Computer Incident Management

The Computer Incident Handling Capability (Incident Management Program) enables an agency to proactively monitor, detect and respond to computer incidents such as unauthorized system and network access, virus infections, etc. dnc corp's proposed solution for implementing a proactive and effective program consists of the following:

  • Determining the goals of the Computer Incident Response Team (CIRT);
  • Defining CIRT constituency;
  • Promoting awareness of the CIRT throughout the Agency;
  • Establishing a hotline capability for the CIRT (24x7 coverage) to include: secure phone, secure FAX, secure e-mail, and pager;
  • Developing early warning systems for security vulnerability notices to include: early warning notices of vulnerabilities, vendor-initiated alerts, other security team or agency alerts, and security incident-related alerts;
  • Determining communication paths for CIRT, Agency technical points-of-contact, and appropriate Agency senior managers when reporting and responding to security incidents;
  • Determining appropriate law enforcement points-of-contact and establishing communication channels;
  • Developing incident response procedures to include guidance on maintaining the chain of evidence, electronic incident reporting, and electronic incident activity log;
  • Determining the scope of each incident, whether an incident actually occurred, and what data needs to be gathered for the incident being investigated; and
  • Conducting post-incident analysis to determine how the incident started, what system or network vulnerabilities were exploited, how access was gained to the system, how quickly and efficiently the CIRT responded to the incident, and whether the procedures in place were sufficient.

Effective and Efficient

As a result of years of implementing incident management programs, dnc corp has developed program modules tailored to ensure the best solution for its clients. Examples of these are:

  • Alert/Early Warning System: dnc corp will monitor alerts and notices posted by vendors and incident response-related entities and provide advice to the client as to validity, relevancy, and impact to the client's environment.
  • Incident Handling Procedures: dnc corp will assist the client in developing effective incident handling procedures to include coordination with law enforcement agencies, the Office of Inspector General, and emergency response and investigation procedures.
  • Computer Incident Response Team (CIRT): dnc corp will provide technical staff with expertise in the information technology platforms specific to the client environment to assist in responding to and investigating computer incidents.
  • Intrusion Detection/Monitoring Tools: dnc corp will recommend, procure, and configure a set of intrusion detection/monitoring tools comprised of commercial off-the-shelf (COTS) products, freeware, and shareware. These tools will effectively monitor the client's operating environment. dnc corp will also identify limitations of these tools, and recommend supplemental manual or procedural safeguards.
  • System or Security Manager's Automated Response Tool (SoSmart): dnc corp will fully develop this tool, which integrates multiple intrusion detection and monitoring tools, provides integrated diagnostic capability, and implements automated response functions to include paging, e-mail, termination of IP addresses, and decoy setup.
  • Computer Incident Tracking System (CITS): dnc corp will customize its CITS to fit the client's operating environment and computer incident handling process to enable effective tracking, reporting, and immediate, short-term advice on incident response.
  • Audit Diagnostic Tools: dnc corp will develop tools that perform diagnostics. These tools extract pertinent information from audit trails of multiple platforms and products, including Windows NT and firewalls, to facilitate identification of potential anomalies.
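The audit diagnostic idea in the last bullet, shown as an added example rather than dnc corp's own tool: records from two different audit sources (a Windows NT security log and a firewall log) are normalised into one event schema, then a few simple rules are run over the combined timeline to flag candidates for the CIRT to triage. The log line formats, host names, user names, addresses and thresholds are constructed for this example; only the NT event IDs 528 (successful logon) and 529 (failed logon) are real values.

```python
"""Audit-trail diagnostic: normalise two audit sources and flag anomalies (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines; the simplified formats are invented for this example.
SAMPLE_LINES = [
    "2000-03-14 09:00:01 EventID=529 User=jsmith Workstation=WS17",
    "2000-03-14 09:00:05 EventID=529 User=jsmith Workstation=WS17",
    "2000-03-14 09:00:09 EventID=529 User=jsmith Workstation=WS17",
    "2000-03-14 09:00:20 EventID=528 User=jsmith Workstation=WS17",
    "2000-03-14 09:01:00 EventID=528 User=mlee Workstation=WS04",
    "2000-03-14 09:02:10 DENY src=203.0.113.7 dst=192.0.2.10:23",
    "2000-03-14 09:02:11 DENY src=203.0.113.7 dst=192.0.2.10:21",
    "2000-03-14 09:02:12 DENY src=203.0.113.7 dst=192.0.2.10:80",
    "2000-03-14 09:03:00 ALLOW src=198.51.100.5 dst=192.0.2.10:80",
    "2000-03-14 09:05:00 EventID=529 User=mlee Workstation=WS04",
]

@dataclass
class Event:
    """Common schema so rules need not care which platform produced the record."""
    when: datetime
    source: str   # "nt" (Windows NT security log) or "fw" (firewall)
    actor: str    # user name for NT, source address for the firewall
    target: str   # workstation for NT, destination host:port for the firewall
    outcome: str  # "success" | "failure" | "allow" | "deny"

NT_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) User=(\S+) Workstation=(\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) (DENY|ALLOW) src=(\S+) dst=(\S+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_nt(line):
    """Map NT logon audit records to the common schema; other event IDs are out of scope."""
    m = NT_RE.match(line)
    if not m:
        return None
    ts, event_id, user, workstation = m.groups()
    outcome = {"528": "success", "529": "failure"}.get(event_id)
    if outcome is None:
        return None
    return Event(datetime.strptime(ts, TS_FMT), "nt", user, workstation, outcome)

def parse_fw(line):
    """Map firewall accept/deny records to the common schema."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, action, src, dst = m.groups()
    return Event(datetime.strptime(ts, TS_FMT), "fw", src, dst, action.lower())

def parse_lines(lines):
    """Parse every line with whichever parser understands it, then order by time."""
    events = []
    for line in lines:
        ev = parse_nt(line) or parse_fw(line)
        if ev is not None:
            events.append(ev)
    return sorted(events, key=lambda e: e.when)

def find_anomalies(events, fail_threshold=3, window_sec=60, deny_threshold=3):
    """Return (kind, actor, count) findings from three simple rules (thresholds are invented)."""
    findings = []
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.source == "nt":
            (failures if e.outcome == "failure" else successes)[e.actor].append(e.when)
    # Rule 1: N or more failed logons for one user inside a sliding window.
    # Rule 2: a successful logon for that user shortly after such a burst.
    for user, times in failures.items():
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_sec:
                j += 1
            if j - i >= fail_threshold:
                findings.append(("failed_logon_burst", user, j - i))
                later = [s for s in successes[user]
                         if 0 < (s - times[i]).total_seconds() <= window_sec]
                if later:
                    findings.append(("success_after_failed_burst", user, len(later)))
                break
    # Rule 3: one source address repeatedly denied by the firewall.
    denies = Counter(e.actor for e in events if e.source == "fw" and e.outcome == "deny")
    for src, n in denies.items():
        if n >= deny_threshold:
            findings.append(("repeated_firewall_deny", src, n))
    return findings

if __name__ == "__main__":
    for kind, actor, count in find_anomalies(parse_lines(SAMPLE_LINES)):
        print(f"{kind:28s} {actor:16s} count={count}")
```

The point of the common `Event` schema is that a rule such as "success shortly after a burst of failures" is written once and does not need to know whether the records came from NT, a firewall, or a third platform added later; a new source only needs a parser that fills the same five fields. The thresholds are deliberately low so the constructed sample triggers every rule; in practice they would be tuned against the client's baseline to keep the CIRT's queue manageable.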