SGC Job Analysis Questionnaire Part 3s - Incident Response
For the role of Incident Response in the Smartgrid Cybersecurity environment, please indicate how frequently each task below would be performed by a person at the listed level of expertise, and how important it is that this task be completed by a person with the listed level of expertise.
Each task is rated on the same three scales:
Frequency: Never / Rarely / Sometimes / Often / Always
Importance: Unimportant / Low / Moderately / Very / Extremely
Level of expertise: Novice (Apprentice) / Intermediate (Journeyman) / Expert (Master)

Configure log management systems and other log repositories to maintain logs for the documented period of time per policy and then older files. (Task ID: R2-9837)
Implement controls to prevent unauthorized access to tools and data. (Task ID: R2-9794)
Verify all reported events and incidents were handled in compliance with the reporting requirements. (Task ID: R2-9850)
Establish metrics for vendors to assess compliance with the contract with respect to notifications. (Task ID: R2-9812)
Understand data classification strategies in place. (Task ID: R2-9575)
Develop relationships with vendor partners who specialize in this testing. (Task ID: R2-9761)
Identify observables that flow from particular attacker Tactics, Techniques, and Procedures (TTPs) to optimize your security monitoring capabilities. (Task ID: R2-9811)
Test all identified mitigations or patches to make sure they remove or mitigate the vulnerability as expected, with no negative impacts. (Task ID: R2-9629)
Develop threat awareness content that can be included in security awareness and outreach efforts. (Task ID: R2-9614)
Analyze vendor KBs and DOE- and DHS-generated testing reports of known vulnerabilities in specific smart grid components. (Task ID: R2-9489)
Review ICS-CERT, NERC and other source reports of attacks and develop an understanding of how the threats actually work against specific vulnerabilities. (Task ID: R2-9346)
Develop an attack technique table. (Task ID: R2-9616)
Train Incident Response Team on the usage of the attack technique table. (Task ID: R2-9617)