Policy 7230A - Department of Administration
8.1.2. Build an IR Capability
IR planning requires the identification of assets to be protected by the plan,
determination of the strategies applicable to the execution of the plan and the
documentation of the plan itself:
8.1.2.a IR Purpose and Goals<br />
• Decide if IR will focus on monitoring and reporting versus<br />
active response.<br />
• Decide if IR will focus on externally sourced incidents,<br />
internally sourced incidents or both.<br />
8.1.2.b IR Communications<br />
• The following roles should be contacted during IR activities:<br />
o State of Kansas Chief Information Security Officer.
o Senior management of the affected agency.
o Legal and compliance departments of the affected
agency.
o Public relations department of the affected agency.
o System owners for directly affected systems.<br />
o Data owners/custodians for directly affected data.<br />
o System owners for indirectly (upstream or<br />
downstream) affected systems.<br />
o Data owners/custodians for indirectly (upstream or<br />
downstream) affected data.<br />
8.1.2.c IR Supporting Strategies<br />
• Review the results of risk and security assessments.
• Review the results of vulnerability and patch management
operations.
• Review the results of security architecture management
operations.
8.1.2.d IR Tools and Resources<br />
• Monitoring resources may include:<br />
o Intrusion detection systems.<br />
o Network sniffers and traffic analyzers.<br />
o Log aggregation and management systems.<br />
• Analysis resources may include:<br />
o Dedicated portable workstations.<br />
o Forensics analysis software.
o Recordable media.<br />
o Asset and configuration inventories.<br />
• Response resources may include:<br />
o Dedicated communications devices.<br />
o Contact information for all stakeholders.<br />