Module 9: Incident Response
Identify the choice that best completes the statement or answers the question.
____ 1. Which of the following is not a common type of incident in a SCADA/ICS environment?
a. Unauthorized access to system controls
b. A worm infects a network at a nuclear power plant
c. Vendor goes out of business and can no longer supply critical components
d. Vendor improperly performs a security assessment, resulting in loss of system availability
____ 2. In which phase of NIST SP 800-61 does an organization prioritize its response when multiple incidents or threat actions are in progress?
a. Preparation
b. Detection and Analysis
c. Containment, Eradication, and Recovery
d. Post-Incident Activity
Match each core capability of the National Response Framework with its objective.
A. Planning
B. Public Information and Warning
C. Operational Coordination
D. Critical Transportation
E. Environmental Response/Health and Safety
F. Fatality Management Services
G. Infrastructure Systems
H. Mass Care Services
I. Mass Search and Rescue Operations
J. On-Scene Security and Protection
K. Operational Communications
L. Public and Private Services and Resources
M. Public Health and Medical Services
N. Situational Assessment
____ 3. Ensure the availability of guidance and resources
____ 4. Relay information on threats and hazards
____ 5. Provide life-sustaining services, including food and shelter
____ 6. Provide communications
____ 7. Establish and maintain an operational structure and process
____ 8. Provide decision-makers with information
____ 9. Deliver search and rescue operations
____ 10. Provide transportation for response
____ 11. Provide essential services
____ 12. Engage the community to develop response approaches
____ 13. Provide lifesaving medical treatment
____ 14. Stabilize infrastructure
____ 15. Provide law enforcement and security
____ 16. Provide body recovery and victim identification services
Match the following sections of the ICS Cyber Incident Response Plan with their contents.
A. Overview, Goals, and Objectives
B. Incident Description
C. Incident Detection
D. Incident Notification
E. Incident Analysis
F. Response Actions
G. Communications
H. Forensics
I. Additional Sections
____ 17. Includes media contacts
____ 18. Incident type classification
____ 19. Addresses how an incident is prioritized and escalated
____ 20. Addresses how to evaluate and analyze an incident
____ 21. Covers material not addressed in any of the other sections
____ 22. Discusses business objectives
____ 23. The process for collecting, examining, and analyzing incident data, with an eye to legal action
____ 24. Defines the procedures used for each type of incident
____ 25. Describes how an incident is identified and reported
26. Define incident containment and provide an example of how it would be applied to an incident.
27. Discuss how the response strategy for an incident that originated inside the organization would differ from one that originated outside the organization.
For the answers to these questions, email your name, the name of your college or other institution, and your position there to firstname.lastname@example.org. CyberWatch West will email you a copy of the answer key.