be contacted through designated
individuals in a manner consistent with the
requirements of the law and the organization’s procedures.
Many organizations prefer to appoint one
incident response team member as the primary POC with law
enforcement. This person should be familiar
with the reporting procedures for all relevant law enforcement
agencies and well prepared to recommend
which agency, if any, should be contacted. Note that the
organization typically should not contact
multiple agencies because doing so might result in jurisdictional
conflicts. The incident response team
75. should understand what the potential jurisdictional issues are
(e.g., physical location—an organization
based in one state has a server located in a second state attacked
from a system in a third state, being used
remotely by an attacker in a fourth state).
2.3.4.3 Incident Reporting Organizations
FISMA requires Federal agencies to report incidents to the
United States Computer Emergency Readiness
Team (US-CERT),
8
which is a governmentwide incident response organization that
assists Federal
civilian agencies in their incident handling efforts. US-CERT
does not replace existing agency response
teams; rather, it augments the efforts of Federal civilian
agencies by serving as a focal point for dealing
with incidents. US-CERT analyzes the agency-provided
information to identify trends and indicators of
attacks; these are easier to discern when reviewing data from
many organizations than when reviewing
the data of a single organization.
8
http://www.us-cert.gov/
76. http://www.us-cert.gov/
COMPUTER SECURITY INCIDENT HANDLING GUIDE
12
Each agency must designate a primary and secondary POC with
US-CERT and report all incidents
consistent with the agency’s incident response policy.
Organizations should create a policy that states
who is designated to report incidents and how the incidents
should be reported. Requirements, categories,
and timeframes for reporting incidents to US-CERT are on the
US-CERT website.
9
All Federal agencies
must ensure that their incident response procedures adhere to
US-CERT’s reporting requirements and that
the procedures are followed properly.
All organizations are encouraged to report incidents to their
appropriate CSIRTs. If an organization does
not have its own CSIRT to contact, it can report incidents to
other organizations, including Information
Sharing and Analysis Centers (ISACs). One of the functions of
these industry-specific private sector
77. groups is to share important computer security-related
information among their members. Several ISACs
have been formed for industry sectors such as Communications,
Electric Sector, Financial Services,
Information Technology, and Research and Education.
10
2.3.4.4 Other Outside Parties
An organization may want to discuss incidents with other
groups, including those listed below. When
reaching out to these external parties, an organization may want
to work through US-CERT or its ISAC,
as a “trusted introducer” to broker the relationship. It is likely
that others are experiencing similar issues,
and the trusted introducer can ensure that any such patterns are
identified and taken into consideration.
from its ISP in blocking a major network-
based attack or tracing its origin.
cking Addresses. If attacks are originating
from an external organization’s IP
address space, incident handlers may want to talk to the
designated security contacts for the
organization to alert them to the activity or to ask them to
collect evidence. It is highly recommended
78. to coordinate such communications with US-CERT or an ISAC.
software vendor about suspicious
activity. This contact could include questions regarding the
significance of certain log entries or
known false positives for certain intrusion detection signatures,
where minimal information regarding
the incident may need to be revealed. More information may
need to be provided in some cases—for
example, if a server appears to have been compromised through
an unknown software vulnerability.
Software vendors may also provide information on known
threats (e.g., new attacks) to help
organizations understand the current threat environment.
ms. An organization may
experience an incident that is similar to ones
handled by other teams; proactively sharing information can
facilitate more effective and efficient
incident handling (e.g., providing advance warning, increasing
preparedness, developing situational
awareness). Groups such as the Forum of Incident Response and
Security Teams (FIRST)
11
, the
Government Forum of Incident Response and Security Teams
79. (GFIRST)
12
, and the Anti-Phishing
Working Group (APWG)
13
are not incident response teams, but they promote information
sharing
among incident response teams.
parties directly—for example, an outside
organization may contact the organization and claim that one of
the organization’s users is attacking
9
http://www.us-cert.gov/federal/reportingRequirements.html
10
See the National Council of ISACs website at
http://www.isaccouncil.org/ for a list of ISACs.
11
http://www.first.org/
12
GFIRST is specifically for Federal departments and agencies.
(http://www.us-cert.gov/federal/gfirst.html)
13
http://www.antiphishing.org/
80. http://www.us-cert.gov/federal/reportingRequirements.html
http://www.isaccouncil.org/
http://www.first.org/
http://www.us-cert.gov/federal/gfirst.html
http://www.antiphishing.org/
COMPUTER SECURITY INCIDENT HANDLING GUIDE
13
it. Another way in which external parties may be affected is if
an attacker gains access to sensitive
information regarding them, such as credit card information. In
some jurisdictions, organizations are
required to notify all parties that are affected by such an
incident. Regardless of the circumstances, it
is preferable for the organization to notify affected external
parties of an incident before the media or
other external organizations do so. Handlers should be careful
to give out only appropriate
information—the affected parties may request details about
internal investigations that should not be
revealed publicly.
OMB Memorandum M-07-16, Safeguarding Against and
Responding to the Breach of Personally
Identifiable Information, requires Federal agencies to develop
81. and implement a breach notification
policy for personally identifiable information (PII).
14
Incident handlers should understand how their
incident handling actions should differ when a PII breach is
suspected to have occurred, such as
notifying additional parties or notifying parties within a shorter
timeframe. Specific recommendations
for PII breach notification policies are presented in OMB
Memorandum M-07-16. Also, the National
Conference of State Legislatures has a list of state security
breach notification laws.
15
2.4 Incident Response Team Structure
An incident response team should be available for anyone who
discovers or suspects that an incident
involving the organization has occurred. One or more team
members, depending on the magnitude of the
incident and availability of personnel, will then handle the
incident. The incident handlers analyze the
incident data, determine the impact of the incident, and act
appropriately to limit the damage and restore
normal services. The incident response team’s success depends
82. on the participation and cooperation of
individuals throughout the organization. This section identifies
such individuals, discusses incident
response team models, and provides advice on selecting an
appropriate model.
2.4.1 Team Models
Possible structures for an incident response team include the
following:
team handles incidents throughout the
organization. This model is effective for small organizations
and for organizations with minimal
geographic diversity in terms of computing resources.
multiple incident response teams, each
responsible for a particular logical or physical segment of the
organization. This model is effective for
large organizations (e.g., one team per division) and for
organizations with major computing
resources at distant locations (e.g., one team per geographic
region, one team per major facility).
However, the teams should be part of a single coordinated entity
so that the incident response process
is consistent across the organization and information is shared
among teams. This is particularly
83. important because multiple teams may see components of the
same incident or may handle similar
incidents.
ting Team. An incident response team provides
advice to other teams without having
authority over those teams—for example, a departmentwide
team may assist individual agencies’
teams. This model can be thought of as a CSIRT for CSIRTs.
Because the focus of this document is
14
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-
16.pdf
15
http://www.ncsl.org/default.aspx?tabid=13489
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf
http://www.ncsl.org/default.aspx?tabid=13489
COMPUTER SECURITY INCIDENT HANDLING GUIDE
14
central and distributed CSIRTs, the coordinating team model is
not addressed in detail in this
document.
16
84. Incident response teams can also use any of three staffing
models:
response work, with limited technical and
administrative support from contractors.
its incident response work.
Section 2.4.2 discusses the major factors that should be
considered with outsourcing. Although
incident response duties can be divided among the organization
and one or more outsourcers in many
ways, a few arrangements have become commonplace:
– The most prevalent arrangement is for the organization to
outsource 24-hours-a-day, 7-days-a-
week (24/7) monitoring of intrusion detection sensors, firewalls,
and other security devices to an
offsite managed security services provider (MSSP). The MSSP
identifies and analyzes suspicious
activity and reports each detected incident to the organization’s
incident response team.
– Some organizations perform basic incident response work in-
house and call on contractors to
assist with handling incidents, particularly those that are more
serious or widespread.
85. incident response work, typically to
an onsite contractor. This model is most likely to be used when
the organization needs a full-time,
onsite incident response team but does not have enough
available, qualified employees. It is assumed
that the organization will have employees supervising and
overseeing the outsourcer’s work.
2.4.2 Team Model Selection
When selecting appropriate structure and staffing models for an
incident response team, organizations
should consider the following factors:
incident response staff to be available 24/7.
This typically means that incident handlers can be contacted by
phone, but it can also mean that an
onsite presence is required. Real-time availability is the best for
incident response because the longer
an incident lasts, the more potential there is for damage and
loss. Real-time contact is often needed
when working with other organizations—for example, tracing an
attack back to its source.
-Time Versus Part-Time Team Members. Organizations
with limited funding, staffing, or
incident response needs may have only part-time incident
response team members, serving as more of
86. a virtual incident response team. In this case, the incident
response team can be thought of as a
volunteer fire department. When an emergency occurs, the team
members are contacted rapidly, and
those who can assist do so. An existing group such as the IT
help desk can act as a first POC for
incident reporting. The help desk members can be trained to
perform the initial investigation and data
gathering and then alert the incident response team if it appears
that a serious incident has occurred.
as are the on-call responsibilities of most
team members. This combination makes it easy for incident
response team members to become
overly stressed. Many organizations will also struggle to find
willing, available, experienced, and
properly skilled people to participate, particularly in 24-hour
support. Segregating roles, particularly
16
Information about the Coordinating team model, as well as
extensive information on other team models, is available in a
CERT
®
/CC document titled Organizational Models for Computer
87. Security Incident Response Teams (CSIRTs)
(http://www.cert.org/archive/pdf/03hb001.pdf).
http://www.cert.org/archive/pdf/03hb001.pdf
COMPUTER SECURITY INCIDENT HANDLING GUIDE
15
reducing the amount of administrative work that team members
are responsible for performing, can
be a significant boost to morale.
required to be onsite 24/7. Organizations
may fail to include incident response-specific costs in budgets,
such as sufficient funding for training
and maintaining skills. Because the incident response team
works with so many facets of IT, its
members need much broader knowledge than most IT staff
members. They must also understand how
to use the tools of incident response, such as digital forensics
software. Other costs that may be
overlooked are physical security for the team’s work areas and
communications mechanisms.
knowledge and experience in several
technical areas; the breadth and depth of knowledge required
88. varies based on the severity of the
organization’s risks. Outsourcers may possess deeper
knowledge of intrusion detection, forensics,
vulnerabilities, exploits, and other aspects of security than
employees of the organization. Also,
MSSPs may be able to correlate events among customers so that
they can identify new threats more
quickly than any individual customer could. However, technical
staff members within the
organization usually have much better knowledge of the
organization’s environment than an
outsourcer would, which can be beneficial in identifying false
positives associated with organization-
specific behavior and the criticality of targets. Section 2.4.3
contains additional information on
recommended team member skills.
When considering outsourcing, organizations should keep these
issues in mind:
consider not only the current quality
(breadth and depth) of the outsourcer’s work, but also efforts to
ensure the quality of future work—
for example, minimizing turnover and burnout and providing a
solid training program for new
89. employees. Organizations should think about how they could
objectively assess the quality of the
outsourcer’s work.
ations are often
unwilling to give an outsourcer authority to
make operational decisions for the environment (e.g.,
disconnecting a web server). It is important to
document the appropriate actions for these decision points. For
example, one partially outsourced
model addresses this issue by having the outsourcer provide
incident data to the organization’s
internal team, along with recommendations for further handling
the incident. The internal team
ultimately makes the operational decisions, with the outsourcer
continuing to provide support as
needed.
incident response responsibilities and
restricting access to sensitive information can limit this. For
example, a contractor may determine
what user ID was used in an incident (e.g., ID 123456) but not
know what person is associated with
the user ID. Employees can then take over the investigation.
Non-disclosure agreements (NDAs) are
one possible option for protecting the disclosure of sensitive
90. information.
-Specific Knowledge. Accurate analysis
and prioritization of incidents are
dependent on specific knowledge of the organization’s
environment. The organization should provide
the outsourcer regularly updated documents that define what
incidents it is concerned about, which
resources are critical, and what the level of response should be
under various sets of circumstances.
The organization should also report all changes and updates
made to its IT infrastructure, network
configuration, and systems. Otherwise, the contractor has to
make a best guess as to how each
incident should be handled, inevitably leading to mishandled
incidents and frustration on both sides.
Lack of organization-specific knowledge can also be a problem
when incident response is not
outsourced if communications are weak among teams or if the
organization simply does not collect
the necessary information.
COMPUTER SECURITY INCIDENT HANDLING GUIDE
16
91. tion. Correlation among multiple data sources
is very important. If the intrusion
detection system records an attempted attack against a web
server, but the outsourcer has no access to
the server’s logs, it may be unable to determine whether the
attack was successful. To be efficient, the
outsourcer will require administrative privileges to critical
systems and security device logs remotely
over a secure channel. This will increase administration costs,
introduce additional access entry
points, and increase the risk of unauthorized disclosure of
sensitive information.
response work often requires a
physical presence at the organization’s facilities. If the
outsourcer is offsite, consider where the
outsourcer is located, how quickly it can have an incident
response team at any facility, and how
much this will cost. Consider onsite visits; perhaps there are
certain facilities or areas where the
outsourcer should not be permitted to work.
-House.
Organizations that completely outsource incident
response should strive to maintain basic incident response skills
in-house. Situations may arise in
which the outsourcer is unavailable, so the organization should
92. be prepared to perform its own
incident handling. The organization’s technical staff must also
be able to understand the significance,
technical implications, and impact of the outsourcer’s
recommendations.
2.4.3 Incident Response Personnel
A single employee, with one or more designated alternates,
should be in charge of incident response. In a
fully outsourced model, this person oversees and evaluates the
outsourcer’s work. All other models
generally have a team manager and one or more deputies who
assumes authority in the absence of the
team manager. The managers typically perform a variety of
tasks, including acting as a liaison with upper
management and other teams and organizations, defusing crisis
situations, and ensuring that the team has
the necessary personnel, resources, and skills. Managers should
be technically adept and have excellent
communication skills, particularly an ability to communicate to
a range of audiences. Managers are
ultimately responsible for ensuring that incident response
activities are performed properly.
In addition to the team manager and deputy, some teams also
have a technical lead—a person with strong
93. technical skills and incident response experience who assumes
oversight of and final responsibility for the
quality of the team’s technical work. The position of technical
lead should not be confused with the
position of incident lead. Larger teams often assign an incident
lead as the primary POC for handling a
specific incident; the incident lead is held accountable for the
incident’s handling. Depending on the size
of the incident response team and the magnitude of the incident,
the incident lead may not actually
perform any actual incident handling, but rather coordinate the
handlers’ activities, gather information
from the handlers, provide incident updates to other groups, and
ensure that the team’s needs are met.
Members of the incident response team should have excellent
technical skills, such as system
administration, network administration, programming, technical
support, or intrusion detection. Every
team member should have good problem solving skills and
critical thinking abilities. It is not necessary
for every team member to be a technical expert—to a large
degree, practical and funding considerations
will dictate this—but having at least one highly proficient
person in each major area of technology (e.g.,
94. commonly attacked operating systems and applications) is a
necessity. It may also be helpful to have
some team members specialize in particular technical areas,
such as network intrusion detection, malware
analysis, or forensics. It is also often helpful to temporarily
bring in technical specialists that aren’t
normally part of the team.
It is important to counteract staff burnout by providing
opportunities for learning and growth. Suggestions
for building and maintaining skills are as follows:
COMPUTER SECURITY INCIDENT HANDLING GUIDE
17
and expand
proficiency in technical areas and security
disciplines, as well as less technical topics such as the legal
aspects of incident response. This should
include sending staff to conferences and encouraging or
otherwise incentivizing participation in
conferences, ensuring the availability of technical references
that promote deeper technical
understanding, and occasionally bringing in outside experts
(e.g., contractors) with deep technical
95. knowledge in needed areas as funding permits.
ve team members opportunities to perform other tasks,
such as creating educational materials,
conducting security awareness workshops, and performing
research.
response team, and participate in
exchanges in which team members temporarily trade places with
others (e.g., network administrators)
to gain new technical skills.
uninterrupted time off work (e.g.,
vacations).
a mentoring program to enable senior technical staff
to help less experienced staff learn
incident handling.
members discuss how they would handle
them. Appendix A contains a set of scenarios and a list of
questions to be used during scenario
discussions.
Incident response team members should have other skills in
addition to technical expertise. Teamwork
skills are of fundamental importance because cooperation and
coordination are necessary for successful
96. incident response. Every team member should also have good
communication skills. Speaking skills are
important because the team will interact with a wide variety of
people, and writing skills are important
when team members are preparing advisories and procedures.
Although not everyone within a team needs
to have strong writing and speaking skills, at least a few people
within every team should possess them so
the team can represent itself well in front of others.
2.4.4 Dependencies within Organizations
It is important to identify other groups within the organization
that may need to participate in incident
handling so that their cooperation can be solicited before it is
needed. Every incident response team relies
on the expertise, judgment, and abilities of others, including:
policy, budget, and staffing. Ultimately,
management is held responsible for coordinating incident
response among various stakeholders,
minimizing damage, and reporting to Congress, OMB, the
General Accounting Office (GAO), and
other parties.
may be needed during certain stages of
97. incident handling (prevention, containment, eradication, and
recovery)—for example, to alter network
security controls (e.g., firewall rulesets).
administrators) not only have the needed
skills to assist but also usually have the best understanding of
the technology they manage on a daily
basis. This understanding can ensure that the appropriate
actions are taken for the affected system,
such as whether to disconnect an attacked system.
COMPUTER SECURITY INCIDENT HANDLING GUIDE
18
response plans, policies, and procedures to
ensure their compliance with law and Federal guidance,
including the right to privacy. In addition, the
guidance of the general counsel or legal department should be
sought if there is reason to believe that
an incident may have legal ramifications, including evidence
collection, prosecution of a suspect, or a
lawsuit, or if there may be a need for a memorandum of
understanding (MOU) or other binding
agreements involving liability limitations for information
98. sharing.
and impact of an incident, a need may
exist to inform the media and, by extension, the public.
n employee is suspected of causing an
incident, the human resources
department may be involved—for example, in assisting with
disciplinary proceedings.
that incident response policies and
procedures and business continuity processes are in sync.
Computer security incidents undermine the
business resilience of an organization. Business continuity
planning professionals should be made
aware of incidents and their impacts so they can fine-tune
business impact assessments, risk
assessments, and continuity of operations plans. Further,
because business continuity planners have
extensive expertise in minimizing operational disruption during
severe circumstances, they may be
valuable in planning responses to certain situations, such as
denial of service (DoS) conditions.
security incidents occur through
breaches of physical security or involve coordinated logical and
physical attacks. The incident
99. response team also may need access to facilities during incident
handling—for example, to acquire a
compromised workstation from a locked office.
2.5 Incident Response Team Services
The main focus of an incident response team is performing
incident response, but it is fairly rare for a
team to perform incident response only. The following are
examples of other services a team might offer:
team often assumes responsibility for
intrusion detection.
17
The team generally benefits because it should be poised to
analyze incidents
more quickly and accurately, based on the knowledge it gains of
intrusion detection technologies.
sue advisories within
the organization regarding new
vulnerabilities and threats.
18
Automated methods should be used whenever appropriate to
disseminate
information; for example, the National Vulnerability Database
(NVD) provides information via XML
and RSS feeds when new vulnerabilities are added to it.
100. 19
Advisories are often most necessary when
new threats are emerging, such as a high-profile social or
political event (e.g., celebrity wedding) that
attackers are likely to leverage in their social engineering. Only
one group within the organization
should distribute computer security advisories to avoid
duplicated effort and conflicting information.
resource multipliers—the more the users
and technical staff know about detecting, reporting, and
responding to incidents, the less drain there
17
See NIST SP 800-94, Guide to Intrusion Detection and
Prevention Systems (IDPS) for more information on IDPS
technologies. It is available at
http://csrc.nist.gov/publications/PubsSPs.html#800-94.
18
Teams should word advisories so that they do not blame any
person or organization for security issues. Teams should meet
with legal advisors to discuss the possible need for a disclaimer
in advisories, stating that the team and organization has no
liability in regard to the accuracy of the advisory. This is most
pertinent when advisories may be sent to contractors,
101. vendors, and other nonemployees who are users of the
organization’s computing resources.
19
http://nvd.nist.gov/
http://csrc.nist.gov/publications/PubsSPs.html#800-94
http://nvd.nist.gov/
COMPUTER SECURITY INCIDENT HANDLING GUIDE
19
should be on the incident response team. This information can
be communicated through many
means: workshops, websites, newsletters, posters, and even
stickers on monitors and laptops.
participate in information sharing groups, such
as ISACs or regional partnerships. Accordingly, incident
response teams often manage the
organization’s incident information sharing efforts, such as
aggregating information related to
incidents and effectively sharing that information with other
organizations, as well as ensuring that
pertinent information is shared within the enterprise.
2.6 Recommendations
102. The key recommendations presented in this section for
organizing a computer security incident handling
capability are summarized below.
Organizations should be prepared to respond
quickly and effectively when computer security defenses are
breached. FISMA requires Federal
agencies to establish incident response capabilities.
Create an incident response policy. The incident response
policy is the foundation of the incident
response program. It defines which events are considered
incidents, establishes the organizational
structure for incident response, defines roles and
responsibilities, and lists the requirements for
reporting incidents, among other items.
response policy. The incident response
plan provides a roadmap for implementing an incident response
program based on the organization’s
policy. The plan indicates both short- and long-term goals for
the program, including metrics for
measuring the program. The incident response plan should also
indicate how often incident handlers
should be trained and the requirements for incident handlers.
103. procedures provide detailed steps for
responding to an incident. The procedures should cover all the
phases of the incident response
process. The procedures should be based on the incident
response policy and plan.
-related
information sharing. The
organization should communicate appropriate incident details
with outside parties, such as the media,
law enforcement agencies, and incident reporting organizations.
The incident response team should
discuss this with the organization’s public affairs office, legal
department, and management to
establish policies and procedures regarding information sharing.
The team should comply with
existing organization policy on interacting with the media and
other outside parties.
organization. Federal civilian
agencies are required to report incidents to US-CERT; other
organizations can contact US-CERT
and/or their ISAC. Reporting is beneficial because US-CERT
and the ISACs use the reported data to
provide information to the reporting parties regarding new
threats and incident trends.
Consider the relevant factors when selecting an incident
104. response team model. Organizations
should carefully weigh the advantages and disadvantages of
each possible team structure model and
staffing model in the context of the organization’s needs and
available resources.
team. The credibility and
proficiency of the team depend to a large extent on the technical
skills and critical thinking abilities of
its members. Critical technical skills include system
administration, network administration,
programming, technical support, and intrusion detection.
Teamwork and communications skills are
COMPUTER SECURITY INCIDENT HANDLING GUIDE
20
also needed for effective incident handling. Necessary training
should be provided to all team
members.
to participate in incident handling.
Every incident response team relies on the expertise, judgment,
and abilities of other teams, including
management, information assurance, IT support, legal, public
affairs, and facilities management.