5.11-Turn over Mission related Documents
Task Turn Over Mission Related Documents: Turn-Over incident mission-related documentation to the supported Mission Partner (MP).¶
Conditions¶
Given an IR Team deployed supporting a designated MP in Cyber Incident Recovery.
Standards¶
Upon moving into the Recovery Phase, the IR Team should gather and prepare the following items for turn-over to the supported mission partner:
- Mission Logs
- Accounts Added
- Ports Opened
- Software Installed
- Network Maps
- System and Network Configuration Information
- Team Chats
- Emails
- Wall Notes
- System Logs
- Packet Captures
- Malware Samples
- Others
This list is not exhaustive. If the IR Team produces it during mission, it should be considered an artifact and turned over to the supported MP.
End State¶
The IR Team provides all mission logs, journals, and incident response artifacts to the supported MP in keeping with any Non-Disclosure Agreement stipulations. The IR Team Team Leader ensures that team members do not keep any response related documentation unless approved by the supported MP for future training opportunities.
Notes¶
IR Team personnel should be aware that during incident response that any/all notes, logs, journals, diagrams, etc... that they create belong to the supported MP. It is imperative that this policy be strictly followed to ensure trust is maintained with the supported MP.
References¶
NIST Cyber Security Framework
NIST SP 800-184: Guide to Cyber Event Recovery