Mastering the CSA Incident Response Plan

Martin - May 13, 2021

A key exam for the Cyber Security Analyst course involves an Incident Response Plan (IRP), simple.

Or is it? (Hint - it is!)

You have put in the hours, done the work, and I'm here to guide you through the steps you need to take to complete the CSA IRP! So follow on with me as I give a walkthrough of what you need to reach the finish line.

What is the purpose of the IRP?

Creation and completion of the IRP shows an understanding of the fundamentals of cyber security defence processes. In the exercise you define a threat you believe is relevant, show your understanding of how it harms computer networks, and provide the steps to stop it, eradicate it and recover your network. In the real world you will form part of a team, and your awareness of threat indicators will help protect the health of your company's cyber security.

One of the best ways to show understanding of any concept is to educate others, so your IRP should be aimed at showing your knowledge by:

  • Identifying the threat,
  • Providing methods of containment to prevent the spread,
  • Providing solutions to recover the network, and
  • Suggesting network solutions to prevent reoccurrence.

What threat should I choose?

Here the world is your oyster; you get to choose your own adventure.

Pick something you are interested in, something you're passionate about, or even something that you want to develop more knowledge on. Current events can be a great source of inspiration.

You could check out the following podcasts for ideas:

The Marking Criteria

Here is the key point: how to get full marks. Gather in, peeps, the secret is... follow the marking guide! Believe it or not, we too follow the marking guide, so if you follow the guide and aim to complete the items on the right hand side in full, you are writing your own pass mark.

Below is the marking guide provided to you in the IRP lesson content, and you can see the number of points awarded for the completion of each criterion. Completion of everything in column 3 in full would award a pass mark of 80%, but with a little extra effort 100% is achievable.

The Layout

The presentation of your IRP should look neat and professional, and to assist with this we provide the template you are required to use. By using the template provided, you give us, the markers, a familiar and easy to read format to grade. If we are able to pick out the criteria we require, you will be on your way to a pass mark and that bit closer to the sweet finish line.

The template flowchart bubbles and lines can be "copy pasted" into new locations and moved with either the mouse or arrow keys on your keyboard to line up. Be sure to remember that yellow highlighting can be removed by the Word text formatting.

The Fastest Way To Failing

The topic we knew we would get to, which I will reiterate from the lesson. To ensure you do not get an email from one of the graders asking for a resubmission, keep the following in mind, as each can result in automatic failure of that submission.

  • Failure to use the IRP template provided.
    • We ask you to use the IRP template so that all students start off on the same playing field, and it is easy for us to mark.
  • The IRP must have your name on the title page.
    • We are yet to meet a student called FIRSTNAME LASTNAME, so if that is not the case enter your name so that we can assign your marks to your good work.
  • The IRP must have its own title – not that of the template.
    • A SIEM will have many playbooks; in this scenario this is one of many and must be easily identifiable on the title page.
  • Save the file using the convention Firstname_Lastname_IRP-Title.
    • This assists us in our filing, as we have hundreds of students.
  • Remove all yellow highlights.
    • This is probably one of the last formatting errors you can have; the highlighting is there as a guide when using the template, not for submission.
  • Do not miss or fail to complete the IRP stages or the flowchart.
    • This is a key point, as the follow-on steps may fork and the assessor (or the responder to the event) needs to know in a logical way what to do.
  • Include sources.
    • These will be checked by the grader. To get full marks, give a brief description of each source.
  • Do not plagiarise.
    • This one should not need to be explained: we want to see your work, not someone else's.

Second Chances

We here at WYWM want you to confidently pass, but in the event that you are unable to continue, it is not the end. The instructors will allow resubmission after you are debriefed on your previous attempt. Simply rectify those outstanding requirements and resubmit when you are ready.

The biggest takeaways from this article are two things:

  • Follow the marking guide, and
  • Understand automatic failure criteria.

- - - Good luck and have fun! - - -
