ICTSAS524 Develop, implement and evaluate an incident response plan Assessment 2

Subject: Data Analysis and IT

Date: 24th Jun 2025


ICTSAS524 Develop, implement and evaluate an incident response plan

Assessment 2: Project

Assessment Overview

Scenario

Skillage IT was established in 1996 to provide information technology solutions for small to medium-sized businesses. You can learn more about Skillage IT from their website.

You have joined Skillage IT and are working within their ICT department as an ICT Technician. As part of your job role, you are required to back up the system, restore information, secure the system and information, and use licensed software in a stand-alone or client-server environment.

In the previous project, your supervisor Kim asked you to develop an incident response plan.

Project Objectives

The purpose of this assessment is to develop and implement an incident response plan.

The following are the goals and objectives to complete this assessment task:

Prepare to develop an incident response plan.

Identify and document organisational incident response plan requirements.

Identify and document incident response team services according to organisational requirements.

Identify incident response plan structure according to organisational requirements.

Determine and document the alignment of the organisation’s existing incident response plan against identified requirements.

Submit documentation to required personnel, seek and respond to feedback.

Develop the incident response plan.

Develop and document incident management policy according to task requirements.

Create incident response plans according to organisational requirements and security policies and procedures.

Develop incident handling and reporting procedures.

Create incident response exercises, red-teaming activities, staffing and training requirements.

Develop a procedure for collecting and protecting forensic evidence during incident response procedures according to organisational requirements.

Establish and document the incident response plan.

Implement the incident response plan.

Apply response actions to reported security incident according to incident response plan and task requirements.

Assist in collecting, processing, and preserving evidence according to requirements.

Execute incident response plans, red-teaming activities, and incident response exercises.

Document security incident response and actions according to task requirements.

Collect, analyse and report incident management measures according to task requirements.

Evaluate incident response plans.

Assess and document the efficiency and effectiveness of incident response plan activities.

Examine and document the effectiveness of red teaming and incident response tests, training and exercises.

Assess the effectiveness of communication between incident response team and required internal and external organisations.

Determine and document response improvement activities.

Submit documentation to required personnel and obtain final task sign off.

Workplace Option: Alternatively, you can use your workplace environment to complete this assessment:

NOTE: You will be required to submit all supporting resources that are similar or equal to the documents that are used in the Simulated Case Study. Without the submission of these supporting documents and resources, your trainer/assessor may deem your submission Not Yet Satisfactory.

Upskilled complies with all Privacy legislation. All submitted documents are confidential and will not be shared with other organisations or 3rd party vendors.

This is an individual assessment.

To ensure your responses are satisfactory, you should consult a range of learning resources and other information such as textbooks, and learner resources in Canvas, etc.

All questions must be answered to gain competency for this assessment.

This assessment task requires you to complete different assessment activities as per the given scenario.

You must use the given templates while giving the answers.

Your Trainer/Assessor will assess your work according to the given performance criteria/ performance checklist.

If you have any questions about the project or the resources required to complete this assessment contact your Trainer/Assessor.

Your Role and Responsibilities

As part of your job role, you have the following job responsibilities:

Monitors outcomes of decisions, considering results and identifying key concepts and principles that may be adaptable in the future

Interprets, analyses and documents numerical and technical system data

Uses mathematical equations to calculate data for technical reports

Uses listening and questioning techniques to confirm task requirements and relevant information using succinct language

Analyses textual information and data to determine necessary actions

Prepares required workplace documentation detailing processes and outcomes using cohesive language

Uses a variety of relevant communication tools and strategies in building and maintaining effective working relationships

Influences and fosters a collaborative culture facilitating a sense of commitment and workplace cohesion

Understands diversity and seeks to integrate diversity into the work context for managing change, making decisions and achieving shared outcomes

Monitors and reviews the organisation's policies, procedures and adherence to legislative requirements to implement and manage change

Works autonomously, making high-level decisions to achieve and improve organisational goals

Develops and implements strategies that ensure organisational policies, procedures and regulatory requirements are met

Operates from a broad conceptual plan, developing the operational detail in stages, regularly reviewing priorities and performance during implementation, and identifying and addressing issues

Roles and Responsibilities of Participants

Throughout the project, you will be required to communicate with your participants, either face to face or remotely through teleconferencing or the use of social media technologies or applications.

Your friends, family members or fellow students (befriend students in the course discussion forums) will play the part of participants in the variety of roles for each of the activities. All participants need to be (18) eighteen years of age or older. They can be the same people or differing people for each of the activities. The general role your participant will play is to:

Assist you in completing the project on time.

Be active and engaging participants helping to support you to perform at your best.

Participant: Supervisor (Kim)

The supervisor is the individual who supervises you in your job role. They belong to a higher rank or status. Their role and responsibilities are:

Assist you to complete the project on time

Help you to clarify relevant information

Review the incident response plan and provide feedback

Provide final sign off for incident response plan

Assessment requirements

Successful submission of the project means that you submit evidence for all Activities listed below. You are to submit this document and all documents listed in the Assessment Checklist at the end of this document:

Activity 1: Respond to an incident (Written)

Activity 2: Evaluate incident response plans (Written)

Important: You must successfully complete Assessment 2 (ICTSAS524IA_02) before commencing this assessment.

Assessment Activities

Activity 1: Respond to an incident (Written)

Your supervisor Kim has notified you about two (2) incidents. You must implement your incident response plan and respond appropriately to both incidents.

Incident 1: Worm and Distributed Denial of Service (DDoS) Agent Infestation

On Tuesday morning, a staff member in the Sales Team opened a file attached to an email they had received. The attachment contained a worm that infected not only the staff member’s PC but also spread to other PCs in the Sales office. When the worm infects a host, it copies itself to open Windows shares and installs a DDoS agent. The worm had already caused widespread infections by the time antivirus protection became available, several hours after it started to spread.
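As an added illustration (not part of the assessment brief), the Python sketch below shows how an incident response team could sort inventoried hosts into confirmed, suspected, targeted, unseen and clean categories for a worm of this kind, using endpoint telemetry; all hostnames, file names and log lines are constructed, and the "unseen" category covers hosts that are off the network (e.g. staff on leave) and still need checking.

```python
import re
# Constructed endpoint telemetry for the Sales office (not real Skillage IT data).
# Each line: timestamp host event detail
TELEMETRY = r"""
2025-06-24T08:02:11 SALES-PC01 process_start C:\Users\jdoe\AppData\Local\Temp\invoice.pdf.exe
2025-06-24T08:02:40 SALES-PC01 share_write \\SALES-PC02\shared\invoice.pdf.exe
2025-06-24T08:02:41 SALES-PC01 share_write \\SALES-PC03\public\invoice.pdf.exe
2025-06-24T08:03:05 SALES-PC01 service_install ddosagent.exe
2025-06-24T08:05:12 SALES-PC02 process_start C:\shared\invoice.pdf.exe
2025-06-24T08:05:30 SALES-PC02 service_install ddosagent.exe
2025-06-24T08:05:44 SALES-PC02 share_write \\SALES-PC04\public\invoice.pdf.exe
2025-06-24T08:07:00 SALES-PC03 process_start C:\public\invoice.pdf.exe
2025-06-24T09:15:00 SALES-PC04 process_start C:\Windows\notepad.exe
"""
# Hypothetical asset inventory: a host with no telemetry cannot be cleared remotely.
INVENTORY = ["SALES-PC01", "SALES-PC02", "SALES-PC03", "SALES-PC04", "SALES-PC05"]
WORM_FILE, AGENT = "invoice.pdf.exe", "ddosagent.exe"  # constructed worm and agent names
LINE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def triage(telemetry=TELEMETRY, inventory=INVENTORY):
    """Return {host: status}: confirmed (ran the worm and installed the agent or spread
    to shares), suspected (ran the worm, nothing further seen yet), targeted (a worm copy
    landed on its share but was not run), unseen (no telemetry at all), or clean."""
    ran, agent, spread, targeted, seen = set(), set(), set(), set(), set()
    for line in telemetry.strip().splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the triage
        _, host, event, detail = m.groups()
        seen.add(host)
        if event == "process_start" and detail.lower().endswith(WORM_FILE):
            ran.add(host)
        elif event == "service_install" and detail.lower() == AGENT:
            agent.add(host)
        elif event == "share_write" and detail.lower().endswith(WORM_FILE):
            spread.add(host)
            targeted.add(detail.split("\\")[2].upper())  # UNC path \\TARGET\share\file
    result = {}
    for host in inventory:
        if host in ran and (host in agent or host in spread):
            result[host] = "confirmed"
        elif host in ran:
            result[host] = "suspected"
        elif host not in seen:
            result[host] = "unseen"
        elif host in targeted:
            result[host] = "targeted"
        else:
            result[host] = "clean"
    return result
```

The "targeted" and "unseen" hosts are the ones most easily missed in a share-based outbreak, so they belong on the containment list alongside the confirmed infections.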

For this assessment activity, you must complete the following template:

Incident Response – Worm and DDoS Agent Infestation

How would the incident response team identify all the infected hosts (20-50 words)?

 

How should Skillage IT attempt to prevent the worm from entering the organisation (20-50 words)?

 

How would Skillage IT attempt to prevent the worm from being spread by infected hosts (20-50 words)?

 

How would Skillage IT attempt to patch all vulnerable machines (20-50 words)?

 

How will the incident response team keep the organisation’s users informed about the status of the incident (20-50 words)?

 

What additional measures would the incident response team perform for hosts that are not currently connected to the network (e.g., staff on annual leave) (20-50 words)?

 

Explain and provide evidence of the response actions required for this incident according to your incident response plan (50-100 words).

 

Prepare an email responding to and reporting the incident to Kim, your supervisor (50-100 words). Include evidence of your email.

 

Assist in collecting, processing and preserving evidence. Include evidence of what and how information has been collected, processed and preserved (50-100 words).

 

Prepare a response implementation and execution plan (100-200 words).

 

You need to train staff to deal with this type of incident. Provide evidence of executing a red-teaming activity and an incident response exercise for this scenario (50-100 words).

 

Prepare a lessons learned document straight after carrying out the incident response activities (50-100 words).

 

Describe how you collected, analysed and reported the incident management measures (50-100 words).

 

Incident 2: Unauthorised Access to Payroll Records

On Thursday evening, the security team receives a call from a payroll administrator who saw an unknown person leave her office and run from the building. The administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse appears to have been moved. The incident response team has been asked to acquire evidence related to the incident.

For this assessment activity, you must complete the following template:

Incident Response – Unauthorised Access to Payroll Records

How would the incident response team determine what actions have been performed during the incident (20-50 words)?

 

How would the incident be handled differently if the payroll administrator had recognised the person leaving her office as a former payroll department employee (20-50 words)?

 

How would the incident be handled differently if the team had reason to believe that the person was a current employee (20-50 words)?

 

How would the incident be handled differently if the security team determined that the person had used social engineering techniques to gain physical access to the building (20-50 words)?

 

How would the incident be handled differently if logs from the previous week showed an unusually large number of failed remote login attempts using the payroll administrator’s user ID (20-50 words)?

 

How would the incident be handled differently if the incident response team discovered that a keystroke logger was installed on the computer two weeks earlier (20-50 words)?

 

Explain and provide evidence of the response actions required for this incident according to your incident response plan (50-100 words).

 

Prepare an email responding to and reporting the incident to Kim, your supervisor (50-100 words). Include evidence of your email.

 

Assist in collecting, processing and preserving evidence. Include evidence of what and how information has been collected, processed and preserved (50-100 words).

 

Prepare a response implementation and execution plan (100-200 words).

 

You need to train staff to deal with this type of incident. Provide evidence of executing a red-teaming activity and an incident response exercise for this incident (50-100 words).

 

Prepare a “lessons learned” document straight after carrying out the incident response activities (50-100 words).