SANS Institute 2003, All Rights Reserved.

Transcription

1 INCIDENT FORM CHECKLIST Form Completed Date Completed Initials 1. Incident Contact List YES NO -Intellectual Property Owner Contacts YES NO -Intellectual Property Owner Local Contacts YES NO -Suspect Local Contacts YES NO -Suspect Contacts YES NO 2. Incident Identification YES NO -General Information YES NO -Intellectual Property Profile Summary YES NO -Detected Items Log YES NO 3. Incident Containment YES NO 4. Incident Eradication YES NO 5. Incident Communication Log YES NO SANS Institute 2003,.

2 INCIDENT CONTACT LIST Intellectual Property (IP) Owner Contacts Corporate Security Officer: Corporate Incident Handling, CIRT, or FIRST Team: Corporate DMCA Agent: CIO or Information Systems Security Manager: Corporate Public Affairs Officer: Corporate Legal Affairs Officer SANS Institute 2003,.

3 INCIDENT CONTACT LIST IP Owner Local Contacts Internet Service Provider Technical Contact: Local FBI or Equivalent Agency: Local Law Enforcement Computer Crime: Local CIRT or FIRST Team: SANS Institute 2003,.

4 INCIDENT CONTACT LIST Suspect s Local Contacts Suspect s Internet Service Provider (ISP) Technical Contact: Suspect s ISP DMCA Agent: Suspect s Local FBI or Equivalent Agency: Suspect s Local Law Enforcement Computer Crime: Suspect s Local CIRT or FIRST Team: SANS Institute 2003,.

5 INCIDENT CONTACT LIST Suspect s Local Contacts Suspect s Web Hosting Technical Contact: Suspect s Web Hosting DMCA Agent: Phone: Alt. Phone: Phone: Alt. Phone: Mobile: Pager: Mobile: Pager: Address: Address: SANS Institute 2003,.

6 INCIDENT CONTACT LIST Suspect Contacts Suspect Individual: Suspect Organization: Suspect Technical Contact: Suspect DMCA Agent: Suspect Legal Contact: SANS Institute 2003,.

7 INCIDENT CONTACT LIST Other Contacts Key Fax: fingerprint = AF19 Alt. Fax: FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 SANS Institute 2003,.

8 INCIDENT IDENTIFICATION Incident Detector s Information: General Information Detector s Signature: Date and Time Detected: Location Incident Detected From: Additional Information: Date Signed: Intellectual Property Profile Summary Type of Intellectual Property (IP) Detected: Total Number of IP Items Detected: Document(s) Audio Application(s) Image(s) Video Additional Information: Other: Root Location of IP Items (URL, etc) on Detected System: How was the Intellectual Property Detected: SANS Institute 2003,.

9 INCIDENT IDENTIFICATION Intellectual Property Profile Detail Detected Items Log IP Item Number: Filename: File Type: Size: Time Stamp: Version: Detected File Location (URL, etc.): Original File Location (URL, etc.): Title: Copyright: Author: Author Publisher: Publish Date: Company: Company Company Address: Company Phone: Fax: Additional Information: IP Item Number: File Type: Size: Filename: Time Stamp: Version: Detected File Location (URL, etc.): Original File Location (URL, etc.): Title: Copyright: Author: Author Publisher: Publish Date: SANS Institute 2003,. Company: Company Company Address: Company Phone: Fax: Additional Information:

10 INCIDENT CONTAINMENT How were the intellectual property items compromised: Are the original files accessible from company resources? YES NO If YES, properly document location(s) on the Incident Identification form. Are the original files secured? YES NO If YES, how and where are these files secured: Have the company systems been reviewed for possible authorized or unauthorized access? YES NO If YES, where is the location of the report or incident handling forms documenting this access: If NO, what was the reason: Have trusted partner systems been reviewed for possible authorized or unauthorized access? YES NO If YES, where is the location of the report or incident handling forms documenting this access: If NO, what was the reason: Are the trusted partner system files secured? YES NO If YES, how and where are these files secured: If NO, what was the reason: List other known authorized and unauthorized mechanisms of file distribution and possible usage or exploitation: SANS Institute 2003,.

11 INCIDENT ERADICATION Names and Contact information of all people performing forensic and investigational duties: Was the vulnerability identified? YES NO If YES, describe: Was the vulnerability eradicated? YES NO If YES, describe: What were the validation procedures used to ensure the problem was eradicated: SANS Institute 2003,.

12 INCIDENT COMMUNICATION LOG Date: Time: am pm Initiator Name: Method (mail, phone, , etc.): Receiver Name: Initiator Title: Initiator Organization: Initiator Contact Info: Receiver Title: Receiver Organization: Receiver Contact Info: Details: Date: Time: am pm Initiator Name: Initiator Title: Method (mail, phone, , etc.): Receiver Name: Receiver Title: Initiator Organization: Receiver Organization: Initiator Contact Info: Receiver Contact Info: Details: Date: Time: am pm Initiator Name: Initiator Title: Initiator Organization: Initiator Contact Info: Method (mail, phone, , etc.): Receiver Name: Receiver Title: Receiver Organization: Receiver Contact Info: SANS Institute 2003,. Details: