Computer Network Security | Instant Homework Help

(#1) In 1987, Denning wrote that the development of a real-time intrusion-detection system is motivated by four factors: 1) most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for technical and economic reasons; 2) existing systems with known flaws are not easily replaced by systems that are more secure, mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons; 3) developing systems that are absolutely secure is extremely difficult, if not generally impossible; and 4) even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.

Are these factors still relevant today? Are there any new factors that motivate the development of real-time intrusion-detection systems? Justify your answer. [50 pts] The article is included as a .PDF for reference and use.

(#2) In your own words, explain the concept of Network Security Monitoring (NSM). Provide five (5) recommendations made in the text for proper management of NSM devices (servers and sensors), to keep the NSM data secure and protect those systems from attacks. [50 pts]

Short quotes can be used as needed. Cite any references used, in APA format. Both essay answers must be included in a single document. Clearly identify each question, and start question #2 at the top of a new page (not immediately following question #1).


Disaster Recovery Management | Instant Homework Help

Assignment 1: Continuity Planning Overview
Due Week 2 and worth 75 points

Suppose you were recently hired for a new initiative as a business continuity lead / manager at a medium-sized healthcare company. You have been asked to prepare a presentation to the Board of Directors on your main duties for the company and how your position could help protect the business in case of a large-scale incident or disaster. You have been alerted that since this is a new initiative and could come with a potentially large price tag, there is skepticism from some of the Board members.

Write a three to four (3-4) page paper in which you:
1. Explain the basic primary tasks, ongoing evaluations, and major policy and procedural changes that would be needed to perform as the BC lead / manager.
2. Provide insight on how to plan the presentation to garner management and Board buy-in for those who are skeptical.
3. Discuss the first four (4) high-level activities that would be necessary in starting this initiative in the right direction and describe the potential pitfalls of each.
4. Speculate on the most comprehensive and / or critical challenge(s) in the infancy of this initiative and explain how to overcome that challenge(s).
5. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.


Balanced Scorecard approach | Instant Homework Help

Be sure to (1) address at least one hypothetical goal, measure and target for each of the four perspectives (financial, customers, etc.) in tabular format and (2) draw or sketch out a dashboard for your scorecard. Include a brief narrative (at least two sentences) explaining your specific scorecard as it relates to the organization. You might want to review the below video first.


Advantages of Electronic and Mobile Commerce | Instant Homework Help

Please read, consider, and answer the following questions:

Chapter 7: 3 – Identify and briefly discuss five advantages of electronic and mobile commerce.

Chapter 7: 5 – Identify and briefly discuss three key challenges that an organization faces in creating a successful e-commerce operation. What steps can an organization take to overcome these barriers?

Chapter 8: 3 – Assume that you are the owner of a small bicycle sales and repair shop serving hundreds of customers in your area. Identify the kinds of customer information you would like your firm’s CRM system to capture. How might this information be used to provide better service or increase revenue? Identify where or how you might capture this data.

Chapter 8: 9 – What benefits should the suppliers and customers of a firm that has successfully implemented an ERP system expect to see? How might an ERP implementation affect an organization’s suppliers?

Please add the questions in.


Pharmaceutical Firm | Instant Homework Help

Discussion Question: At a pharmaceutical firm, researchers are assigned to clusters of diseases (mental health conditions, autoimmune diseases, neurological diseases) rather than to a specific drug research project. What might be some of the benefits of organizing the firm’s research efforts in this manner? (consult p. 54–55 of Project Management Textbook)

Response parameters:
• Initial posts should be 200 words minimum
• Initial posts should include at least two peer-reviewed article/journal/book as a citation (not including the course textbook)
• Use APA formatting to cite all of your sources: https://owl.purdue.edu/owl/research_and_citation/apa_style/apa_formatting_and_style_guide/general_format.html
• You can access the databases of peer-reviewed journals here: https://libguides.lib.fit.edu/business and https://libguides.lib.fit.edu/InformationTechnology


SAS Program | Instant Homework Help

You are required to:

a) Write a SAS program to input the supplied spreadsheet data containing student attendance and module marks. Copies of the spreadsheets can be found in Blackboard in the Coursework folder of Teaching Material. You will find there is a spreadsheet listing student details and, for each of 4 modules, there are several spreadsheets containing attendance data and one spreadsheet (total 4) containing student marks. Create one SAS data set for all the attendance data and one SAS data set for all the student marks. Refer to task 2 to see what data is required.

b) The data are required by different people within the organisation. Create SAS output (i.e. reports) for each of the following individuals. You will need to decide on the information to be included in the report(s) to meet the needs of each type of user.

a. The Year manager. The year manager has responsibility for individual student welfare and progression. The year tutor needs to be aware of students who are missing classes. This could be consistently missing the same class and/or students missing for more than one week from all classes. Attendance below 70% on a module is considered problematic. The year tutor requires a list of students who are missing classes each week as the registers are created.

b. The course leader. The course leader has overall responsibility for a course and its delivery and will require summary statistics on individual modules (attendance and student marks) and individual students (attendance and marks), as well as being responsible for calculating the overall mark for each student’s average mark.

c. The Department head. The department head has responsibility for monitoring the student experience and the courses offered. This individual will need to carry out more specific analysis. For example: a) to identify modules and students which have above and below average attendance/results, b) to identify associations between achievement and attendance, c) to identify associations between results and student demographics, d) to identify associations between attendance and student demographics.

They will also be responsible for setting the policies used by the department, for example: a) setting an attendance level below which some type of action is required by the year manager (currently 70%). Would a different attendance level help meet the university objective of 50% of students achieving an overall average of 60% over their module marks? b) identifying when modules are too easy or too hard, c) identifying when a module has poor attendance.

They will also be involved in making strategic decisions such as: a) Is attendance monitoring worthwhile? b) Should students who achieve 39% in a module be automatically rounded up to 40%? c) Should an overall attendance level be set? Failure to achieve the level of attendance will result in failing a course overall. Example rules could be:
• if students attend below 70% in each module, they fail the attendance requirement
• if students have an average attendance for all modules below 70%, they fail the attendance requirement
How many students would be removed from the course with each of these policies?

Present your findings in a report, which should state how your SAS reports meet the needs of the specific user types and should include the SAS reports to prove your case. You should also place all your SAS programs in the appendix.


Frameworks For Managing Data Analytic Projects | Instant Homework Help

Write a three-section paper, plus an introduction, conclusion, and reference section, on using various frameworks for managing data analytic projects given a particular point of view. Each section will address the needs and recommendations for a particular viewpoint. The points of view are from that of 1) data analytics professionals (i.e. those doing the work), 2) business managers (who may be ignorant of how to do data analytics), and 3) customers (whose needs can be unique). Express the business and project needs of each and how different data analytic project frameworks and/or processes work to fulfill each need. In particular, address the following:
• The project and business needs of each viewpoint (up to 5 for each)
• The pros and cons of different frameworks and/or processes for each need
• The trade-offs between the different recommendations made
• Variations in recommendations based on project characteristics (i.e. consider how different project characteristics (goals, size, etc.) affect recommendations)

The Conclusion section should summarize, as well as compare and contrast, the recommendations.

Examples of business and project needs (no particular order or grouping) are: user involvement, transparency, aspects of communication, data security, data privacy, work accommodations, participation facilitation, dispersed workgroups, cultural differences, regulations, competition, budgetary constraints, and operational issues. This list is not definitive nor exhaustive. The needs you present may or may not include any of these. These are given in support of your consideration. The business and project needs you define for each viewpoint (up to 5 for each) should be well articulated and possibly defined.

Quality is of paramount importance for this final paper. Graduate level grammar is expected. Use 12-point Times New Roman; spacing should be 1.5; default, normal margins.

Grading: 100 points total. Grammar: 10%. Organization and format: 15%. Articulation and definition of project and business needs: 25%. Recommendation justifications and arguments: 50%. SafeAssign will be used to check for plagiarism. Deductions will be made for plagiarism up to the full grade of the paper.

Resources: Please incorporate only resources that pertain to data analytics and the topic of the paper.


Security Threats | Instant Homework Help

Answer each of the questions with a paragraph or more. Sources are not required for each question, but a total of four are required.
1. List at least five security threats specific to VoIP. Give a brief description and possible scenario.
2. List at least 10 vulnerabilities in VoIP. Briefly describe each of the listed vulnerabilities, along with a possible recommendation for a countermeasure.
3. Explain the end-to-end process of how VoIP works.
4. Go back to problem 3 and list possible vulnerabilities in each step of the process.
5. In problem 4, list what would be the most risky vulnerability, with the most possible damage.
6. In problem 5, list how you would create a plan to mitigate possible damages and have services running smoothly and securely.


BPM Project | Instant Homework Help

Note: Treasure Star Group (TS Group) case study will be a consistent reference throughout this course.

The Treasure Star Group, or TS Group, manufactures and distributes food and household products. From its Hong Kong headquarters, the TS Group markets many popular brands of edible oil and home cleaning products. The TS Group has several subsidiary manufacturing and sales operations in China, where it has the largest foreign-owned flour processing business in the country. When you read the case study, note how the TS Group implemented an Enterprise Resource Planning (ERP) system. Although the TS Group performed many of the strategy phase activities, they did not study the impact of the ERP system on their processes, nor did they identify all of the stakeholders. Your discussion this week will focus on these omissions.

To prepare, read the entire TS Group case study, found in the Lee & Lau article in this week’s Learning Resources.

Post by Day 3 an analysis of how one of the omissions helped lead to some part of the project’s outcome.

Respond by Day 7 to two or more of your colleagues’ postings in one or more of the following ways:
• Ask a probing question.
• Share an insight from having read your colleague’s posting.
• Offer and support an opinion.
• Validate an idea with your own experience.
• Make a suggestion.
• Expand on your colleague’s posting.

Return to this Discussion in a few days to read the responses to your initial posting. Note what you have learned and/or any insights you have gained as a result of the comments your colleagues made. See below.

Reading Resources
• Jeston, J. (2018). Business process management: Practical guidelines to successful implementations (4th ed.). New York, NY: Routledge. Chapter 11, “7FE Framework Overview” (pp. 100–119); Chapter 12, “Guidelines on How to Use the 7FE Framework” (pp. 122–134); Chapter 13, “Foundations Phase” (pp. 136–190)
• Lee, J. C. Y., & Lau, R. S. M. (2005). ERP implementation project at TS Group. Asian Case Research Journal, 9(2), 263–282. Retrieved from the Walden Library database.
• Sethuraman, K., & Tirupati, D. (2004). Diecraft Australia. Asian Case Research Journal, 8(2), 187–213. Retrieved from the Walden Library database.


Incident Response Report | Instant Homework Help

Project #1: Incident Response Report
Your Task
You have been assigned to assist with After Action Reporting in support of the Sifers-Grayson Blue Team. Your immediate task is to assist in analyzing and reporting on a Red Team penetration test described later in this document. As part of that report, you will identify weaknesses and vulnerabilities exploited by the attackers (the Red Team), compile a set of lessons learned, and then make recommendations for actions the company should take to close the gaps in their cybersecurity posture (at a minimum, you must address the identified vulnerabilities and weaknesses that were exploited by the Red Team). The Blue Team has provided you with a set of enterprise architecture diagrams (see figures 1-4 in this file) to help with your analysis of the incident and preparation of the summary report. You should also use the readings from Weeks 1-4 to help you identify security gaps and incident response capabilities which the company needs to implement.
Background
Sifers-Grayson is a family-owned business headquartered in Grayson County, Kentucky, USA. The company’s physical address is 1555 Pine Knob Trail, Pine Knob, KY 42721. The president of the company is Ira John Sifers, III. He is the great-grandson of one of the company’s founders and is also the head of the engineering department. The chief operating officer is Michael Coles, Jr., who is Ira John’s great nephew. Mary Beth Sifers is the chief financial officer and also serves as the head of personnel for the company.

Recent contracts with the Departments of Defense and Homeland Security have imposed additional security requirements upon the company and its R&D DevOps and SCADA labs operations. The company is now required to comply with NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The company must also comply with provisions of the Defense Federal Acquisition Regulations (DFARS) including section 252-204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. These requirements are designed to ensure that sensitive technical information, provided by the federal government and stored on computer systems in the Sifers-Grayson R&D DevOps and SCADA labs, is protected from unauthorized disclosure. This information includes software designs and source code. The contract requirements also mandate that Sifers-Grayson report cyber incidents to the federal government in a timely manner.
The company has agreed to allow an external Red Team to conduct penetration testing of its operations to help ensure that it is able to meet the government’s requirements for cybersecurity and the protection of government owned sensitive but unclassified information. The company has also assigned personnel to conduct After Action Reviews of the penetration testing. You
Company Operations
Engineering Department
The Engineering Department is housed in the company’s R&D center with a satellite facility at the test range. The desktop and laptop computers are a mixed bag of hardware (multiple manufacturers) running Windows 8.1, Windows 10, and variants of Apple’s OSX and iOS. The support for these computers and the internal networks is provided by the junior engineers assigned to one or more of the department’s development teams. The Engineering Department’s philosophy is that all of the company’s engineers should be trained and capable of providing support for any and all hardware, software, and networks used by the department. This training is provided through on-the-job experiences and mentoring by more senior engineers. When a problem arises, the department head or one of the lab supervisors assigns an engineer to find and fix the problem.
Engineering Department: SCADA Lab
The SCADA lab was originally set up in 1974. It has been upgraded and rehabbed several times since then. The most recent hardware and software upgrades were completed three years ago after the lab was hit with a ransomware attack that exploited several Windows XP vulnerabilities. At that time, the engineering and design workstations were upgraded to Windows 8.1 Professional. A second successful ransomware attack occurred three months ago. The company paid the ransom in both cases because the lab did not have file backups that it could use to recover the damaged files (in the first case) and did not have system backups that it could use to rebuild the system hard drives (in the second case).
The SCADA Lab is locked into using Windows 8.1. The planned transition to Windows 10 is on indefinite hold due to technical problems encountered during previous attempts to modify required software applications to work under the new version of the operating system. This means that an incident response and recovery capability for the lab must support the Windows 8.1 operating system and its utilities.
Engineering Department: R&D DevOps Lab
The R&D DevOps Lab was built in 2010 and is used to develop, integrate, test, support, and maintain software and firmware (software embedded in chips) for the company’s robots, drones, and non-SCADA industrial control systems product lines. The workstations in this lab are running Windows 10 and are configured to receive security updates per Microsoft’s monthly schedule.

Data Center & Enterprise IT Operations
The company uses a combination of Windows 10 workstations and laptops as the foundation of its enterprise IT capabilities. The servers in the data center and the engineering R&D center are built upon Windows Server 2012. A firewall was installed to protect the Data Center from network attacks but, as you can see in Figure 2, the placement of the firewall on the corporate network provides no protection for the Data Center. An external attacker could use the network path through the R&D center’s networks to reach the Data Center.
Contractual & Regulatory Requirements
• Newly won government contracts now require compliance with DFARS §252.204-7008, 7009, and 7012
• Derivative requirements include:
– Implementation of and compliance with NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
– Compliance with DFARS 252.239-7009 Representation of Use of Cloud Computing and 7010 Cloud Computing Services (see 
• Additional Contractual Requirements for Lab Operations include:
– Incident Response per NIST SP 800-61 (Computer Security Incident Handling Guide)
– SCADA Security per NIST SP 800-82 (Guide to Industrial Control Systems Security)
– Software / Systems Development Lifecycle (SDLC) Security per NIST SP 800-64 (Security Considerations in the System Development Life Cycle)
– Configuration Management per NIST SP 800-128 (Guide for Security-Focused Configuration Management of Information Systems)
Red Team Penetration Testing
Sifers-Grayson hired a cybersecurity consulting firm to help it meet the security requirements of a contract with a federal agency. The consulting firm’s Red Team conducted a penetration test and was able to gain access to the engineering center’s R&D servers by hacking into the enterprise network through an unprotected network connection (see figure 2). The Red Team proceeded to exfiltrate files from those servers and managed to steal 100% of the design documents and source code for the AX10 Drone System. The Red Team also reported that it had stolen passwords for 20% of the employee logins using keylogging software installed on USB keys that were left on the lunch table in the headquarters building employee lounge (see Figure 3). The Red Team also noted that the Sifers-Grayson employees were quite friendly and talkative as they opened the RFID controlled doors for the “new folks” on the engineering staff (who were actually Red Teamers).
The Red Team continued its efforts to penetrate the enterprise and used a stolen login to install malware over the network onto a workstation connected to a PROM burner in the R&D DevOps lab (See Figure 3). This malware made its way onto a PROM that was then installed in an AX10-a test vehicle undergoing flight trials at the Sifers-Grayson test range (See Figures 1 and 4). The malware “phoned home” to the Red Team over a cellular connection to the R&D center. The Red Team took control of the test vehicle and flew it from the test range to a safe landing in the parking lot at Sifers-Grayson headquarters.
The Red Team used three stolen logins to send phishing emails to employees. These phishing emails appeared to come from coworkers (employees of the company) and contained a link to one of three videos. Each video was linked to a server that tracked the email address and IP address of the computer used to access the video. The Red Team reported that over 80% of the recipients clicked on the video link for cute kittens or cute cats. Twenty percent (20%) of the recipients clicked on the video link for a business news story. A video link to a sports event wrap-up for the Kentucky Volunteers basketball team had a click-through rate of over 95%. All three videos displayed a “Page Not Found (404 Error)” message from the target server. The Red Team did not put a tracking beacon in the emails to track forwarding of the phishing emails. But, the team reported that the target server collected email addresses and IP addresses for over 1500 external recipients within 24 hours of the original mailing; at that point, the target server was shut down.
After completing their penetration tests, the Red Team provided Sifers-Grayson executives with a diagram showing their analysis of the threat environment and potential weaknesses in the company’s security posture for the R&D DevOps Lab (see figure 5).

Incident Response During the Penetration Test
Sifers-Grayson has limited Incident Handling and Response capabilities in place. The company’s Chief Operating Officer has a small IT team (team lead and two support specialists) that focuses primarily on the IT needs of headquarters personnel. Their duties include staffing the help desk phone line and handling any incidents that affect availability of company owned IT equipment and networks. The single firewall for the company falls under this team’s management and control. It was not capable of detecting the Red Team’s intrusions and was not configured to provide alerts for any failures or faults.
Computer and network operations for the SCADA Lab and R&D DevOps Labs have traditionally been the responsibility of the Engineering department. Engineering sees itself as separate from the rest of the company and takes care of its own IT needs. There is no formal incident response capability. Instead, the lab manager for each lab tasks engineering staff to manage the workstations. If network maintenance or upgrades are required, the Engineering Department hires contractors to perform the work. Responsibility for providing oversight for these contractors is rotated between the junior engineers.
The Data Center manager has a staff of two systems administrators who are also responsible for identifying and responding to incidents which impact server availability. The Data Center does not have any automated detection systems in place to provide alerts for intrusions. It does, however, have heat alarms, smoke detectors, and water detectors which sound audible alerts through klaxon horns. Neither of the system administrators detected any anomalies in server or local area network operations during the penetration test.
There was no effective incident response during the penetration test. In large part, this was due to the lack of a centralized team with responsibility for enterprise monitoring and response for network incidents and computer security incidents. Incident response also fell short because there were no automated detection capabilities. Finally, the company’s ability to perform forensics investigations after the penetration testing was limited due to a lack of knowledge (no trained personnel), lack of forensic analysis tools, and a limited number of log files on the servers and firewall.

Your Deliverables

Your deliverables for this assignment are:
• Part A: Completed Incident Report Form
• Part B: Summary After Action Report in narrative format
First, you should complete the Sifers-Grayson Cybersecurity Incident Report Form (use the template found at the end of this file) using information provided in this assignment file. You should also consult the “Notes to Students” (below) for additional directions regarding completion of the form.
Next, perform a more thorough analysis of the information provided about the Red Team’s penetration testing and the vulnerabilities / security gaps which were uncovered. You should pay attention to areas where the incident response capability needs to be improved (people, processes, policies and technologies). Prepare a Summary Report of your findings and recommendations in narrative format. Your Summary Report should have four major sections. The required sections are:
• Introduction (provide an overview of the purpose and contents of the report)
• Analysis of the Incident (summarize what you know about the red team’s activities / the resulting security incidents using the information provided in the classroom and in this file). Your incident analysis should address: people, processes, policies, and technologies.
• Lessons Learned (what went wrong in the incident response process, what did not happen that should have happened). Your lessons learned analysis should address: people, processes, policies, and technologies.
• Recommendations for Improvements to Incident Response Capability (what needs to change, who should take actions, what actions must be taken to improve the incident response capability).

After you have completed the Incident Report Form and the narrative Summary Report, attach both files (.docx or .doc format) to your assignment folder entry and submit them for grading. You must also submit your narrative report to Turn It In for originality scanning. (The report form does not need to be scanned since it contains a large amount of fixed content.)
Notes to Students:
• Use the incident report form that appears at the end of this file. Copy it to a new MS Word document. Insert a title page at the beginning of your file and include the title of the report, your name, and the due date. Attach the file containing this form as a separate file when you submit your assignment for grading.
• Your Summary Report deliverable should be professionally formatted and should not exceed 10 pages for the report and 3 pages for the Incident Response Form. The goal is to be clear and concise in your reporting of your analysis of this incident and your recommendations for improvements. Your file containing the report must include a title page at the beginning of your file that includes the title of the report, your name, and the due date.

• Your work for this project should reflect your learning and analysis. For that reason, the citation rules are relaxed and you may write from your own knowledge as an “expert.” BUT, if you paste exact phrases, sentences, or paragraphs from another document or resource, you must cite that source using an appropriate and consistent citation style (e.g. footnotes, end notes, in-text citations).
• You may include annotated diagrams if necessary to illustrate your analysis and/or make your point(s). You may use the figures in this assignment as the foundation for diagrams in your final report (no citations required).
• Use the NIST Incident Handling Process (see Table 1) to guide your incident analysis. You do not need to cite a source for this table. (You may also use information from the Certified Incident Handler textbook.)
• DOCUMENT YOUR ASSUMPTIONS about people, policies, processes, and technologies.
• Do not change any of the factual information provided in the classroom or this assignment file.
How to Complete the Incident Response Form
• For section 1 of the form, use your own name but provide reasonable but fictitious information for the remaining fields.
• For section 2 of the form, assign IP addresses in the following ranges to any servers, workstations, or network connections that you need to discuss.
• R&D Center 10.10.135.0/24
• Test Range 10.10.145.0/24
• Corporate Headquarters 10.10.100.0/24
• For sections 2, 3, and 5, you should use and interpret information provided in this file and elsewhere in the classroom. You may use a judicious amount of creativity, if necessary, to fill in any missing information.
• For section 4 of the form you may provide a fictitious cost estimate based upon $100 per hour for IT staff to perform “clean-up” activities. Reasonable estimates are probably in the range of 150 to 300 person hours. What’s important is that you document how you arrived at your cost estimate.
• Discuss the contract requirements and derivative requirements for cybersecurity at Sifers-Grayson in 3 to 5 paragraphs under “Section 6 General Comments.”

Figure 1. Overview of Sifers-Grayson Enterprise IT Architecture

Figure 2. Combined Network and Systems Views:
Sifers-Grayson Headquarters, R&D Center, and Data Center

Figure 3. Combined Network and Systems View for Sifers-Grayson R&D DevOps Lab

Figure 4. Combined Communications and Systems Views for Sifers-Grayson Test Range

Figure 5. Threat Landscape for Sifers-Grayson R&D DevOps Lab

NIST Incident Handling Checklist by Phase
Detection and Analysis
1. Determine whether an incident has occurred
   1.1 Analyze the precursors and indicators
   1.2 Look for correlating information
   1.3 Perform research (e.g., search engines, knowledge base)
   1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence
2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
3. Report the incident to the appropriate internal personnel and external organizations
Containment, Eradication, and Recovery
4. Acquire, preserve, secure, and document evidence
5. Contain the incident
6. Eradicate the incident
   6.1 Identify and mitigate all vulnerabilities that were exploited
   6.2 Remove malware, inappropriate materials, and other components
   6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them
7. Recover from the incident
   7.1 Return affected systems to an operationally ready state
   7.2 Confirm that the affected systems are functioning normally
   7.3 If necessary, implement additional monitoring to look for future related activity
Post-Incident Activity
8. Create a follow-up report
9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)
Source: NIST SP 800-61r2
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST SP 800-61 Rev. 2).

SIFERS-GRAYSON CYBERSECURITY INCIDENT REPORT FORM
• Contact Information for the Incident Reporter and Handler
– Name
– Role
– Organizational unit (e.g., agency, department, division, team) and affiliation
– Email address
– Phone number
– Location (e.g., mailing address, office room number)
• Incident Details
– Status change date/timestamps (including time zone): when the incident started, when the incident was discovered/detected, when the incident was reported, when the incident was resolved/ended, etc.
– Physical location of the incident (e.g., city, state)
– Current status of the incident (e.g., ongoing attack)
– Source/cause of the incident (if known), including hostnames and IP addresses
– Description of the incident (e.g., how it was detected, what occurred)
– Description of affected resources (e.g., networks, hosts, applications, data), including systems’ hostnames, IP addresses, and function
– If known, incident category, vectors of attack associated with the incident, and indicators related to the incident (traffic patterns, registry keys, etc.)
– Prioritization factors (functional impact, information impact, recoverability, etc.)
– Mitigating factors (e.g., stolen laptop containing sensitive data was using full disk encryption)
– Response actions performed (e.g., shut off host, disconnected host from network)
– Other organizations contacted (e.g., software vendor)
• Cause of the Incident (e.g., misconfigured application, unpatched host)
• Cost of the Incident
• Business Impact of the Incident
• General Comments
