IncidentResponsev2

Task Provide cyber security improvement recommendations to Mission Partner (MP)

Conditions

Given an IR Team deployed supporting a designated MP in Cyber Incident Recovery.

Standards

Upon moving into the Recovery Phase, the DCO-E should review their documentation and findings (from previous port, network, service, and vulnerability scans) to provide improvement recommendations to the MP. These recommendations may include the following areas:

• Unauthorized Devices
• Unauthorized Software
• Hardware and Software Configurations
• Vulnerability Assessments and Remediation
• Administrative Privileges
• Maintenance, Monitoring, and Analysis of Logs
• Email and Web Browser
• Malware Defense
• Management of Network Ports
• Data Recovery
• Network Device Configurations
• Boundary Defense
• Data Protection
• Need to Know Access
• Wireless Access
• User Account Management
• User Cyber Security Training
• Application Software Security
• Incident Response Management
• Cyber Security Exercises

The IR Team should provide recommendations in a format agreed upon with the supported MP.

End State

IR Team provides written recommendations to the supported MP on improving their cyber security posture (minimum focus on the network defense plan).

Notes

Providing cyber security improvement recommendations begins with solid documentation of vulnerabilities identified upon arriving on site.

Manual Steps

Running Scripts

Dependencies

References

NIST Cyber Security Framework
NIST SP 800-184: Guide to Cyber Event Recovery
US CERT: Cyber Resilience Review Self Assessment Package

Revision History