Incident Response and Learning From Past Incidents Training Module

Security Incidents.

And response.

Next Scene

IHS’s security relies on your watchful eye! This module will describe your role in incident response.

Next Scene

Event or Incident?

A suspicious event is something that MAY violate security or privacy policies, Acceptable Use, or the Rules of Behavior (RoB), or MAY endanger the preservation of PII or PHI.

An incident is a KNOWN or IMMINENT THREAT of a policy violation or an actual breach of PII or PHI.

Your IT staff decides whether it’s an event or incident.

Next Scene

Cyber criminals often try to compromise information systems by infecting them with malware.

Next Scene

What are the signs of a system compromise?

-  Unfamiliar emails in your Sent folder

-  System logs indicating you logged in when you didn’t

-  Websites in your browser history you didn’t visit

-  Unexpected increase in Windows error messages

Next Scene

Other signs include:

-  Your computer continually reboots.

-  Files are corrupted or inaccessible.

-  Unusual graphics or messages are displayed.

-  Programs run unusually slowly or not at all.

-  CPU usage is unusually high for a sustained period.

Next Scene

Man: What am I going to do now!?

Next Scene

If your computer is acting strangely and you suspect it has been compromised…

Stop working on the system immediately!

Contact your local IT staff for guidance, which might include:

-  Do NOT reboot or power down the system.

-  Do NOT log off the system.

-  Do NOT copy files or back up the system.

-  Do lock the machine if possible (screen saver lock).

Next Scene

Make an informal handwritten log of the event.

Include the

-  who

-  what

-  when

-  where

-  why

-  and how of the incident

-  (and any other information you feel may be useful).

Next Scene

Here’s how to report a suspected or actual incident:

When in doubt, REPORT IT! Immediately notify your local IT staff DIRECTLY.

Never use the infected computer to report an attack. Use a separate, unaffected system to report the incident using the online incident reporting form.

Next Scene

Your local IT staff will diagnose and remediate the threat.

Next Scene

Man: You may be required to complete the online incident reporting form (if you haven’t already).

Next Scene

Dear IT Department, I would like to report an incident…

Next Scene

An online Incident Reporting Form can be found at

Next Scene

https://disirf.ihs.gov

Next Scene

Stay aware, and speak up when you see potential trouble. For help with reporting incidents, contact your local IT staff.

-  Security contacts and other resources can be found at: http://security.ihs.gov
