Unit 3: Incident Response
|UNIT TITLE||Lead cyber security incident response|
This unit develops the skills and knowledge required to lead a team in the response to a cyber security incident and take responsibility for planning, detecting and investigating security incidents and managing response.
It applies to individuals, employed or contractors who are working in positions of authority and are approved to implement change within a department or across the organisation. They have responsibility for directly supervising others.
No occupational licensing, certification or specific legislative requirements apply to this unit at the time of publication.
|Elements describe the essential outcomes of the unit||Performance criteria describe the performance needed to demonstrate achievement of the element.|
|1. Plan for security incident||
1.1 Establish, define and maintain an organisational definition of information security incidents to allow accurate identification of and response to incidents
1.2 Establish incident detection and response objectives and requirements with senior management or client
1.3 Establish human, technological and equipment resource requirements to detect and respond to security incidents
1.4 Develop incident response policies, procedures, manuals and supporting documents
1.5 Define roles and responsibilities of team members and external providers
1.6 Identify and prioritise critical infrastructure and data assets
1.7 Determine and document incident thresholds
1.8 Obtain required resources to prepare for an incident
|2. Detect and investigate security incidents||
2.1 Build, deploy and test security detection tools to alert team members of critical security events
2.2 Triage security events to identify potential incidents
2.3 Conduct computer forensic investigation to confirm the extent of security incidents
2.4 Review investigation findings and propose potential consequences of security incidents
2.5 Document methods of compromise employed by the attacker
2.6 Lead team and monitor completion of allocated tasks and adherence to procedures
|3. Plan response to incidents||
3.1 Prepare a report detailing incidents and recommended solutions
3.2 Conduct an impact assessment against the report findings, analyse the assessment results and make adjustments to minimise risks
3.3 Consult senior management or client and obtain approval to implement preferred solutions
3.4 Develop an action plan to execute agreed solutions and seek approval for implementation
|4. Respond to a computer intrusion||
4.1 Communicate roles and responsibilities with team members
4.2 Isolate or monitor intrusion points, as documented in the action plan to prevent future attacks
4.3 Recover systems, data and connectivity to resume business operations
4.4 Oversee implementation of action plan and achievement of tasks within defined timeframes
4.5 Monitor effectiveness of action plan and adjust to ensure achievement of planed objectives
4.6 Review effectiveness of actions implemented and document findings, detailing recommendations to reduce likelihood of future incidents
Foundation skills essential to performance are explicit in the performance criteria of this unit of competency
|UNIT MAPPING INFORMATION||No equivalent Unit|
|TITLE||Assessment Requirements for CYBLCS003 Lead cyber security incident response|
Evidence of the ability to complete tasks outlined in elements and performance criteria of this unit in the context of the job role, and:
The learner must be able to demonstrate essential knowledge required to effectively do the task outlined in elements and performance criteria of this unit, manage the task and manage contingencies in the context of the work role.
This includes knowledge of:
Assessment may be in the form of:
Both practical skills and knowledge must be assessed.
No specialist vocational competency requirements for Assessors apply to this unit.