Course Title: Develop, implement and evaluate an incident response plan

Part B: Course Detail

Teaching Period: Term 2 2025

Course Code: COSC7419C

Course Title: Develop, implement and evaluate an incident response plan

Important Information:

Please note that this course may include compulsory in-person attendance requirements for some or all teaching activities.

It is recommended that you check your Canvas course shell closer to the course start date for details about any mandatory in-person attendance requirements.

Please be aware that the course delivery method may need to change quickly in response to evolving course requirements. Students must maintain regular communication with their teachers to stay informed about any updates.

School: 520T Future Technologies

Campus: City Campus

Program: C5402 - Diploma of Information Technology

Course Contact: Haroon Bhutta

Course Contact Phone: +61 3 9925 4612

Course Contact Email: haroon.bhutta@rmit.edu.au


Name and Contact Details of All Other Relevant Staff

Nominal Hours: 30

Regardless of the mode of delivery, nominal hours represent a guide to the relative teaching time and student effort required to successfully achieve a particular competency/module. This may include not only scheduled classes or workplace visits but also the amount of effort required to undertake, evaluate and complete all assessment requirements, including any non-classroom activities.

Pre-requisites and Co-requisites

None

Course Description

In this course you will gain the skills and knowledge required to develop and implement an incident response plan. The results of the incident response plan must be evaluated if they affect the mission of the organisation.


National Codes, Titles, Elements and Performance Criteria

National Element Code & Title:

ICTSAS524 Develop, implement and evaluate an incident response plan

Element:

1. Prepare to develop an incident response plan

Performance Criteria:

1.1 Identify and document organisational incident response plan requirements

1.2 Identify and document incident response team services according to organisational requirements

1.3 Identify incident response plan structure according to organisational requirements

1.4 Determine and document alignment of organisation’s existing incident response plan against identified requirements

1.5 Submit documentation to required personnel, seek and respond to feedback

Element:

2. Develop the incident response plan

Performance Criteria:

2.1 Develop and document incident management policy according to task requirements

2.2 Create incident response plans according to organisational requirements and security policies and procedures

2.3 Develop incident handling and reporting procedures

2.4 Create incident response exercises, red-teaming activities, staffing and training requirements

2.5 Develop procedure for collecting and protecting forensic evidence during incident response procedures according to organisational requirements

2.6 Establish and document the incident response plan

Element:

3. Implement the incident response plan

Performance Criteria:

3.1 Apply response actions to reported security incident according to incident response plan and task requirements

3.2 Assist in collecting, processing and preserving evidence according to requirements

3.3 Execute incident response plans, red-teaming activities and incident response exercises

3.4 Document security incident response and actions according to task requirements

3.5 Collect, analyse and report incident management measures according to task requirements

Element:

4. Evaluate incident response plans

Performance Criteria:

4.1 Assess and document efficiency and effectiveness of incident response plans activities

4.2 Examine and document effectiveness of red teaming and incident response tests, training and exercises

4.3 Assess effectiveness of communication between incident response team and required internal and external organisations

4.4 Determine and document response improvement activities

4.5 Submit documentation to required personnel and obtain final task sign off


Learning Outcomes


On successful completion of this course the candidate will demonstrate the ability to complete the tasks outlined in the elements, performance criteria and foundation skills of this unit.


Details of Learning Activities

  • Class lectures and discussions.
  • Class exercises.
  • Practical work, discussion and demonstration in a classroom.
  • Use different resources on different cybersecurity attacks to find, research, analyse and explore new ideas to discuss.
  • Knowledge quiz assessment to understand the importance of organisational data and how to protect it against and during cyberattacks.
  • Practical assessment (group work in a simulated environment as Red Team and as Blue Team to develop, implement, and evaluate an incident response plan for cybersecurity during cyberattacks within a hypothetical organisation).
  • Group work discussions.
  • Extensive research work.
  • Analytical thinking and approaches for different cybersecurity attacks.


Teaching Schedule

| Week | Topic | Assessment / Learning Activities |
| --- | --- | --- |
| Week #1 | 1. Identify and document organisational incident response plan requirements | Assessment Task 1 - Knowledge Task Questions |
| Week #2 | 1. Identify and document incident response team services according to organisational requirements | Assessment Task 1 - Knowledge Task Questions |
| Week #3 | 1. Identify incident response plan structure according to organisational requirements | Assessment Task 1 - Knowledge Task Questions; Assessment Task 2 - Practical Assessment Task: Part 1; Released Assessment Task 1 - Knowledge Task Questions |
| Week #4 | 1. Determine and document alignment of organisation’s existing incident response plan against identified requirements; 2. Submit documentation to required personnel, seek, and respond to feedback | Assessment Task 1 - Knowledge Task Questions; Assessment Task 2 - Practical Assessment Task: Part 1 |
| Week #5 | 1. Develop and document incident management policy according to task requirements | Assessment Task 1 - Knowledge Task Questions; Assessment Task 2 - Practical Assessment Task: Part 1 |
| Week #6 | 1. Create incident response plans according to organisational requirements and security policies and procedures | Assessment Task 1 - Knowledge Task Questions; Assessment Task 2 - Practical Assessment Task: Part 2 |
| Week #7 | 1. Develop incident handling and reporting procedures; 2. Create incident response exercises, red-teaming activities, staffing and training requirements | Assessment Task 1 - Knowledge Task Questions; Assessment Task 2 - Practical Assessment Task: Part 2; Released Assessment Task 2 - Practical Assessment |
| Mid-Semester Break (01 September 2025 – 05 September 2025) | | |
| Week #8 | 1. Develop procedure for collecting and protecting forensic evidence during incident response procedures according to organisational requirements; 2. Establish and document the incident response plan | Assessment Task 1 - Knowledge Task Questions; Assessment Task 2 - Practical Assessment Task: Part 2 |
| Week #9 | 1. Apply response actions to reported security incident according to incident response plan and task requirements | Assessment Task 1 - Knowledge Task Questions; Assessment Task 2 - Practical Assessment Task: Part 3; Assessment Task 1 - Knowledge Task Questions (Due this Week) |
| Week #10 | 1. Assist in collecting, processing, and preserving evidence according to requirements | Assessment Task 2 - Practical Assessment Task: Part 3 |
| Week #11 | 1. Execute incident response plans, red-teaming activities, and incident response exercises | Assessment Task 2 - Practical Assessment Task: Part 2 & Part 3 |
| Week #12 | 1. Document security incident response and actions according to task requirements; 2. Collect, analyse, and report incident management measures according to task requirements | Assessment Task 2 - Practical Assessment Task: Part 2 & Part 3 & Part 4 |
| Week #13 | 1. Assess and document efficiency and effectiveness of incident response plans activities; 2. Examine and document effectiveness of red teaming and incident response tests, training, and exercises | Assessment Task 2 - Practical Assessment Task: Part 2 & Part 3 & Part 4 |
| Week #14 | 1. Assess effectiveness of communication between incident response team and required internal and external organisations; 2. Determine and document response improvement activities; 3. Submit documentation to required personnel and obtain final task sign off | Assessment Task 2 - Practical Assessment Task: Part 2 & Part 3 & Part 4 & Part 5 |
| Week #15 | Course & assessment feedback | Assessment Task 2 - Practical Assessment (Due this Week) |
| Week #16 | Course & assessment feedback | |
| Week #17 | Re-submission if required | |
| Week #18 | Re-submission if required | |


Learning Resources

Prescribed Texts


References


Other Resources

The University Library has extensive resources and provides subject specialist expertise, research advice, help with referencing and support through:

The Learning Lab:

https://www.rmit.edu.au/students/study-support/learning-lab

The Study Support Hub:

https://www.rmit.edu.au/students/study-support/study-support-hub


Overview of Assessment

Assessment for this course is ongoing throughout the semester. Your knowledge and understanding of course content is assessed through participation in class exercises and various types of assessments.

Full assessment briefs will be provided and can be found on CANVAS.


Assessment Tasks

1. AT1-Knowledge Quiz Assessment

2. AT2-Practical Assessment


Assessment Matrix

| Element | Performance criteria | Assessment Task 1: AT 1 | Assessment Task 2: AT 2 |
| --- | --- | --- | --- |
| 1. Prepare to develop an incident response plan | 1.1 Identify and document organisational incident response plan requirements | Q14, Q16, Q17 | Part 1 |
| | 1.2 Identify and document incident response team services according to organisational requirements | Q17, Q18 | Part 1 |
| | 1.3 Identify incident response plan structure according to organisational requirements | Q14, Q16 | Part 1 |
| | 1.4 Determine and document alignment of organisation’s existing incident response plan against identified requirements | Q14, Q15, Q16 | Part 1 |
| | 1.5 Submit documentation to required personnel, seek and respond to feedback | | Part 1 |
| 2. Develop the incident response plan | 2.1 Develop and document incident management policy according to task requirements | | Part 2, Part 4 |
| | 2.2 Create incident response plans according to organisational requirements and security policies and procedures | Q16, Q17 | Part 2, Part 4 |
| | 2.3 Develop incident handling and reporting procedures | | Part 2, Part 4 |
| | 2.4 Create incident response exercises, red-teaming activities, staffing and training requirements | | Part 2, Part 3, Part 4 |
| | 2.5 Develop procedure for collecting and protecting forensic evidence during incident response procedures according to organisational requirements | | Part 2, Part 4 |
| | 2.6 Establish and document the incident response plan | | Part 2, Part 4 |
| 3. Implement the incident response plan | 3.1 Apply response actions to reported security incident according to incident response plan and task requirements | | Part 4 |
| | 3.2 Assist in collecting, processing and preserving evidence according to requirements | | Part 4 |
| | 3.3 Execute incident response plans, red-teaming activities and incident response exercises | | Part 4 |
| | 3.4 Document security incident response and actions according to task requirements | | Part 4 |
| | 3.5 Collect, analyse and report incident management measures according to task requirements | | Part 4 |
| 4. Evaluate incident response plans | 4.1 Assess and document efficiency and effectiveness of incident response plans activities | | Part 5 |
| | 4.2 Examine and document effectiveness of red teaming and incident response tests, training and exercises | | Part 5 |
| | 4.3 Assess effectiveness of communication between incident response team and required internal and external organisations | | Part 5 |
| | 4.4 Determine and document response improvement activities | | Part 5 |
| | 4.5 Submit documentation to required personnel and obtain final task sign off | | Part 5 |

Other Information

Attendance:

Your learning experience will involve class-based teaching, discussion, demonstration, and practical exercises.

It is strongly advised that you attend all timetabled sessions. This will allow you to engage in the required learning activities, ensuring you the maximum opportunity to complete this course successfully.

Credit Transfer and/or Recognition of Prior Learning (RPL):
You may be eligible for credit towards courses in your program if you have already met the learning/competency outcomes through previous learning and/or industry experience. To be eligible for credit towards a course, you must demonstrate that you have already completed learning and/or gained industry experience that is:

  • Relevant
  • Current
  • Satisfies the learning/competency outcomes of the course

Please refer to http://www.rmit.edu.au/students/enrolment/credit to find more information about credit transfer and RPL.

Study and learning Support:

Study and Learning Centre (SLC) provides free learning and academic development advice to you.
Services offered by SLC to support your numeracy and literacy skills are:

  • assignment writing, thesis writing and study skills advice
  • maths and science developmental support and advice
  • English language development

Please refer to http://www.rmit.edu.au/studyandlearningcentre to find more information about study and learning support.

Apply for credit

If you have undertaken relevant prior study or learning, you can apply for this to count towards your current RMIT program.

Special consideration:

Please refer to http://www.rmit.edu.au/students/specialconsideration to find more information about special consideration.

Plagiarism:

Plagiarism is a form of cheating and a very serious academic offence that may lead to expulsion from the University.

Please refer to www.rmit.edu.au/academicintegrity to find more information about plagiarism.

Other Information:

All email communications will be sent to your RMIT email address and you must regularly check your RMIT emails.

Extension of Time for submission of assessable work
A student may apply for an extension of up to 7 days from the original date. They must lodge the application form (available on the web: http://www1.rmit.edu.au/students/assessment/extension) at least the day before the due date. The application is lodged with the Program Coordinator, Tracey Salter, or with the School Admin Office on Level 6, Building 51. Students requiring longer extensions must apply for Special consideration.

Special consideration Policy (Late Submission)
Students requiring longer extensions must apply for Special consideration. Form available online at: http://www1.rmit.edu.au/students/specialconsideration/online.
For missed assessments such as exams and tests, you (and your doctor, if you are ill) must fill out a Special Consideration form. This form must be lodged at the HUB or online with supporting evidence (e.g. medical certificate) prior to, or within 48 hours of, the scheduled time of the exam or test.
If you miss an assessment task due to unavoidable circumstances, you need to follow the special consideration procedure and apply within the allowed time frame.
