Level Distinction
UNIT 12 ASSIGNMENT 3
I have been working for a PC repair company as an IT Technician. My manager is branching out into the IT support and management market, providing outsourced IT support to local businesses. I have been asked to put together a support plan for one of the businesses that has signed up for outsourced support. The business I need to put together a support plan for is a start-up company that runs an online business; the online elements are managed by an ISP who are offsite and have demonstrated adequate preparation. The company itself is planning to have between 25 and 30 employees, who will all have desktop PCs, and the senior staff will also have tablet computers connected by Wi-Fi to the company LAN, which will allow users to share data and have access to the Internet. There will need to be 3 monochrome and two colour printers, all of which are shared. The system's internal database is vital to the company's operations and must be available 24 hours a day and 356 days a year.
To start a potential incident response plan, IT support must first understand how to determine what incidents are and how they differ from disasters, which require extra intervention. Incidents are unscheduled events; they can be technical failures as well as physical ones. The main quality that determines whether an issue is an incident is that it causes an inconvenience in using the systems but does not, under any circumstances, stop the services from working. If the services stop working, the event is considered a disaster.
The following diagram shows the way to identify whether an event is an incident or a disaster:

EVENT HAS OCCURRED
  -> WAS THE SYSTEM INTERRUPTED?
       Yes -> Disaster -> Trigger Disaster Recovery Procedure
       No  -> Incident -> Place a ticket -> Wait for the problem to be resolved
Review Two: Shyam Patel
Improvements Made: After a conversation with Shyam, he made me aware that my plan is good; however, it will require a few examples to show the CIRT how to act, because although the six steps I have created are a good way to deal with incidents, it seems quite complicated to get the application of them correct, and it will require a lot of time as well as practice. In addition, all incidents are different, meaning that this guideline has to be shown and implemented via the company's policies and procedures in order to be as effective as I intend it to be.
Incident Response
In order to put an incident response plan into operation, it is preferable that the business has its own Computer Incident Response Team (CIRT) that understands IT and can act on each incident in line with the IRP (Incident Response Plan) below. This is because the incidents and solutions I will provide are basic; there is no way I can predict every incident that may occur within the company environment, as the options are endless. Therefore, I will provide a guideline on how to deal with incidents and a few examples that will ease the application of the plan in the workplace, and on that basis the CIRT should respond to any incident with acceptable efficiency.
A successful IRP contains information that allows a company to reduce the possible damage of an incident, as well as instructions on how to deal with a specific incident. Within a business this sort of plan benefits all the stakeholders, as it lets them know early how intrusive the incident is and how it should be dealt with.
1. Preparation – The first stage within an IRP is preparation. This stage is not just about preparing the IT staff on how to act if an incident occurs; it also includes training the users on how to detect an incident and take appropriate action in reporting it. In addition, this stage can be used as a countermeasure to make an incident less likely to occur in the first place.
2. Identification – The identification stage is about identifying the incident and establishing whether it is serious enough to report to the CIRT, as well as the possible ways of resolving it.
3. Containment – The containment stage is about stopping the threat from spreading. Depending on whether the containment is short-term or long-term, appropriate steps must be undertaken to prevent it from causing any further damage. Short-term containment includes an immediate response such as turning the affected systems off, whereas long-term containment allows the business to keep operating while limiting backdoors that would enable intrusion into the systems from outside the network.
4. Eradication – The eradication stage is about returning the systems to the state they were in before the incident occurred and removing any signs of the incident; this can be performed via a backup. In addition, this stage includes ensuring that the system is resistant to this sort of incident so that it does not occur again.
5. Recovery – The recovery stage is about ensuring that the systems are incident free and safe enough to be brought back into operation.
6. Lessons learned – This stage is post-incident: every step is reviewed, all the documentation is filled out and the cause of the incident is established. The incident is noted down in detail, and the IR Plan is updated so that if this incident were to occur again, the company would be more experienced at dealing with it.
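As an added worked example (not part of the assignment, and not a tool the company or ISP uses), the following Python script turns the incident/disaster diagram and the six IRP stages above into a small ticket tracker a CIRT could start from. It applies the diagram's rule (service interrupted = disaster, otherwise incident and a ticket), forces the six stages to be recorded in order so no stage can be skipped, requires containment to be logged as short-term or long-term, and prints the timeline needed for the lessons-learned stage. The ticket ID, printer fault and handler name in the demo are constructed sample data.

```python
"""Incident lifecycle tracker modelled on the six-stage IRP above (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional, Tuple


class Severity(Enum):
    INCIDENT = "incident"   # systems inconvenienced but still working -> place a ticket
    DISASTER = "disaster"   # service interrupted -> trigger disaster recovery procedure


# The six IRP stages, in the only order the plan allows them to be worked.
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]

CONTAINMENT_KINDS = ("short-term", "long-term")


def triage(service_interrupted: bool) -> Severity:
    """Decision from the flowchart: an interrupted service is a disaster."""
    return Severity.DISASTER if service_interrupted else Severity.INCIDENT


@dataclass
class PhaseRecord:
    phase: str
    handler: str
    notes: str
    at: datetime


@dataclass
class Incident:
    ticket_id: str
    summary: str
    service_interrupted: bool
    history: List[PhaseRecord] = field(default_factory=list)

    @property
    def severity(self) -> Severity:
        return triage(self.service_interrupted)

    def next_phase(self) -> Optional[str]:
        """Stage the CIRT should work on next, or None once lessons are learned."""
        if not self.history:
            return PHASES[0]
        idx = PHASES.index(self.history[-1].phase) + 1
        return PHASES[idx] if idx < len(PHASES) else None

    def is_closed(self) -> bool:
        return self.next_phase() is None

    def allowed(self, phase: str, containment_kind: Optional[str] = None) -> bool:
        """Dry-run check: stages go in order, and containment must be typed."""
        if phase != self.next_phase():
            return False
        if phase == "containment" and containment_kind not in CONTAINMENT_KINDS:
            return False
        return True

    def advance(self, phase: str, handler: str, notes: str,
                containment_kind: Optional[str] = None) -> None:
        """Record the next stage; refuses skipped or out-of-order stages."""
        if not self.allowed(phase, containment_kind):
            raise ValueError(f"{self.ticket_id}: cannot record '{phase}' now "
                             f"(next stage is '{self.next_phase()}')")
        if containment_kind:
            notes = f"[{containment_kind}] {notes}"
        self.history.append(PhaseRecord(phase, handler, notes,
                                        datetime.now(timezone.utc)))

    def report(self) -> str:
        """Timeline for the lessons-learned stage, one line per recorded stage."""
        lines = [f"{self.ticket_id} ({self.severity.value}): {self.summary}"]
        for r in self.history:
            lines.append(f"  {r.at:%Y-%m-%d %H:%M}Z {r.phase:<16} {r.handler:<8} {r.notes}")
        return "\n".join(lines)


def open_event(ticket_id: str, summary: str,
               service_interrupted: bool) -> Tuple[Incident, str]:
    """Apply the flowchart: interrupted service triggers DR, otherwise a ticket is placed."""
    inc = Incident(ticket_id, summary, service_interrupted)
    if inc.severity is Severity.DISASTER:
        # Disaster recovery is a separate procedure; the tracker only flags it.
        return inc, "trigger disaster recovery procedure"
    return inc, "ticket placed; wait for the problem to be resolved"


def demo() -> Tuple[Incident, str]:
    """Constructed walk-through: a shared colour printer fails, database stays up."""
    inc, action = open_event("INC-0001", "Colour printer 2 offline", service_interrupted=False)
    inc.advance("preparation", "cirt", "Printer runbook applies; users reported via helpdesk")
    inc.advance("identification", "cirt", "Print server spooler crashed")
    inc.advance("containment", "cirt", "Queue redirected to printer 1",
                containment_kind="short-term")
    inc.advance("eradication", "cirt", "Spooler restored from last known-good backup")
    inc.advance("recovery", "cirt", "Printer 2 back in service, test page OK")
    inc.advance("lessons_learned", "cirt", "Add spooler monitoring to the runbook")
    return inc, action


if __name__ == "__main__":
    incident, action = demo()
    print(action)
    print(incident.report())
```

The tracker deliberately has no way to jump straight to recovery: the CIRT must log what was contained and how, and whether containment was short-term or long-term, before the eradication and recovery stages can be recorded, which is what the review above asked the plan to make concrete.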