Security Incident Web/BBS Defacement workflow template

The Security Incident - Web/BBS Defacement - Template allows you to perform a series of tasks designed to handle vandalism directed against one of your organization's BBS or web sites.

Before you begin

Role required: sn_si.write

About this task

The workflow is triggered when the Category in a security incident is set to Web/BBS defacement. This action causes a response task to be created for the first activity in the workflow.

Web/BBS Defacement Template

Procedure

  1. Open the security incident for this occurrence of web or BBS defacement, or create a new security incident.
  2. In Category, select Web/BBS defacement.
  3. Save the record.
  4. Scroll down and open the Response Tasks related list.
    The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the workflow to end.
    Table 1. Response tasks in Web/BBS Defacement Template

    Response task: Security incident assignment
    Action: Create a security incident for each reported incident of website or BBS defacement.
    Results: The next response task is created.

    Response task: Defacement verified?
    Action: Determine whether the website or BBS has in fact been defaced. In the task, select Yes or No in Outcome.
    Results: If you select Yes, the following response tasks are created:
    • PR process
    • Law enforcement process
    • Determine and eradicate root cause
    If you select No, the workflow ends.

    Response task: PR process
    Action: Perform the steps necessary to notify the public that the website or BBS has been defaced. When you are finished with the PR process, set the state of the task to Complete or Incomplete as appropriate.
    Results: The Lessons learned meeting task is created.

    Response task: Law enforcement process
    Action: Perform the steps required to engage the appropriate law enforcement agencies regarding the attack. When you are finished, set the state of the task to Complete or Incomplete as appropriate.
    Results: The Lessons learned meeting task is created.

    Response task: Determine and eradicate root cause
    Action: Perform the steps necessary to discover and eliminate the root cause of the defacement. Update the State field in the task as appropriate.
    Results: If you changed the state of the task to Closed Complete or Cancelled, the next response task is created.

    Response task: Restore site from backup
    Action: Perform the steps required to back up and restore the website or BBS. Update the State field in the task as appropriate.
    Results: If you changed the state of the task to Closed Complete or Cancelled, the next response task is created.

    Response task: Test and verify site is restored
    Action: Verify that the site is restored. When you are finished, set the state of the task to Complete or Incomplete as appropriate.
    Results: The Lessons learned meeting task is created.

    Response task: Lessons learned meeting
    Action: Conduct a lessons learned meeting to triage the work performed for this website/BBS defacement incident. Update the State field in the task as appropriate.
    Results: If you change the state of the task to Closed Complete or Cancelled, the Set state to review task is created.

    Response task: Set state to review
    Action: No action required.
    Results: The State of the security incident is changed automatically to Review. The workflow ends.