iim

Integrated Incident Management

INTRODUCTION

The Director of Information Management (DOIM) of your organization is responsible for Information Security (INFOSEC) as it applies to mission and mission support information technology (IT) systems. Increased focus is being placed on Internet-related security as the level and sophistication of malicious attacks grows. As a consequence, the DOIM is developing policies, systems, and staff to respond to this threat. Augmentation of its internal staff is necessary to accomplish these goals. As a result, the DOIM requires expert security consulting services and has selected the Advanced Research Corporation (ARC). ARC is providing similar support to the large enterprise-level organizations, such as XX, YY, ZZ, and AA. The sections below delineate the task requirements for the contractor support as well as an estimated level of resources.

TASK STATEMENT

This Statement of Work (SOW) is divided into the following tasks.

Task 1: Integrated Incident Management

Integrated Incident Management (I²M) is a method for providing detection, reaction, prevention, and training concerning network-oriented security incidents. I²M will be implemented by the DOIM as funding permits. The following subtasks will be conducted in support of the I²M initiative.

Subtask 1: Incident Detection: Your organization intercepts many intrusions from many sources every day. Advanced Research will perform the following work elements (WEs) for this subtask:

WE-1: Incident Characterization and Validation: Advanced Research will work with DOIM staff to develop intrusion operating procedures that will identify, characterize, and assess intrusions to prioritize significance and response needs. Contractor will review current intrusion detection programs and recommend improvements where appropriate.

WE-2: Outgoing Intrusion Detection: Advanced Research will review DOIM’s current outgoing intrusion (e.g., Marker and Melissa attacks) detection systems and recommend improvements where appropriate. Strategies for rapid response will be developed.

WE-3: Integration with other Enterprise Efforts: Enterprise-wide intrusion detection is managed by the DOIM's security staff. Coordination and collaboration with this activity will be required to quickly resolve and respond to incidents. Advanced Research will provide technical support to the DOIM to achieve this integration

Subtask 2: Incident Response: Advanced Research will support the DOIM’s requirement to implement an Incident Response Team (IRT) to support the enterprise-wide Computer Emergency Response Team (CERT) activities. Advanced Research will perform the following work elements under this subtask.

WE-1: IRT Operational Concept: Advanced Research will support the DOIM staff in developing a concept of operations (CONOPS) for the IRT. The CONOPS will define the requirements, interfaces, and duties of the IRT.

WE-2: IRT Plan: Advanced Research will support the DOIM staff in developing the IRT plan which delineate the policies and procedures that will direct the IRT.

WE-3: IRT Checklist: Advanced Research will support the DOIM staff in developing a detailed IRT checklist that will be used to address security incidents. Tools that will be used in the IRT process will be identified under this work element.

Subtask 3: Incident Prevention: The DOIM supports the enterprise in evaluating and hardening computer security. Advanced Research will perform the following work elements under this subtask.

WE-1: Security Audits: Advanced Research will support the DOIM staff in performing network and system level security audits using automated tools such as Internet Security Scanner (ISS), Security Auditor’s Research Assistant (SARA), System Scanner, and TIGER Analytical Research Assistant (TARA).

WE-2: System Review: Advanced Research will support the hands-on review of UNIX and WINTEL systems to assess and correct security weaknesses. This element may be performed in conjunction with on-going Y2K audits.

WE-3: Risk Assessment and Security Planning: Advanced Research will support the development of system security risk assessments and security plans in accordance with organizational guidance.

Subtask 4: Incident Education: The DOIM is tasked to increase the security awareness of the technical management and administrators responsible for critical IT components at the enterprise. Advanced Research will support the DOIM in developing training courses and briefings directed to technical management and UNIX/WINTEL administrators. Where appropriate, computer based training (CBT) will be explored.

Task 2: Security Engineering

Advanced Research will support other initiatives within the DOIM’s INFOSEC responsibilities. The following subtasks will be tasked on an "as-required" basis.

Subtask 1: Security Architecture Support: Advanced Research will review the enterprise's current INFOSEC environment, track planned enhancements, and recommend remedial or augmenting services.

Subtask 2: Product Review and Prototyping: Advanced Research will be tasked to review specific security related products in terms of (1) satisfying mission needs, (2) ease of integration, and (3) cost/benefit.

Subtask 3: Ad Hoc Support: Advanced Research will be required to provide senior security IT engineers to support the DOIM’s initiatives in INFOSEC as needed.

RESOURCE ESTIMATE

Advanced Research will provide quotes through Bob Todd.