Integrated Incident Management


The Director of Information Management (DOIM) of your organization is responsible for Information Security (INFOSEC) as it applies to mission and mission support information technology (IT) systems. Increased focus is being placed on Internet-related security as the level and sophistication of malicious attacks grows. As a consequence, the DOIM is developing policies, systems, and staff to respond to this threat. Augmentation of its internal staff is necessary to accomplish these goals. As a result, the DOIM requires expert security consulting services and has selected the Advanced Research Corporation (ARC). ARC is providing similar support to the large enterprise-level organizations, such as XX, YY, ZZ, and AA. The sections below delineate the task requirements for the contractor support as well as an estimated level of resources.


This Statement of Work (SOW) is divided into the following tasks.

Task 1: Integrated Incident Management

Integrated Incident Management (I2M) is a method for providing detection, reaction, prevention, and training concerning network-oriented security incidents. I2M will be implemented by the DOIM as funding permits. The following subtasks will be conducted in support of the I2M initiative.

WE-1: Incident Characterization and Validation: Advanced Research will work with DOIM staff to develop intrusion operating procedures that will identify, characterize, and assess intrusions to prioritize significance and response needs. Contractor will review current intrusion detection programs and recommend improvements where appropriate.

WE-2: Outgoing Intrusion Detection: Advanced Research will review DOIMís current outgoing intrusion (e.g., Marker and Melissa attacks) detection systems and recommend improvements where appropriate. Strategies for rapid response will be developed.

WE-3: Integration with other Enterprise Efforts: Enterprise-wide intrusion detection is managed by the DOIM's security staff. Coordination and collaboration with this activity will be required to quickly resolve and respond to incidents. Advanced Research will provide technical support to the DOIM to achieve this integration

WE-1: IRT Operational Concept: Advanced Research will support the DOIM staff in developing a concept of operations (CONOPS) for the IRT. The CONOPS will define the requirements, interfaces, and duties of the IRT.

WE-2: IRT Plan: Advanced Research will support the DOIM staff in developing the IRT plan which delineate the policies and procedures that will direct the IRT.

WE-3: IRT Checklist: Advanced Research will support the DOIM staff in developing a detailed IRT checklist that will be used to address security incidents. Tools that will be used in the IRT process will be identified under this work element.

WE-1: Security Audits: Advanced Research will support the DOIM staff in performing network and system level security audits using automated tools such as Internet Security Scanner (ISS), Security Auditorís Research Assistant (SARA), System Scanner, and TIGER Analytical Research Assistant (TARA).

WE-2: System Review: Advanced Research will support the hands-on review of UNIX and WINTEL systems to assess and correct security weaknesses. This element may be performed in conjunction with on-going Y2K audits.

WE-3: Risk Assessment and Security Planning: Advanced Research will support the development of system security risk assessments and security plans in accordance with organizational guidance.

Task 2: Security Engineering

Advanced Research will support other initiatives within the DOIMís INFOSEC responsibilities. The following subtasks will be tasked on an "as-required" basis.


Advanced Research will provide quotes through Bob Todd.