Course Title: Develop, implement and evaluate an incident response plan
Part B: Course Detail
Teaching Period: Term1 2024
Course Code: COSC7419C
Important Information:
Please note that this course may have compulsory in-person attendance requirements for some teaching activities.
To participate in any RMIT course in-person activities or assessment, you will need to comply with RMIT vaccination requirements which are applicable during the duration of the course. This RMIT requirement includes being vaccinated against COVID-19 or holding a valid medical exemption.
Please read this RMIT Enrolment Procedure as it has important information regarding COVID vaccination and your study at RMIT: https://policies.rmit.edu.au/document/view.php?id=209.
Please read the Student website for additional requirements of in-person attendance: https://www.rmit.edu.au/covid/coming-to-campus
Please check your Canvas course shell closer to when the course starts to see if this course requires mandatory in-person attendance. The delivery method of the course might have to change quickly in response to changes in the local state/national directive regarding in-person course attendance.
School: 520T Future Technologies
Campus: City Campus
Program: C5402 - Diploma of Information Technology
Course Contact: Haroon Bhutta
Course Contact Phone: +61 3 9925 4448
Course Contact Email: haroon.bhutta@rmit.edu.au
Name and Contact Details of All Other Relevant Staff
Nominal Hours: 30
Regardless of the mode of delivery, nominal hours represent a guide to the relative teaching time and student effort required to successfully achieve a particular competency/module. This may include not only scheduled classes or workplace visits but also the amount of effort required to undertake, evaluate and complete all assessment requirements, including any non-classroom activities.
Pre-requisites and Co-requisites
Nil
Course Description
In this course you will gain the skills and knowledge required to develop and implement an incident response plan. The results of the incident response plan must be evaluated if they affect the mission of the organisation.
National Codes, Titles, Elements and Performance Criteria
National Element Code & Title: ICTSAS524 Develop, implement and evaluate an incident response plan

Element: 1. Prepare to develop an incident response plan
Performance Criteria:
1.1 Identify and document organisational incident response plan requirements
1.2 Identify and document incident response team services according to organisational requirements
1.3 Identify incident response plan structure according to organisational requirements
1.4 Determine and document alignment of organisation’s existing incident response plan against identified requirements
1.5 Submit documentation to required personnel, seek and respond to feedback

Element: 2. Develop the incident response plan
Performance Criteria:
2.1 Develop and document incident management policy according to task requirements
2.2 Create incident response plans according to organisational requirements and security policies and procedures
2.3 Develop incident handling and reporting procedures
2.4 Create incident response exercises, red-teaming activities, staffing and training requirements
2.5 Develop procedure for collecting and protecting forensic evidence during incident response procedures according to organisational requirements
2.6 Establish and document the incident response plan

Element: 3. Implement the incident response plan
Performance Criteria:
3.1 Apply response actions to reported security incident according to incident response plan and task requirements
3.2 Assist in collecting, processing and preserving evidence according to requirements
3.3 Execute incident response plans, red-teaming activities and incident response exercises
3.4 Document security incident response and actions according to task requirements
3.5 Collect, analyse and report incident management measures according to task requirements

Element: 4. Evaluate incident response plans
Performance Criteria:
4.1 Assess and document efficiency and effectiveness of incident response plans activities
4.2 Examine and document effectiveness of red teaming and incident response tests, training and exercises
4.3 Assess effectiveness of communication between incident response team and required internal and external organisations
4.4 Determine and document response improvement activities
4.5 Submit documentation to required personnel and obtain final task sign off
Learning Outcomes
On successful completion of this course you will have developed and applied the skills and knowledge required to demonstrate competency in the above elements.
Details of Learning Activities
Class lectures and discussions.
Class exercises.
Practical demonstration in a classroom.
Analysis of cybersecurity attacks.
Group project (working as a Red Team and as a Blue Team).
Group discussions.
Research work.
Teaching Schedule
| Week | Topic | Assessment / Learning Activities |
| --- | --- | --- |
| Week #1 | 1. Identify and document organisational incident response plan requirements | AT 1 |
| Week #2 | 1. Identify and document incident response team services according to organisational requirements | AT 1 |
| Week #3 | 1. Identify incident response plan structure according to organisational requirements | AT 1; AT 2 - Part 1; Released AT1 |
| Week #4 | 1. Determine and document alignment of organisation’s existing incident response plan against identified requirements 2. Submit documentation to required personnel, seek, and respond to feedback | AT 1; AT 2 - Part 1 |
| Week #5 | 1. Develop and document incident management policy according to task requirements | AT 1; AT 2 - Part 1 |
| Week #6 | 1. Create incident response plans according to organisational requirements and security policies and procedures | AT 1; AT 2 - Part 2 |
| Week #7 | 1. Develop incident handling and reporting procedures 2. Create incident response exercises, red-teaming activities, staffing and training requirements | AT 1; AT 2 - Part 2; Released AT2 |
| Mid-Semester Break (29 Mar – 07 Apr) | | |
| Week #8 | 1. Develop procedure for collecting and protecting forensic evidence during incident response procedures according to organisational requirements 2. Establish and document the incident response plan | AT 1; AT 2 - Part 2 |
| Week #9 | 1. Apply response actions to reported security incident according to incident response plan and task requirements | AT 1; AT 2 - Part 3; Submitted AT1 (Due this week) |
| Week #10 | 1. Assist in collecting, processing, and preserving evidence according to requirements | AT 2 - Part 3 |
| Week #11 | 1. Execute incident response plans, red-teaming activities, and incident response exercises | AT 2 - Part 3 |
| Week #12 | 1. Document security incident response and actions according to task requirements 2. Collect, analyse, and report incident management measures according to task requirements | AT 2 - Part 4 |
| Week #13 | 1. Assess and document efficiency and effectiveness of incident response plans activities 2. Examine and document effectiveness of red teaming and incident response tests, training, and exercises | AT 2 - Part 4 |
| Week #14 | 1. Assess effectiveness of communication between incident response team and required internal and external organisations 2. Determine and document response improvement activities 3. Submit documentation to required personnel and obtain final task sign off | AT 2 - Part 4; AT 2 - Part 5 |
| Week #15 | Course & assessment feedback | Submit AT2 (Due this week) |
| Week #16 | Course & assessment feedback | |
| Week #17 | Re-submission if required | |
| Week #18 | Re-submission if required | |
Learning Resources
Prescribed Texts
References
Other Resources
The University Library has extensive resources and provides subject specialist expertise, research advice, help with referencing and support through:
The Learning Lab:
https://www.rmit.edu.au/students/study-support/learning-lab
The Study Support Hub:
https://www.rmit.edu.au/students/study-support/study-support-hub
Overview of Assessment
Assessment for this course is ongoing throughout the semester. Your knowledge and understanding of course content is assessed through participation in class exercises, oral/written presentations and through the application of learned skills and insights. Full assessment briefs will be provided and can be found on Canvas.
Assessment Tasks
1. Assessment Task 1 - Knowledge Task Questions
2. Assessment Task 2 (Project) - Practical Assessment Task
Assessment Matrix
| Element | Performance criteria | Assessment Task 1: AT 1 | Assessment Task 2: AT 2 |
| --- | --- | --- | --- |
| 1. Prepare to develop an incident response plan | 1.1 Identify and document organisational incident response plan requirements | Q14, Q16, Q17 | Part 1 |
| | 1.2 Identify and document incident response team services according to organisational requirements | Q17, Q18 | Part 1 |
| | 1.3 Identify incident response plan structure according to organisational requirements | Q14, Q16 | Part 1 |
| | 1.4 Determine and document alignment of organisation’s existing incident response plan against identified requirements | Q14, Q15, Q16 | Part 1 |
| | 1.5 Submit documentation to required personnel, seek and respond to feedback | | Part 1 |
| 2. Develop the incident response plan | 2.1 Develop and document incident management policy according to task requirements | | Part 2, Part 4 |
| | 2.2 Create incident response plans according to organisational requirements and security policies and procedures | Q16, Q17 | Part 2, Part 4 |
| | 2.3 Develop incident handling and reporting procedures | | Part 2, Part 4 |
| | 2.4 Create incident response exercises, red-teaming activities, staffing and training requirements | | Part 2, Part 3, Part 4 |
| | 2.5 Develop procedure for collecting and protecting forensic evidence during incident response procedures according to organisational requirements | | Part 2, Part 4 |
| | 2.6 Establish and document the incident response plan | | Part 2, Part 4 |
| 3. Implement the incident response plan | 3.1 Apply response actions to reported security incident according to incident response plan and task requirements | | Part 4 |
| | 3.2 Assist in collecting, processing and preserving evidence according to requirements | | Part 4 |
| | 3.3 Execute incident response plans, red-teaming activities and incident response exercises | | Part 4 |
| | 3.4 Document security incident response and actions according to task requirements | | Part 4 |
| | 3.5 Collect, analyse and report incident management measures according to task requirements | | Part 4 |
| 4. Evaluate incident response plans | 4.1 Assess and document efficiency and effectiveness of incident response plans activities | | Part 5 |
| | 4.2 Examine and document effectiveness of red teaming and incident response tests, training and exercises | | Part 5 |
| | 4.3 Assess effectiveness of communication between incident response team and required internal and external organisations | | Part 5 |
| | 4.4 Determine and document response improvement activities | | Part 5 |
| | 4.5 Submit documentation to required personnel and obtain final task sign off | | Part 5 |
Other Information
Attendance:
Your learning experience will involve class-based teaching, discussion, demonstration, and practical exercises.
It is strongly advised that you attend all timetabled sessions. This will allow you to engage in the required learning activities, ensuring you the maximum opportunity to complete this course successfully.
Information about your studies:
You can access My Studies through the RMIT website for information about timetables, important dates, assessment dates, results and progress, Canvas etc.
https://www.rmit.edu.au/students
Assessment:
Information on assessment, including special consideration and adjustments to assessment (e.g., applying for an extension of time):
https://www.rmit.edu.au/students/student-essentials/assessment-and-exams/assessment
Academic Integrity and Plagiarism:
RMIT University has a strict policy on plagiarism and academic integrity. Please refer to the website for more information on this policy.
https://www.rmit.edu.au/students/student-essentials/assessment-and-exams/academic-integrity
Credit Transfer and Recognition of Prior Learning:
Credit transfer is the recognition of previously completed formal learning (an officially accredited qualification).
Recognition of Prior Learning (RPL) is an assessment process that allows you to demonstrate competence using the skills you have gained through experience in the workplace, voluntary work, informal or formal training or other life experiences.
Please speak to your teacher if you wish to discuss applying for Credit Transfer or RPL for the unit(s) of competency addressed in this course.
https://www.rmit.edu.au/students/student-essentials/enrolment/apply-for-credit
