Assignment Purpose: To support all incident response phases, research and create an Incident Response (IR) Checklist “Form”. The form should cover the planning, detection, analysis, containment, eradication, recovery, and post-incident activity phases of IR, and should support future planning activities. What questions should you ask, and what information should you collect, during an incident across all the incident response phases?
Ensure the IR Form meets these characteristics:
• Save the assignment in Word or Excel format (first_lastname_A1.doc or .xlsx) and submit it to the Dropbox on the INFA 720 D2L course site.
• Use the same font type and size throughout (heading and body font sizes can differ).
• The IR Checklist “Form” should be attractive, intuitive, and easy to follow in sequence: something you would submit to your employer, manager, director, CEO, or a Board of Directors.
• A tabular form layout is required.
• In addition to your own research, review the NIST IR process in NIST SP 800-61 Rev. 2 (https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final); it should aid you in the design of your form.
o TIP: Use “Google Dorks” to research examples, e.g. (“incident response” OR “ir” OR “cyber incident response”) AND (“checklist” OR “form” OR “cheat sheet”) AND (“cyber” OR “cybersecurity” OR “information security” OR “itsec”) -“plan”
• Note: If you already have an IR form that you use at work or created for another class, this is a good time to review it and revise it based on your research.
• See the example screenshot of the beginning of an IR form at the end of the assignment document.
• Provide at least 10 references you used to build the IR Checklist form. These can include online resources; academic papers; industry blogs, posters, checklists, and papers; textbooks; and class PowerPoint presentations.
Form attributes must contain, at a minimum, all of the following, but more is expected:
• Incident Number
• Date and Time Response Started
• Brief Summary/Synopsis of Incident
• Relevant Contact Information
o Responder
o Individual Reporting the Incident
o Other relevant contact info
• Escalation and Notification Contact Information
o Supervisor
o Management
• Physical or logical location of the incident
o If theft – Police report ID?
• Information on compromised systems (maybe a good table)
o IP address
o Computer Name
o OS
o Additional info on software
o Did it contain PII?
• Type of Incident (Maybe a good checklist)
o Malware
Malware type (trojan, backdoor, ransomware, worm, …)
o DDoS
o Web Application Attack
o And other common types of attacks
• If malicious code (maybe a good table again)
o Name(s) of the malware (vendors such as Symantec, Trend, … each assign their own name)
o URL and IP information specific to the malware
o Malware impact characteristics
o Actions taken (system taken offline, scanned, cleaned, reimaged, analyzed, submitted to vendor for further analysis)
• Number of compromised systems: ranges: 1 to 50; 50 to 100; 100 to 1000; More than 1000
• Timeline of IR activities
o Date
o Time
o Details
• Analysis
o Impact on IT services
o IT’s response to the Incident.
o Next Steps
o Changes made.
o Current state of the incident (active, open, closed)
• Chain of Custody
• Communications record (phone calls, emails, texts, etc.): date, time, and description.
o This can be included in the timeline of IR activities, but it is sometimes nice to have it separate.
• Lessons Learned Summary
o Lessons learned.
o Actions submitted to the backlog to be worked.
• Revision table: date revised, who revised it, and revision description.
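As an added example (not part of the assignment or of any course material), a Python sketch of the form's data model built from the attribute list above: it buckets the compromised-system count into the checklist's ranges, keeps the IR activity timeline in chronological order, flags PII, and refuses to mark an incident closed while required attributes or the lessons-learned entry are blank. Field names, the range boundaries, and the sample incident data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

def compromised_range(count: int) -> str:
    # Bucket a system count into the checklist ranges; placing 50 in the first bucket is an assumption
    if count < 1: raise ValueError("count must be at least 1")
    for upper, label in ((50, "1 to 50"), (100, "50 to 100"), (1000, "100 to 1000")):
        if count <= upper:
            return label
    return "More than 1000"

@dataclass
class CompromisedSystem:  # one row of the compromised-systems table
    ip: str
    hostname: str
    contains_pii: bool = False

@dataclass
class IncidentRecord:  # the form itself; field names follow the attribute list above (assumed)
    incident_number: str
    response_started: datetime
    summary: str = ""
    responder: str = ""
    location: str = ""
    incident_types: list = field(default_factory=list)  # e.g. "malware", "ddos", "web application attack"
    systems: list = field(default_factory=list)
    timeline: list = field(default_factory=list)  # (datetime, details) pairs
    lessons_learned: list = field(default_factory=list)
    state: str = "open"  # active, open or closed
    def add_event(self, when: datetime, details: str) -> None:
        self.timeline.append((when, details))
        self.timeline.sort(key=lambda e: e[0])  # chronological regardless of entry order
    def involves_pii(self) -> bool:
        return any(s.contains_pii for s in self.systems)  # one PII system changes notification duties
    def missing_fields(self) -> list:
        required = {"summary": self.summary, "responder": self.responder, "location": self.location,
                    "incident_types": self.incident_types, "systems": self.systems}
        return [name for name, value in required.items() if not value]
    def close(self, when: datetime) -> None:  # refuse to close an incomplete form or one with no lesson learned
        gaps = self.missing_fields() + ([] if self.lessons_learned else ["lessons_learned"])
        if gaps:
            raise ValueError("cannot close incident, missing: " + ", ".join(gaps))
        self.state = "closed"
        self.add_event(when, "incident closed")

def sample_record() -> IncidentRecord:  # constructed sample data, not a real incident
    rec = IncidentRecord("IR-2024-001", datetime(2024, 3, 1, 9, 0), summary="Ransomware on file server",
                         responder="On-call analyst", location="Building A, server room",
                         incident_types=["malware"], systems=[CompromisedSystem("10.0.0.5", "FS01", contains_pii=True)])
    rec.add_event(datetime(2024, 3, 1, 10, 30), "host isolated from network")
    rec.add_event(datetime(2024, 3, 1, 9, 15), "alert triaged")  # entered late, sorted into place
    return rec
```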
Make this your own work; do not cut and paste an IR form found on the Internet as your assignment. It is OK to use forms you find as guides, just don’t copy them in their entirety. Be creative. If you have any questions, comments, or concerns about the assignment, please let me know.