ICTSAS524 Student Assessment

This document provides assessment information and guidelines for students undertaking the unit ICTSAS524 Develop, implement and evaluate an incident response plan. It outlines the assessment process, reasonable adjustments, credit transfer, resources available to students, formatting requirements, recommended answer lengths, and referencing sources. The assessor is responsible for ensuring students understand the assessment information and are assessed fairly according to their language, literacy and numeracy levels.

Uploaded by So Bia

ICTSAS524

DEVELOP, IMPLEMENT AND EVALUATE AN INCIDENT RESPONSE PLAN

ICT50220

DIPLOMA OF INFORMATION TECHNOLOGY


_______________________________________

STUDENT ASSESSMENT
_______________________________________

KINGSTON INSTITUTE OF AUSTRALIA


Level 7, 8 Quay Street, Haymarket (Sydney CBD) NSW 2000, Australia
Phone: 61 02 80652990.
Assessment: ICTSAS524 Develop, implement and evaluate an incident response plan

INTRODUCTION

Purpose

This document provides necessary information to guide learners to undertake the assessment of the following unit.

• ICTSAS524 Develop, implement and evaluate an incident response plan

Unit summary and application

This unit describes the skills and knowledge required to develop and implement an incident response plan. The results of the incident response plan must be evaluated if they affect the mission of the organisation.

It applies to individuals who apply high-level technical skills and specialised knowledge to provide broad systems administration and support functions.

No licensing, legislative or certification requirements apply to this unit at the time of publication.

Sector

Systems administration and support

Pre-requisites

There are no recommended pre-requisite units for this unit.

Issue Date: December 2022 Version: 1.0 Review Date: December 2023 Authorised by: Compliance Manager
Doc: ICTSAS524 Student Assessment Page 2 of 41

ASSESSMENT INFORMATION FOR STUDENTS

Throughout your training, Kingston Institute of Australia is committed to your learning by providing a training and assessment framework that ensures the knowledge gained through training is translated into practical on-the-job improvements.

You are going to be assessed for:

• Your skills and knowledge, using written and observation activities that apply to the workplace or a simulated environment.

• Your ability to apply your learning.

• Your ability to recognize common principles and actively use these on the job.

All of your assessment and training is provided as a positive learning tool. Your assessor will guide your learning and provide feedback on your responses to the assessment materials until you have been deemed competent in this unit.

Assessment Process

The process we follow is known as competency-based assessment. To achieve competency in this unit, you need to consider the components of the training package and fulfill the assessment requirements. Some of the components are Elements, Performance Criteria, Performance Evidence, Knowledge Evidence and Assessment Conditions. For more details on components, please visit the following link and search for the unit using the unit code:

https://training.gov.au/Training/Details

In competency-based assessment, the evidence of your current skills and knowledge will be
measured against national standards of best practice, not against the learning you have
undertaken either recently or in the past. Some of the assessment will be concerned with
how you apply your skills and knowledge in the workplace, and some in the training room as
required by each unit.

The assessment tasks have been designed to enable you to demonstrate the required skills and knowledge and produce the critical evidence to successfully demonstrate competency at the required standard.

Your assessor will explain the assessment process and ensure that you are ready for assessment. Your assessment tasks will outline the evidence to be collected and how it will be collected, for example, a written activity, case study, or demonstration and observation.

If you have any special needs to be considered during assessment, changes can be made to
the way assessment is undertaken to account for special needs and this is called making
reasonable adjustment.

Reasonable Adjustments

The institute makes reasonable adjustments to assessments and to the process of conducting them, to meet the special needs of identified students. Reasonable adjustments are made in such a way that the identified students do not gain an advantage over other students.

What if I believe I am already competent before training?

If you believe you already have the knowledge and skills to be able to demonstrate
competency in this unit, speak with your trainer, as you may be able to apply for Recognition
of Prior Learning (RPL).

Credit Transfer

Credit transfer is a recognition for study you have already completed. To receive Credit
Transfer, you must be enrolled in the relevant program. Credit Transfer can be granted if you
provide the institute with certified copies of your qualifications, a Statement of Attainment or
a Statement of Results along with Credit Transfer Application Form. (For further information,
please visit Credit Transfer Policy of the institute)

Assessor Responsibilities

Assessors need to be aware of their responsibilities and carry them out appropriately. To do this they need to:

• Ensure the students read and understand ‘Assessment Information for Students’ prior to conducting the assessments.

• Ensure the students are assessed fairly based on the outcome of the language, literacy and numeracy review completed at enrolment.

• Ensure that all documentation is signed by the student, trainer, and assessor when units and certificates are complete, to ensure that there is no follow-up required from the administration perspective.

• Ensure that their own qualifications are current.

• When required, request the manager or supervisor to determine that the student is ‘satisfactorily’ demonstrating the requirements for each unit. ‘Satisfactorily’ means consistently meeting the standard expected from an experienced operator.

• When required, ensure supervisors and students sign off on third party assessment forms or third party report.

• Follow the recommendations from moderation and validation meetings.

WHS Guidelines

The institute seeks to ensure the health and safety of everyone in its workplaces. Meanwhile, as a duty of care, all employees, students and visitors of the institute are to ensure their own and others' health and safety while at the institute’s premises. Your trainer/assessor will inform you of the WHS guidelines that you should follow in and out of the classes and in the workplace environment.

How can I get resources to prepare for the assessments?

Resources | Description
Learner resource | You can get the learner resource, which contains a detailed explanation of the syllabus of the unit, from the Library or College Administration Office.
PPT slides | You can download PPT slides from your Moodle account or get them from the Trainer, upon request.
Additional Resources | You can get additional resources in the form of PDF files, URLs, Videos, etc. from the Moodle. Additional books and print outs are also available from the Library of the college.

How should I format my assessments?

You can download the institute’s ‘Style Guide’ document from your Moodle account. The Style Guide has all instructions on how to format your assessment. It includes information related to the required Font Type/Size/Color, Indents, Spacing, Bullets, Numbering, etc.

How long should my answers be?

The length of your answers will be guided by the description in each assessment, for
example:

Type of Answer | Answer Guidelines
Short Answer | 4 typed lines = 50 words, or 5 lines of handwritten texts
Long Answer | 8 typed lines = 100 words, or 10 lines of handwritten texts = 1/3 of a foolscap page
Brief Report | 500 words = 1 page typed report, or 50 lines of handwritten texts = 1 1/2 foolscap handwritten pages
Mid Report | 1,000 words = 2 page typed report; 100 lines of handwritten texts = 3 foolscap handwritten pages
Long Report | 2,000 words = 4 page typed report; 200 lines of handwritten texts = 6 foolscap handwritten pages

If any variation is needed in the length of the answers, your trainer will give you the instructions.

How should I reference the sources of information I use in my assessments?

Include a reference list at the end of your work on a separate page. You should reference
the sources you have used in your assessments using the referencing style suggested by
your Trainer.


How should I submit the assessments?

You must consider the following important points before you submit your assessment.

• You must submit the assessments of a unit in PDF format or Word format as suggested by the trainer/assessor, by the ‘Due Date’ mentioned in the submission portal of your Institute’s Moodle account.

• If needed, your trainer may separate the assessments and set different due dates for different assessments, assessment cover sheet and student declaration forms.

• If there is a single due date for all assessments, submit them in the same single assessment file that you download from your Moodle account.

• In both cases, you must complete the assessment cover sheet and student declaration section available to you along with the assessment package.

• Any evidence that may not be suitable to include inside the assessment package may be submitted separately in the submission portal of the Moodle, after consultation with the trainer/assessor.

• Before submission, you must ensure all required tasks are completed and evidences are submitted. Your assessor may not accept your submission if an incomplete assessment is submitted.

• If you face any technical problem during the submission of assessments in the Moodle, please notify the college administration or the assessor with proper evidence of the problem, prior to the Due Date.

How does the college ensure fairness, flexibility, validity and reliability of the
assessment?

To help students achieve competency in a unit, the institute may use different methods for assessments. In the process, the institute ensures the principles of fairness, flexibility, validity and reliability are met in the following ways:

Fairness

• The institute ensures the student is fully informed of the assessment process and that the student has to fill in a declaration form before the start of the assessment.
• Students can also transfer credit if the competency has already been achieved by the student.
• If the student wants recognition of prior learning (RPL), the institute makes it available, upon request.
• To address the special needs of any student, reasonable adjustments can be made to the assessment through contextualization.
• If the student is not satisfied with the grading of the unit, he/she can go for an appeal process, challenge the assessment decision and have the assessment reviewed objectively.

Flexibility

• The institute uses a range of assessment methods to allow students to demonstrate competency in a variety of ways. These methods can be written activity, practical activity, observation and demonstration, case study, etc.
• If the student wants recognition of prior learning (RPL), the institute makes it available, upon request. Adjustments will be made to the training and assessment of that student.
• Based on the institute’s Assessment Policy, multiple chances are given to the students for assessment submission and additional training can be arranged if competency is not yet achieved, even after the regular effort of the assessor and the students.

Validity

• The institute ensures the assessment tasks used to assess a student’s competency for each unit fulfil assessment requirements for performance evidence, knowledge evidence, performance criteria and foundation skills, as mentioned in the Training Package of the Unit of Competency.
• Students are given the opportunity to demonstrate skills by actually doing practical tasks rather than just theoretical explanation, and by being provided various ways to demonstrate the skills.

Reliability

• To ensure reliability in assessment grading, the institute has created an efficient assessment system. Assessors are provided with learner resources, PPT slides and an assessment guide, so that there is consistency in assessment grading even when different assessors are grading the assessments.
• Assessors are asked to provide feedback on student assessments and also fill in the marking guide on each assessment of the students.

How does the assessor make decisions during the assessment grading?

The students are declared competent by the assessor only if the knowledge and performance evidences submitted by the student are valid, sufficient, authentic and current, and if the student demonstrates the required foundation skills during observation and demonstration.

Validity
To ensure the validity of evidence submitted by you, during grading the assessor will ensure
your performance matches the performance requirement as described in the competency
standard. This is why you should be able to demonstrate the required knowledge and skills
through your evidences, to ensure your evidences are valid.

Sufficiency
To ensure the sufficiency of evidences submitted by you, the institute ensures the
assessment tools being used are valid and reliable to collect all required evidences as
described in the competency standard. During grading, the assessor will ensure that you
provide all required evidences as per the assessor’s checklist for each assessment. This is
why you should always consult with the assessor and read the assessment requirements for
the unit to ensure the evidences are sufficient.
Authenticity
To ensure the authenticity of evidence submitted by you, the assessor, when in doubt, may
compare your assessment with a group of other assessments and resources from the
internet, and check for similarity. Meanwhile during moderation of assessment, a team from
the institute may identify similarities in different assessments. As long as the assessments
are similar to an acceptable range as per the Student Assessment Policy and Procedure of
the institute, your assessment will be deemed authentic. This is why you should ensure your
assessment is your own work and that references are given if resources are used from the
internet.
Plagiarism is not accepted in the Australian education system or at the institute. You should not practice any plagiarism in your assessments or any other works. Plagiarism practices may affect your results of the assessment as well as your student visa. The Student Assessment Policy and Procedure is shared in every orientation event during every intake. A hard copy of this policy is kept at the reception desk of the institute.

Currency
To ensure the currency of evidence submitted by you, the institute performs validation activities of assessment that involve checking that your assessment tools have produced valid, reliable, sufficient, current and authentic evidence. Meanwhile, the trainer/assessor will continuously observe your performance during the training period. The trainer/assessor may ask you to demonstrate the required skills in the simulated environment or the workplace environment. You can ensure your evidences are current by attending the training on a regular basis and demonstrating the knowledge and performance evidences under the observation of the trainer/assessor.

What happens after the submission of assessments and in case of no submission?

After the submission of assessment, your assessor will grade your assessment and take
different actions at different stages of grading and feedback process. Please adhere to the
Student Assessment Policy and Procedure for more details on how the grading and
feedback process will occur and what will happen if no submission of assessment is made.

What if you disagree on the assessment outcome?

You can appeal against a decision made in regards to your assessment. You should only appeal against a decision made if you have been assessed as ‘Not Yet Competent (NYC)’ against a specific unit and you feel you have sufficient grounds to believe that you should be assessed as competent. You must be able to demonstrate that you have the skills and experience to be able to meet the requirements of the units you are appealing the assessment of.

Your trainer will outline the appeals process, which is available to the student. You can
request a form to make an appeal and submit it to your trainer, the course coordinator, or the
administration officer. The institute will examine the appeal and you will be advised of the
outcome within 14 days. Any additional information you wish to provide may be attached to
the appeal form.


ASSESSMENT GUIDE
The following table shows you how to achieve a satisfactory (S) result against the criteria for
each type of assessment task. The following is a list of general assessment methods that
can be used in assessing a unit of competency. Check your assessment tasks to identify the
ones used in this unit of competency.

Assessment Method | Satisfactory (S) Result | Not Yet Satisfactory (NYS) Result

You will receive an overall result of Competent (C) or Not Yet Competent (NYC) for the unit. The assessment process is made up of a number of assessment methods. You are required to achieve a satisfactory result in each of these to be deemed competent overall. Meanwhile, you must demonstrate satisfactory foundation skills to the assessor, during the observation of demonstration of the assessment tasks, and through the submission of evidences. Your assessment may include the following assessment types.

Questions | All questions answered correctly | Incorrect answers for one or more questions
Questions | Answers address the question in full; referring to appropriate sources from your workbook and/or workplace | Answers do not address the question in full. Does not refer to appropriate or correct sources.
Written Activity | The assessor will mark the activity against the detailed guidelines/instructions | Does not follow guidelines/instructions
Written Activity | Attachments if requested are attached | Requested supplementary items are not attached
Written Activity | All requirements of the written activity are addressed/covered. | Response does not address the requirements in full; is missing a response for one or more areas.
Written Activity | Responses must refer to appropriate sources from your workbook and/or workplace | One or more of the requirements are answered incorrectly. Does not refer to or utilize appropriate or correct sources of information
Observation/Demonstration | All elements, criteria, knowledge and performance evidence and critical aspects of evidence, are demonstrated at the appropriate AQF level | Could not demonstrate elements, criteria, knowledge and performance evidence and/or critical aspects of evidence, at the appropriate AQF level
Case Study | All comprehension questions answered correctly; demonstrating an application of knowledge of the topic case study. | Lack of demonstrated comprehension of the underpinning knowledge (remove) required to complete the case study questions correctly. One or more questions are answered incorrectly.
Case Study | Answers address the question in full; referring to appropriate sources from your workbook and/or workplace | Answers do not address the question in full; do not refer to appropriate sources.
Practical Activity | All tasks in the practical activity must be completed and evidence of completion must be provided to your trainer/assessor. | Tasks have not been completed effectively and evidence of completion has not been provided.
Practical Activity | All tasks have been completed accurately and evidence provided for each stated task. |
Practical Activity | Attachments if requested are attached | Requested supplementary items are not attached

ASSESSMENT SUMMARY/COVER SHEET

Assessment Cover Sheet

Course code/name: ICT50220 Diploma of Information Technology

Unit code/name: ICTSAS524 Develop, implement and evaluate an incident response plan

Assessor’s name:

Student’s name: Abdul Rehman Student ID: 1401883

Due Date: 21/05/2023

Submission date:

Student Declaration

I declare that:

• I am aware of the assessment process.
• I am aware of all the components of the assessments that includes assessment conditions, knowledge and performance evidence, elements and performance criteria and foundation skills.
• I am aware of the assessment tasks, requirements and due dates.
• I am aware of Kingston Institute of Australia’s assessment policy and appeal process.
• I am aware that plagiarism is not accepted in the institute.
• I am aware of my rights to appeal, if I am not satisfied with my results.
• The material I have submitted is my own work.
• I have kept a copy of all relevant notes and reference material that I used in the production of my work.
• I am aware of WHS guidelines that should be followed at the institute and workplace environment.
• I have given references for all sources of information that are not my own, including the words, ideas and images of others.

Student Signature: _______________________ Date: ______________________

Assessment Outcome

Assessment Tasks | Assessment Results
Assessment 1: Written Activity | S / NYS
Assessment 2: Project | S / NYS

Feedback / Comments:

Overall Outcome

Competent Not yet Competent

Student Declaration:

• The result of my performance in this unit has been discussed and explained to me.

□ I want to make an appeal against the overall outcome of the assessments.

Student signature: _____________________ Date: _____________

Assessor Declaration:

• I declare that I have conducted a fair, flexible, valid and reliable assessment with the student and that the evidence submitted to me is valid, sufficient, authentic and current.

Assessor’s Signature: __________________ Date: _____________

ASSESSMENT 1- WRITTEN ACTIVITY

Questions:

Question 1: Answer the following questions:

A.) Provide any three features or benefits of having a business domain. Answer should be
between 50-100 words.

B.) Briefly explain the WHS Act, which is applied when developing incident and prevention
strategy. Answer should be between 50-100 words.

C.) What is the workplace procedure which applies for preventing and recovering from an
incident at the workplace? Answer should be between 50-100 words.

D.) What are the benefits of having recovery and prevention strategies at the workplace?
Answer should be between 40-80 words.

A.) Three features or benefits of having a business domain are:

i. Brand Identity: Having a business domain allows you to create a unique and professional online presence for your brand. It helps in establishing credibility and recognition among customers.

ii. Professional Email Addresses: A business domain enables you to create custom email addresses that align with your brand, such as info@yourbusiness.com. This enhances professionalism and builds trust with customers.

iii. Better Search Engine Ranking: Owning a domain name related to your business improves your chances of ranking higher in search engine results. It makes it easier for potential customers to find your website and increases your online visibility.

B.) The WHS Act refers to the Work Health and Safety Act, which is a legislation that applies to workplaces in Australia. It outlines the legal framework and requirements for ensuring the health and safety of workers and others in the workplace. When developing an incident and prevention strategy, organizations must comply with the WHS Act by identifying and assessing workplace risks, implementing measures to control those risks, providing training and information to employees, and continuously monitoring and reviewing the effectiveness of the strategy.

C.) The workplace procedure for preventing and recovering from an incident at the workplace typically involves the following steps:

i. Prevention Measures: Implementing safety protocols, conducting risk assessments, providing appropriate training to employees, and maintaining a safe working environment to minimize the occurrence of incidents.

ii. Incident Reporting: Establishing a procedure for employees to promptly report any incidents or hazards they observe in the workplace to ensure timely response and investigation.

iii. Incident Response: Taking immediate action to address the incident, such as providing medical assistance, securing the area, and notifying relevant authorities.

iv. Investigation and Analysis: Conducting a thorough investigation to determine the root cause of the incident and analyzing factors that contributed to it.

v. Corrective Actions: Implementing measures to prevent similar incidents from occurring in the future, such as updating procedures, improving training programs, or making physical changes to the workplace.

D.) Having recovery and prevention strategies at the workplace offers several benefits, including:

i. Employee Safety: Implementing these strategies helps create a safer work environment, reducing the risk of injuries, accidents, and occupational illnesses. This promotes the well-being of employees and boosts morale.

ii. Cost Savings: Preventing incidents and implementing effective recovery strategies can save businesses significant costs associated with workers' compensation claims, medical expenses, property damage, and legal liabilities.

iii. Business Continuity: A well-prepared recovery strategy ensures that operations can resume promptly after an incident, minimizing downtime and financial losses. It helps maintain productivity and customer satisfaction.

iv. Compliance with Regulations: Having these strategies in place helps organizations comply with legal requirements, such as the WHS Act. Compliance fosters trust with stakeholders and protects the organization from legal penalties and reputational damage.

Question 2: Briefly explain the following threat evaluation methodologies used in the ICT industry:

• Qualitative threat analysis (Answer should be between 50-120 words)
• Quantitative threat analysis (Answer should be between 50-120 words)

• Qualitative threat analysis is a methodology used in the ICT industry to evaluate threats based on subjective judgments and expert opinions. It involves assessing the likelihood and impact of various threats on an organization's information and technology assets. Qualitative analysis relies on qualitative data such as historical data, industry trends, and expert knowledge to identify and prioritize threats. This methodology uses techniques like risk matrices or risk categorization to classify threats into different levels of severity or likelihood. The output of qualitative threat analysis provides a qualitative understanding of the risks and helps organizations make informed decisions regarding risk mitigation strategies and resource allocation.

• Quantitative threat analysis, on the other hand, is a methodology that uses quantitative data and mathematical models to assess and quantify the potential impact of threats on an organization's ICT systems. It involves assigning numerical values to various factors such as asset value, threat probability, and vulnerability to calculate risk levels. Quantitative analysis utilizes techniques like statistical analysis, modeling, and simulations to quantify risks and estimate potential losses. This methodology provides a more objective and numeric perspective on risks, allowing organizations to prioritize their mitigation efforts based on quantitative metrics. It helps in making data-driven decisions and allocating resources effectively to reduce the overall risk exposure in the ICT environment.
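The two methodologies can be run side by side on the same threat register. The following is an added example, not part of the original assessment: it rates each threat with a 3x3 risk matrix, then computes the annualised loss expectancy (SLE x ARO, a standard formula the answer does not name) and checks it with a small Monte Carlo simulation. The threat figures, the matrix thresholds and the loss distribution are all assumptions made for the example.

```python
import random

# Constructed sample register: every rating and number below is an assumption
# made for this example, not data from the assessment.
THREATS = [
    # name, likelihood, impact, asset value ($), exposure factor, ARO (events/yr)
    ("data loss",             "medium", "high", 400_000,   0.25, 0.5),
    ("cyberattack",           "medium", "high", 1_000_000, 0.50, 0.25),
    ("shortage of employees", "high",   "low",  50_000,    0.50, 2.0),
]
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood, impact):
    """3x3 risk matrix: expert labels in, severity band out."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def sle(asset_value, exposure_factor):
    """Single loss expectancy: expected loss from one occurrence."""
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annualised loss expectancy: SLE x annual rate of occurrence."""
    return sle(asset_value, exposure_factor) * aro


def simulate_annual_loss(asset_value, exposure_factor, aro, years=20_000, seed=1):
    """Monte Carlo estimate of yearly loss: returns (mean, 95th percentile).

    Events arrive as a Poisson process with rate `aro`; each event costs
    between 0.5x and 1.5x the SLE (triangular, most likely value = SLE).
    """
    rng = random.Random(seed)          # fixed seed: repeatable result
    one = sle(asset_value, exposure_factor)
    totals = []
    for _ in range(years):
        t, loss = rng.expovariate(aro), 0.0
        while t < 1.0:                 # every arrival that falls inside this year
            loss += rng.triangular(0.5 * one, 1.5 * one, one)
            t += rng.expovariate(aro)
        totals.append(loss)
    totals.sort()
    return sum(totals) / years, totals[int(0.95 * years)]


def assess():
    """One row per threat, highest ALE first: band next to the numbers."""
    rows = []
    for name, likelihood, impact, value, ef, aro in THREATS:
        mean, p95 = simulate_annual_loss(value, ef, aro)
        rows.append({
            "threat": name,
            "rating": qualitative_rating(likelihood, impact),
            "ale": ale(value, ef, aro),
            "sim_mean": mean,
            "sim_p95": p95,
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for r in assess():
        print(f"{r['threat']:<22} {r['rating']:<7} ALE={r['ale']:>9,.0f} "
              f"sim mean={r['sim_mean']:>9,.0f} p95={r['sim_p95']:>9,.0f}")
```

With these inputs, "data loss" and "cyberattack" share the same qualitative band while their ALE differs by a factor of 2.5, and the "medium" staffing threat costs as much per year as the "high" data-loss threat.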

Question 3. Briefly explain the following backup methodologies, which are widely used across the ICT industry:

• Full backup
• Incremental
• Differential

Each answer should be between 50-120 words.

• Full Backup: Full backup is a backup methodology where all data and files are copied from the source to a backup storage medium. It creates a complete replica of the entire data set, including files, folders, and system settings. Full backups are typically performed initially or periodically, capturing all data and providing a baseline for future backups. Subsequent backups only capture changes made since the last full backup. Full backups offer comprehensive data protection, enabling complete restoration in case of data loss. However, they consume more storage space and require longer backup windows due to the volume of data being transferred.

• Incremental Backup: Incremental backup focuses on backing up only the data that has changed since the last backup, whether it was a full backup or an incremental backup. It captures and stores the changes made to files and data, significantly reducing backup time and storage requirements. During restoration, incremental backups require the original full backup and subsequent incremental backups in chronological order to rebuild the entire dataset. While incremental backups are efficient and require less storage space compared to full backups, the restoration process can be more time-consuming as multiple backup sets need to be accessed.

• Differential Backup: Differential backup also captures changes made to data since the last full backup, but unlike incremental backups, it does not consider previous differential backups. Each differential backup contains all changes made since the last full backup, making it easier to restore data during the recovery process. To restore data, only the last full backup and the most recent differential backup are needed. Differential backups strike a balance between storage efficiency and restoration time compared to full and incremental backups. They require less storage space than full backups and involve fewer backup sets during restoration, making it a faster process. However, as the number of differential backups increases, backup sizes and restoration time also grow.
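The trade-off between the three methodologies shows up when a restore is actually attempted. The following is an added example, not part of the original assessment: it models one backup cycle, builds the sets each strategy would write, and works out which sets a restore must read, how much storage each strategy used, and what happens when one set in the chain is lost. The file names, sizes and the five-day schedule are constructed sample data, and the model ignores deletions.

```python
"""Compare full, incremental and differential backups over one cycle."""

# Constructed sample data: file -> size in MB written on each day.
# Day 0 is the state captured by the initial full backup.
CHANGES = [
    {"db.sql": 500, "app.cfg": 1, "logs.tar": 200},  # day 0
    {"db.sql": 510},                                 # day 1
    {"app.cfg": 1},                                  # day 2
    {"db.sql": 530, "logs.tar": 220},                # day 3
    {"report.pdf": 5},                               # day 4
]


def live_state(day):
    """Files on the source after `day`: name -> (day last written, size)."""
    state = {}
    for d in range(day + 1):
        for name, size in CHANGES[d].items():
            state[name] = (d, size)
    return state


def backup_set(strategy, day):
    """Contents of the backup set written on `day` under `strategy`."""
    if day == 0 or strategy == "full":
        return live_state(day)                 # complete copy
    if strategy == "incremental":
        since = day - 1                        # last backup of any kind
    elif strategy == "differential":
        since = 0                              # last full backup
    else:
        raise ValueError(strategy)
    return {n: v for n, v in live_state(day).items() if v[0] > since}


def restore_chain(strategy, day):
    """Days whose backup sets must be read, in order, to restore `day`."""
    if day == 0 or strategy == "full":
        return [day]
    if strategy == "incremental":
        return list(range(day + 1))            # full + every increment
    return [0, day]                            # full + latest differential


def restore(strategy, day, missing=()):
    """Replay the chain; raise if a required set is unavailable."""
    state = {}
    for d in restore_chain(strategy, day):
        if d in missing:
            raise LookupError(f"{strategy}: set from day {d} is missing")
        state.update(backup_set(strategy, d))
    return state


def stored_mb(strategy, last_day):
    """Total MB written to backup storage for days 0..last_day."""
    return sum(size
               for d in range(last_day + 1)
               for _, size in backup_set(strategy, d).values())


if __name__ == "__main__":
    for s in ("full", "incremental", "differential"):
        print(f"{s:<13} sets read to restore day 4: {restore_chain(s, 4)}  "
              f"storage used: {stored_mb(s, 4)} MB")
    try:
        restore("incremental", 4, missing={2})
    except LookupError as err:
        print("restore failed ->", err)
    print("differential still restores:",
          restore("differential", 4, missing={2}) == live_state(4))
```

Losing the day 2 set breaks the incremental restore of day 4, while the differential restore only depends on day 0 and day 4.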

Question 4: Answer the following:

A.) What are the components of the planning process in business?

B.) Briefly explain the use of the following planning process components for developing business solutions:

• Market research and strategies
• Financial documents

Each answer should be between 50-120 words.

A.) The components of the planning process in business typically include:

• Goal Setting: Defining the objectives and targets that the business aims to achieve within a specific timeframe.

• Situation Analysis: Assessing the internal and external factors that may influence the business's performance and identifying strengths, weaknesses, opportunities, and threats (SWOT analysis).

• Strategy Development: Formulating a plan to achieve the defined goals, including identifying target markets, competitive positioning, and value proposition.

• Resource Allocation: Determining the allocation of resources such as finances, personnel, and technology to support the execution of the strategies.

• Implementation and Execution: Taking action to execute the planned strategies, monitoring progress, and making necessary adjustments along the way.

• Evaluation and Control: Continuously evaluating the outcomes and performance of the implemented strategies and making corrective measures if needed.

B.)

Market research and strategies play a crucial role in developing business solutions. Market research involves gathering and analyzing data about target markets, customers, competitors, and industry trends. This information helps businesses understand customer needs, preferences, and market dynamics. It guides the development of effective marketing strategies, product/service positioning, pricing, and distribution channels. Market research provides insights to make informed business decisions, identify growth opportunities, and mitigate risks.

Financial documents, such as income statements, balance sheets, and cash flow statements, are essential planning components for developing business solutions. They provide a comprehensive overview of the financial health of the business and help in analyzing profitability, liquidity, and financial stability. Financial documents aid in budgeting, forecasting, and determining the financial feasibility of proposed solutions. They also support investment decisions, loan applications, and attracting investors. By examining financial documents, businesses can assess their financial performance, identify areas for improvement, and make strategic decisions to optimize resources and achieve financial goals.

Question 5: How should an organisation function when an incident occurs?

When an incident occurs, an organization should follow a well-defined incident response plan to effectively manage the situation. Here are the general steps an organization should take:

• Activate the Incident Response Team: The organization should have a dedicated team responsible for handling incidents. This team should be immediately alerted and activated to initiate the response process.

• Assess the Incident: The incident response team should quickly assess the nature, scope, and impact of the incident. This involves gathering information, analyzing the situation, and determining the severity and potential risks associated with the incident.

• Contain the Incident: The team should take immediate action to contain the incident and prevent it from spreading further. This may involve isolating affected systems, shutting down compromised services, or disconnecting from the network if necessary.

• Mitigate and Remediate: Once the incident is contained, the team should work on mitigating the immediate risks and remediating the underlying cause of the incident. This could involve applying patches, restoring backups, removing malware, or implementing temporary workarounds to restore normal operations.

• Communicate and Notify: It is crucial to have effective communication channels established to keep stakeholders informed about the incident. This includes notifying internal personnel, management, customers, partners, and relevant authorities as required. Transparent and timely communication helps manage expectations and maintain trust.

• Investigate and Learn: After the incident is under control, a thorough investigation should be conducted to understand the root cause, identify vulnerabilities, and improve security measures. Lessons learned from the incident should be documented and incorporated into future incident response plans and security protocols.

• Resume Normal Operations: Once the incident is fully resolved and systems are deemed secure, the organization should gradually resume normal operations. This includes verifying the integrity of systems, conducting post-incident testing, and ensuring that all necessary safeguards are in place to prevent future incidents.

Question 6: What is meant by an incident response plan? Answer should be between 40-80 words.

An incident response plan is a documented set of procedures and guidelines that an organization follows when responding to and managing security incidents. It outlines the roles and responsibilities of the incident response team, the steps to be taken during an incident, communication protocols, and the tools and resources needed to mitigate and recover from incidents. The plan serves as a roadmap to effectively detect, respond to, and minimize the impact of security incidents on the organization's systems, data, and operations.

Question 7: List any three ways to obtain feedback.

i. Surveys: Conducting surveys allows organizations to gather feedback from a large number of individuals. Surveys can be conducted online, through email, or in person, and they can include various types of questions, such as multiple-choice, open-ended, or rating scales. Surveys provide structured feedback and quantitative data that can be analyzed to gain insights and identify trends.

ii. Interviews: Conducting one-on-one or group interviews allows for more in-depth and qualitative feedback. Interviews provide the opportunity to ask follow-up questions, delve into specific areas of interest, and gather rich insights and perspectives. Interviews can be conducted in person, over the phone, or through video conferencing.

iii. Feedback Forms or Comment Boxes: Providing physical or digital feedback forms or comment boxes allows individuals to provide feedback anonymously or with their contact information. This method encourages honest feedback and allows individuals to share their thoughts, suggestions, and concerns in a convenient and accessible manner. Organizations can place feedback forms or comment boxes in physical locations or provide them on their websites or digital platforms.

Question 8. Briefly explain the purpose of incident management policy. Answer should be between 40-80 words.

The purpose of an incident management policy is to establish a framework and guidelines for effectively managing and responding to incidents within an organization. It outlines the roles, responsibilities, and procedures for detecting, reporting, assessing, resolving, and learning from incidents. The policy aims to minimize the impact of incidents on operations, protect assets and data, ensure timely response and communication, and facilitate the recovery process. It provides a clear and consistent approach to incident management, promotes accountability, and helps maintain the security and stability of the organization's systems and resources.

Question 9: List the steps that need to be followed while collecting forensic evidence in the ICT industry.

• Identification and Documentation: Identify the digital devices or systems that may contain potential evidence. Document the relevant information, such as device type, model, serial number, location, and the context of the investigation.

• Secure the Scene: Take necessary precautions to preserve the integrity of the evidence. Secure the physical location, ensure authorized access only, and prevent tampering or contamination of the digital devices or systems.

• Establish a Chain of Custody: Create and maintain a detailed record of all individuals who have had custody or control over the evidence. This includes the date, time, and purpose of each transfer. Properly label and seal evidence containers to prevent tampering.

• Forensic Imaging: Create a forensically sound image or copy of the digital storage media or system. Use specialized software or hardware write-blockers to ensure the integrity and authenticity of the collected evidence. Document the process and verify the integrity of the image.

• Analysis and Examination: Analyze the forensic image or copy of the evidence using appropriate forensic tools and techniques. This may involve searching for files, recovering deleted data, examining system logs, or analyzing network traffic. Document and preserve any relevant findings.

• Data Recovery and Preservation: If data recovery is required, carefully extract the relevant data from the evidence without altering or damaging the original content. Take steps to ensure the integrity and preservation of the recovered data.

• Documentation and Reporting: Document the entire forensic process, including the steps taken, tools used, and findings obtained. Prepare a detailed report that summarizes the analysis, conclusions, and any recommendations. The report should be clear, concise, and objective.

• Legal Considerations: Ensure compliance with applicable laws, regulations, and legal procedures. Adhere to proper chain of custody practices, maintain confidentiality, and follow any required protocols for reporting or presenting the evidence in a legal setting.
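Two of the steps above, verifying the integrity of the image and keeping a chain of custody, can be checked mechanically. The following is an added example, not part of the original assessment: it hashes the source while copying it, re-reads the image to confirm the copy, and keeps a custody log in which every entry records the date, parties and purpose of a transfer and commits to the previous entry. The hash-chained log format, the evidence ID, the names and the timestamps are assumptions constructed for the example; an in-memory byte stream stands in for a write-blocked drive.

```python
import hashlib
import io
import json

GENESIS = "0" * 64  # prev_hash of the first custody entry


def hash_stream(stream, chunk=1 << 16):
    """SHA-256 of a seekable stream, read from the start."""
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def acquire_image(source, dest, chunk=1 << 16):
    """Copy `source` to `dest` in chunks, hashing what was read.

    The copy is then re-read and hashed; a mismatch means the image is not a
    faithful copy and must not be used. Returns the SHA-256 hex digest.
    """
    read_hash = hashlib.sha256()
    for block in iter(lambda: source.read(chunk), b""):
        read_hash.update(block)
        dest.write(block)
    if hash_stream(dest, chunk) != read_hash.hexdigest():
        raise IOError("image does not match source: acquisition failed")
    return read_hash.hexdigest()


class CustodyLog:
    """Append-only custody record; each entry commits to the previous one.

    The chain only proves internal consistency, so the latest entry_hash
    should also be written somewhere the log's holder cannot change.
    """

    def __init__(self, evidence_id, image_sha256):
        self.evidence_id = evidence_id
        self.image_sha256 = image_sha256   # digest recorded at acquisition
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def transfer(self, when, released_by, received_by, purpose):
        """Record one hand-over: date/time, both parties and the purpose."""
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "image_sha256": self.image_sha256,
            "when": when,
            "released_by": released_by,
            "received_by": received_by,
            "purpose": purpose,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def audit(self, image):
        """Return a list of findings; an empty list means nothing was detected."""
        findings = []
        if hash_stream(image) != self.image_sha256:
            findings.append("image hash differs from the acquisition hash")
        prev, holder = GENESIS, None
        for e in self.entries:
            if e["prev_hash"] != prev or e["entry_hash"] != self._digest(e):
                findings.append(f"entry {e['seq']}: record altered or re-ordered")
            if holder is not None and e["released_by"] != holder:
                findings.append(f"entry {e['seq']}: {e['released_by']} released "
                                f"evidence last received by {holder}")
            prev, holder = e["entry_hash"], e["received_by"]
        return findings


def build_sample():
    """Constructed evidence and hand-overs; names and times are made up."""
    disk = io.BytesIO(b"MBR" + bytes(range(256)) * 512)   # stand-in for a drive
    image = io.BytesIO()
    log = CustodyLog("EVID-0001", acquire_image(disk, image))
    log.transfer("2023-05-02T09:10Z", "first responder", "examiner A", "imaging")
    log.transfer("2023-05-02T11:45Z", "examiner A", "evidence locker", "storage")
    log.transfer("2023-05-03T08:30Z", "evidence locker", "examiner B", "analysis")
    return image, log


if __name__ == "__main__":
    image, log = build_sample()
    print("clean audit:", log.audit(image))
    log.entries[1]["purpose"] = "returned to owner"       # simulated edit
    print("after edit :", log.audit(image))
```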

Reference:


ASSESSMENT 2 – PRACTICAL ACTIVITY

Scenario:

Future IT is an IT company that provides different IT services such as application development, technical issue resolution, software support, Internet services, database services and others. It operates all across Australia, with branches in major cities such as Melbourne, Sydney, Perth and Brisbane.

It has around 133,240 clients and has been providing services to them for the last five years. The company has been consistent in providing services and is giving tough competition in the industry.

Future IT has a large database of employees and customers, which contains sensitive information. If the sensitive information is breached, it will impact not only customers but also the organisation's reputation in the market.

Future IT has an orthodox incident response plan strategy which was developed five years ago and has not been updated since then. The incident response plan doesn't cover most of the key points which need to be covered in case of an incident.


The incident response plan of Future IT is given below:

You recently joined Future IT as the Incident Response Coordinator and you noticed that
the incident response plan needs to be updated as it is missing essential information.

You are aware that an incident response plan is important because it provides security to the organization and helps in setting test measures which will help reduce breaches of policies and internal threats.

Future IT needs to update the incident response plan for the following reasons:

• Improve security
• Prevent breach of any legislation or policy
• Organize tasks so that an incident, if one occurs, doesn't impact the organization

Future IT has implemented the following security laws and regulations, which help in preparing the incident response plan:

• Privacy Act 1998
• Security Industry Act 2003
• Security Provider Regulation 2008
• Private Security Regulations 2016

You need to research these laws and policies on the internet to get in-depth information on their working and importance.

Future IT has an incident response team, and the team has the following responsibilities:

• Investigate incidents
• Analyze incidents
• Create and maintain an incident response plan
• Manage communication after the incident

Future IT is also aware that it faces the following threats, due to which it needs to update the incident response team:

• Data loss
• Cyberattack
• Cultural conflict
• Shortage of employees

The effectiveness of the incident response plan can be checked with the help of the risk
register and risk assessment tools.

You need to perform the following activities to develop the incident response plan for Future
IT.


Activity 1: Incident response plan requirements

You need to read and understand the given scenario before starting this activity.

In this activity, you need to develop a report on the organization's requirements for the incident response plan.

The report needs to cover the following information:

• Requirements from the incident response plan
• Services provided by the incident response team
• Structure of the incident response plan
• Comparison with the existing incident response plan

Report on Incident Response Plan Requirements

1 REQUIREMENTS FROM THE INCIDENT RESPONSE PLAN

The incident response plan for Future IT needs to address the following requirements:

a. Comprehensive Coverage: The plan should cover all possible incidents that may occur, including data breaches, cyberattacks, cultural conflicts, and employee shortages. It should outline specific response actions for each type of incident.

b. Proactive Measures: The plan should include proactive measures to prevent incidents, such as regular security audits, vulnerability assessments, and employee training programs.

c. Clear Roles and Responsibilities: It is essential to define clear roles and responsibilities for each member of the incident response team. This includes the Incident Response Coordinator, investigators, analysts, and communication managers.

d. Incident Reporting and Escalation: The plan should outline a clear process for reporting incidents, including who to contact, what information to provide, and how incidents should be escalated based on their severity.

e. Timely Response and Resolution: The plan should emphasize the importance of timely response and resolution to minimize the impact of incidents on the organization and its clients. It should include defined response timeframes and escalation procedures.

f. Documentation and Reporting: The plan should specify the documentation requirements for each incident, including incident reports, evidence preservation, and post-incident analysis. It should also outline the reporting procedures to relevant stakeholders, such as management, clients, and regulatory bodies.

g. Continuous Improvement: The plan should incorporate mechanisms for continuous improvement, such as periodic plan reviews, lessons learned from past incidents, and feedback from stakeholders. This ensures that the incident response plan remains up to date and effective.

2 SERVICES PROVIDED BY THE INCIDENT RESPONSE TEAM

The incident response team at Future IT is responsible for the following services:

a. Incident Investigation: The team investigates incidents to determine the cause, scope, and impact. They gather evidence, analyze logs, and conduct forensic examinations to identify the attackers and their methods.

b. Incident Analysis: The team performs a detailed analysis of incidents to understand their root causes and vulnerabilities exploited. This analysis helps in identifying weaknesses in the organization's security infrastructure and processes.

c. Incident Response Plan Development and Maintenance: The team is responsible for creating and maintaining the incident response plan. They update it regularly to reflect changes in the organization's environment, threat landscape, and regulatory requirements.

d. Communication Management: The team manages communication during and after incidents. They ensure timely and accurate communication with stakeholders, including internal teams, clients, regulatory authorities, and the public, if necessary.

3 STRUCTURE OF THE INCIDENT RESPONSE PLAN

The incident response plan for Future IT should have a structured framework to ensure clarity and effectiveness. It can follow the following structure:

a. Introduction: An overview of the purpose, scope, and objectives of the incident response plan.

b. Roles and Responsibilities: Clear definition of roles and responsibilities for each member of the incident response team and other stakeholders involved in the response process.

c. Incident Response Procedures: Detailed step-by-step procedures for responding to different types of incidents, including initial response, containment, eradication, recovery, and lessons learned.

d. Communication Plan: A comprehensive plan for communication during and after incidents, including internal and external stakeholders, media, and regulatory bodies.

e. Incident Reporting and Documentation: Guidelines for incident reporting, evidence preservation, documentation of actions taken, and post-incident analysis.

f. Training and Awareness: Strategies for training employees on incident response procedures and creating awareness about security best practices to prevent incidents.

g. Testing and Exercises: Regular testing and simulation exercises to validate the effectiveness of the incident response plan and improve response capabilities.


4 COMPARISON WITH THE EXISTING INCIDENT RESPONSE PLAN

The existing incident response plan at Future IT is outdated and lacks essential information. A comparison between the current plan and the required plan highlights the following gaps:

a. Incomprehensive Coverage: The existing plan does not address all possible incidents, leaving gaps in response procedures for specific threats such as cultural conflicts and employee shortages.

b. Lack of Proactive Measures: The current plan does not include proactive measures to prevent incidents, such as security audits, vulnerability assessments, and employee training programs.

c. Ambiguous Roles and Responsibilities: The roles and responsibilities of team members and stakeholders are not clearly defined in the existing plan, leading to confusion and delays in incident response.

d. Inadequate Incident Reporting and Escalation: The current plan lacks a clear process for incident reporting, including whom to contact, what information to provide, and how incidents should be escalated based on severity.

e. Absence of Timely Response and Resolution Guidelines: The existing plan does not emphasize the importance of timely response and resolution, which may result in prolonged incidents and increased damage to the organization.

f. Limited Documentation and Reporting: The current plan lacks specific guidelines on incident documentation, evidence preservation, and reporting procedures to relevant stakeholders.

g. Lack of Continuous Improvement Mechanisms: The existing plan does not incorporate mechanisms for continuous improvement, such as plan reviews, lessons learned, and feedback from stakeholders.

In conclusion, the existing incident response plan falls short in meeting the requirements necessary for effective incident response. It lacks comprehensive coverage, proactive measures, clear roles and responsibilities, incident reporting and escalation procedures, timely response and resolution guidelines, documentation and reporting guidelines, and mechanisms for continuous improvement. These deficiencies highlight the need to update and enhance the incident response plan to ensure the organization's security and resilience.

Activity 2: Discuss the incident response plan discussed

This activity is in continuation with the previous activity.

In this activity, you need to discuss the requirements gathered about the incident response
plan in the previous activity.

You will act as an incident response coordinator who will provide the information about what
needs to be included in the incident response plan and what services will be provided in
case of an incident.

Your classmate will act as a manager who will ask questions about the requirements of the
incident plan and will provide feedback on what needs to be updated in the plan.

In the meeting, you need to discuss the following:

• Discuss incident plan requirements
• Highlight services which will be provided in case of an incident
• Discuss the structure of the incident response plan
• Compare new requirements with the existing incident response plan
• Obtain feedback from the manager

You need to complete the meeting in 10-20 minutes. Your trainer will observe your performance and complete the following performance checklist. You also need to complete the meeting minutes and record the information related to the meeting discussion.

Meeting Objective: Discuss the incident response plan requirements and gather feedback from the manager


Attendees: Incident Response Coordinator, Manager

Venue: Future IT Office

Date: 02/05/2023

| No. | Points Discussed | Actions Suggested | Target Date |
|-----|------------------|-------------------|-------------|
| 1 | Discussed the requirements gathered in the previous activity, including comprehensive coverage, proactive measures, clear roles and responsibilities, incident reporting and escalation, timely response and resolution, documentation and reporting, and mechanisms for continuous improvement. | To address all types of incidents, including data loss, cyberattacks, cultural conflicts, and employee shortages. | 04/05/2023 |
| 2 | Compared the new requirements with the existing incident response plan and identified gaps and deficiencies. | Need for updates in terms of coverage, proactive measures, roles and responsibilities, incident reporting and escalation, timely response and resolution, documentation and reporting, and continuous improvement. | 06/05/2023 |
| 3 | Discussed the manager's suggestions for improvements, including providing more specific guidelines for incident response procedures and incorporating legal and regulatory requirements into the plan. | Incorporate the feedback and suggestions provided by the manager into the incident response plan. | 08/05/2023 |

Activity 3: Developing an incident response plan

This activity is continuing from the previous activity.


In this activity, you need to develop an incident response plan for Future IT after completing
the previous activity.

The incident response plan needs to include the following information:

• Incident management policy
• Incident response plan
• Incident handling procedure
• Incident reporting procedure
• Incident response exercise
• Red-teaming activities
• Training requirements
• Procedures to collect forensic evidence

You need to document all this information in a word file and save it as ‘Incident response
plan’. After developing the incident response plan, you need to submit the word document to
the trainer for assessment.

Activity 4: Implement an incident response plan

This activity is in continuation with the previous activity.

ADDITIONAL SCENARIO

After the development of the incident response plan, there has been a security incident
occurred in Future IT due to which two systems are not operating, and data from them are
lost.

In this activity, you need to implement the incident response plan developed in the previous
activity to investigate the issue of the problem and come up with the results so that it comes
helpful for the organization to deal with the incident.

You need to perform the following tasks in the activity:

• Apply the incident response plan developed in the previous activity
• Apply actions to deal with security issues
• Collect and analyse evidence
• Implement response exercises
• Implement red teaming activities

• Provide training
• Highlight the security incidents and what response actions were taken

You need to perform this activity in a simulated environment and perform the listed tasks.
Your trainer will observe you while you are performing the activity, and the trainer will
complete the observation checklist at the end of the activity.

Activity 5: Submission of incident response plan results

This activity is continuing from the previous activity.

In this activity, you need to write an email to your trainer about the results of the incident
response plan. You need to provide information about the sources from which the
information was collected. In the email, you also need to provide information about the
analysis of the incident response plan and write about the measures taken to manage
the incident response plan.

You also need to attach the relevant document to the email so that the manager can refer to it
and get exact information about the progress and effectiveness of the incident response
plan.

Activity 6: Incident response plan evaluation

This activity continues from the previous activity.

In this activity, you need to develop a report which will provide information about how effective
the incident response plan was and what needs to be changed in the incident response plan.

The report needs to cover the following:

• Efficiency of the incident response plan
• Effectiveness of the incident response plan
• Effectiveness of red teaming
• Effectiveness of incident response tests and training
• Communication between the incident response team and the internal organization
• Improvement strategies

Activity 7: Sign-off approval

This activity continues from the previous activity.

In this activity, you need to conduct a meeting with your manager to submit the
documentation related to the incident response plan and obtain approval from the manager.

You will act as an incident response coordinator who will provide the relevant documents
gathered from the previous activity and will ask for feedback and sign-off for the project.

Your classmates will act as the manager, who will review the documents submitted and will
provide sign-off if the incident response plan meets the requirements.

In the meeting, you need to cover the following:

• Discuss documents gathered from previous activities
• Highlight improvement strategies
• Discuss the effectiveness of the incident response plan
• Ask for sign-off

You need to complete the meeting in 7-15 minutes. Your trainer will observe your
performance and complete the following performance checklist. You also need to complete
the meeting minutes and write the information related to the meeting discussion.

Reference:
