Using NIST’s SP 800-61 “Computer Security Incident Handling Guide), develop an Incident Response Plan (IRP) that will address one or more of your security risks that you identified in your Risk Assessment. Google and find other actual IRPs on the Internet and review to see what type of information is included. At a minimum, your plan should include the following sections:
· Roles: who will respond to the incident and notification/escalation procedures? Who is responsible for writing the IRP?
· Training: specify a training frequency
· Plan testing: How (and how often) will you test the plan?
· Incidents: What defines an “incident”? Define some security incidents that you may encounter on your network.
· Incident Notification: What happens when an incident is detected?
· Reporting/tracking: How will you report and track incidents? What about capturing “lessons learned”?
· Procedures: Select one of your security risks identified in your Risk Assessment. Prepare procedures for addressing the incident in the event that the incident actually happens. In this section, address the following subsections specific to your risk that you are identifying.
· Detection and Analysis
· Recovery and Post-Incident Activity (see Appendix A)
Note: there are several scenarios in the appendix of the NIST document. You can use, for instance, Scenario 11: Unknown Wireless Access Point to help develop the response procedures for wireless access, as an example. Use any of these to help flesh out your procedures but the procedure you agreed to use must be one that addresses a risk you identified in your Risk Assessment.