
VIIR-1 Incident Response Planning


An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2 and CJCS Instruction 6510.01D, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least annually.

MAC / CONF: MACIII
Impact: Medium
Subject Area: Vulnerability and Incident Management


1. Computer network attack.
2. Denial/degradation of service, including distributed denial of service.
3. Unauthorized disclosure of non-public information (compromise of confidentiality).
4. Unauthorized modification to and/or destruction of data (compromise of integrity, availability).
5. Malicious code (viruses, worms, Trojan horses, unauthorized mobile code).
6. Insider threats (privilege escalation; unauthorized viewing, copying, printing, e-mailing, modification).
7. Plan must be exercised to ensure appropriateness and completeness of actions; training and readiness of personnel to recognize, respond to, contain/limit damage from, recover from and report incidents.

1. An Incident Response Plan exists that covers foreseeable categories of incidents.
2. The general Incident Response Plan is supplemented by specific Tactics, Techniques and Procedures (TTPs), as needed.
3. Plan, TTPs and reporting procedures are in accordance with CJCSM 6510.01 CH-1 Enclosure B Appendix B and NSTISSD No. 503.
4. Plan, TTPs and reporting procedures include evaluation of and recommended change to INFOCON if the specific situation warrants.
5. An Incident Response Team is identified by billet and/or by name.
6. Personnel are assigned in writing to the Incident Response Team.
7. Assigned personnel have received necessary training and/or certifications.
8. Command has established or subscribes to a certified Computer Network Defense Service Provider (CNDSP).
9. Procedures include keeping Incident Response Team personnel aware of DOD Computer Network Defense situation including INFOCON, recent IAV Alerts & Bulletins, and Attack Sensing & Warning in accordance with DODI O-8530.2 Enclosures (3) and (4).
10. The Plan includes internal and external notification requirements, including public affairs and law enforcement notification where appropriate.
11. User and system administrator training includes recognition of possible incidents and actions to notify the Incident Response Team.
12. Incident Response Plan procedures preserve forensic evidence and chain-of-custody.
13. The Plan is exercised at least annually.
14. Command critiques exercises, develops Lessons Learned, identifies and implements corrective actions derived from exercises.


  • DoDI O-8530.2, Support to Computer Network Defense, 09 March 2001
  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • CJCSM 6510.01 (Change 1, 10 Aug 2004), Enclosure B, Appendix B