Skip to content

5.11-Turn over Mission related Documents

Conditions

Given an IR Team deployed supporting a designated MP in Cyber Incident Recovery.

Standards

Upon moving into the Recovery Phase, the IR Team should gather and prepare the following items for turn-over to the supported mission partner:

  • Mission Logs
  • Accounts Added
  • Ports Opened
  • Software Installed
  • Network Maps
  • System and Network Configuration Information
  • Team Chats
  • Emails
  • Wall Notes
  • System Logs
  • Packet Captures
  • Malware Samples
  • Others

This list is not exhaustive. If the IR Team produces it during mission, it should be considered an artifact and turned over to the supported MP.

End State

The IR Team provides all mission logs, journals, and incident response artifacts to the supported MP in keeping with any Non-Disclosure Agreement stipulations. The IR Team Team Leader ensures that team members do not keep any response related documentation unless approved by the supported MP for future training opportunities.

Notes

IR Team personnel should be aware that during incident response that any/all notes, logs, journals, diagrams, etc... that they create belong to the supported MP. It is imperative that this policy be strictly followed to ensure trust is maintained with the supported MP.

References

NIST Cyber Security Framework
NIST SP 800-184: Guide to Cyber Event Recovery

Revision History