Policy 7230A - Department of Administration
8.2. Maintain Records

8.1.4.2 Analyze Discovered Threats

Once incidents have been detected, analysis is required to determine how the subsequent incident response processes should proceed:

• Investigate discovered precursors and indicators to determine whether a valid threat may occur, is occurring or has occurred.
• Fully document all aspects of the incident and the incident response.
• Prioritize the Agency's response to incidents according to potential impact.
• Notify appropriate individuals within the organization once the threat has been validated and prioritized.

8.1.4.3 Contain Threats to Minimize Loss and Maintain Operations

Once incidents have been understood and the response prioritized, the threat associated with the incident must be contained to prevent impact to other systems and thus minimize overall impact:

• Select a containment strategy appropriate to the incident, the impacted system and the available resources.
• Gather evidence to allow for further investigation, both as the incident progresses and once it is complete, as well as for potential prosecution.
• Where time and resources permit, identify the attacker to help stop the incident and to prepare for potential prosecution.

8.1.4.4 Eradicate Contained Threats and Recover to Normal Operations

After threats have been fully contained, they must be fully removed from impacted systems and those systems must be returned to normal operational status:

• Eradicate all non-evidentiary remnants of the incident.
• Recover affected systems and system components to pre-incident status and return to normal operations.
• Maintain heightened monitoring of the affected system(s) for a period of time after the incident to ensure there are no lingering impacts.

8.1.4.5 Perform Post-Recovery Tasks

When the threats associated with an incident have been verifiably removed from the system, follow-up work must be performed:

• Retain evidence according to predetermined standards.
• Collect lessons learned and prepare a formal incident response report.