Incident Response (IR) / Change Control (CC) Jose L. Orozco.

Transcript of Incident Response (IR) / Change Control (CC) Jose L. Orozco.

Page 1: Incident Response (IR) / Change Control (CC) Jose L. Orozco.

Incident Response (IR) / Change Control (CC)

Jose L. Orozco

Page 2: Incident Response (IR) / Change Control (CC) Jose L. Orozco.

IR / CC

• Three Forms and One Roster
  • Initial Incident Response Notification Form
  • Incident Response Closure Form
  • Change Management Form
  • Change Control Roster

• IR Detection and Determination and Change Control Deadlines
  • Within 2 hours of detection, report the incident using the Initial Incident Response Notification Form
  • Within 1 hour: emergency change control requires all changes to be submitted to the Change Control Manager
  • 15 minutes prior to the Change Control Meeting: submit the Change Management Form for changes that need prior approval
  • Change Control Roster for the rapid change protocol: logged and reported after the fact
  • Once the CSIRT declares the incident resolved and all systems returned to normal, the team must complete the Incident Response Closure Form

• Scoring
  • MAY mitigate up to 50% of the penalties associated with the actions
  • Successful detection, prevention, resolution, and accurate reporting
  • Example:
    • Red Team hack successfully compromises a server, resulting in 200 points lost for the team
    • BUT the team detects the attack, repulses the attacker, recovers control of the system, prevents subsequent attack, and submits both IR forms and the appropriate Change Management Form
    • Team MAY receive up to 100 points back if reported in a timely manner

• Penalties
  • Minor infractions (50 points)
  • Failure to submit emergency change notice (20 points)
  • Failure to specify routine vs. emergency change (125 points)

Page 3: Incident Response (IR) / Change Control (CC) Jose L. Orozco.

CC

• Change Types
  • Change Type 1 - Prior Approval
    • Prior approval of the Change Control Committee (CCC)
    • Fill out the Change Management Form and submit it 15 minutes before the meeting
    • Get approval at the Change Control Meeting
  • Change Type 2 - Emergency Change Notification
    • Change that requires notification to the CCC after the fact of implementation
  • Change Type 3 - Non-Reportable Change
    • Change that does not require any notification to the CCC
  • Change Type 4 - Unknown Change Impacts
    • Change for which it is uncertain whether CCC approval is required
  • Periods of Rapid Change
    • Considered Change Type 3 but require Regional Manager (SECCDC Team Leader) approval

Page 4: Incident Response (IR) / Change Control (CC) Jose L. Orozco.
Page 5: Incident Response (IR) / Change Control (CC) Jose L. Orozco.
Page 6: Incident Response (IR) / Change Control (CC) Jose L. Orozco.

1 hr Time Limit

Page 7: Incident Response (IR) / Change Control (CC) Jose L. Orozco.

Change Control Roster for rapid change protocol—logged and reported after the fact

Group is told by CIO that it is a Period of Rapid Change.

Page 8: Incident Response (IR) / Change Control (CC) Jose L. Orozco.