SGC Job Analysis Questionnaire Part 3s - Incident Response



For the role of Incident Response in the Smartgrid Cybersecurity environment, please indicate how frequently each task below would be performed by a person at the listed level of expertise, and how important it is that this task be completed by a person with the listed level of expertise.
*Configure log management systems and other log repositories to maintain logs for the documented period of time per policy and then older files. (Task ID: R2-9837)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Implement controls to prevent unauthorized access to tools and data. (Task ID: R2-9794)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Verify that all reported events and incidents were handled in compliance with the reporting requirements. (Task ID: R2-9850)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Establish metrics for vendors to assess compliance with the contract with respect to notifications. (Task ID: R2-9812)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Understand data classification strategies in place. (Task ID: R2-9575)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Develop relationships with vendor partners who specialize in this testing. (Task ID: R2-9761)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Identify observables that flow from particular attacker Tactics, Techniques, and Procedures (TTPs) to optimize security monitoring capabilities. (Task ID: R2-9811)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Test all identified mitigations or patches to make sure they remove or mitigate the vulnerability as expected with no negative impacts. (Task ID: R2-9629)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Develop threat awareness content that can be included in security awareness and outreach efforts. (Task ID: R2-9614)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Analyze vendor knowledge bases (KBs) and DOE- and DHS-generated test reports of known vulnerabilities in specific smart grid components. (Task ID: R2-9489)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Review ICS-CERT, NERC, and other source reports of attacks and develop an understanding of how the threats actually work against specific vulnerabilities. (Task ID: R2-9346)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Develop an attack technique table. (Task ID: R2-9616)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)  
*Train Incident Response Team on the usage of the attack technique table. (Task ID: R2-9617)
  Frequency   Importance
  Never Rarely Sometimes Often Always   Unimportant Low Moderately Very Extremely
Novice (Apprentice)  
Intermediate (Journeyman)  
Expert (Master)