Cyber Security Policy Manual
h. Collect forensic evidence including logs, screenshots and images of systems if needed. Ensure that chain of custody is maintained in the event that evidence needs to be presented in a court of law
i. Formulate an action plan to mitigate the incident
j. Communicate the incident and mitigation plan to management team
3) Contain, Eradicate and Recover

Incident type: Malware infection, Ransomware, brute force or denial of service attack
Actions:
- Block the attacker IP address or ports being used
- Shutdown the system or disconnect from the network
- Disable certain system functions
- Block websites that may be used to deliver malware
- Apply security patches
- Replace infected files or restore system from backup
- Rebuild system if infection cannot be removed
- Apply rules to the firewall
- Monitor network traffic

Incident type: Phishing Attack
Actions:
- Block the phishing email from being received by more users
- Block access to the website/IP address
- Remotely remove the phishing email from users' mailboxes
- Notify users through email/IM

Incident type: Social Engineering Attack
Actions:
- Notify users through email/IM

Incident type: Theft or loss of laptop and mobile devices
Actions:
- Remotely wipe the device
- Change user's password
- Notify appropriate government agencies to assist with the investigation if needed – Communications Management team is responsible for engaging appropriate government agencies

Incident type: Theft or disclosure of confidential information
Actions:
- Notify the City Manager's Office (CMO)
- Notify appropriate government agencies to assist with the investigation – Communications Management team is responsible for engaging appropriate government agencies