Discussion Replies 1, 2 and 3

Can you help me understand this Computer Science question?

I Need to write 3 seperate replies for each Discussion posts. and choose one question(There are 3 questions in each discussion) from each discussion and answer it. Each reply should be 75-100 words(minimum 75 words)

Please follow instructions:

The discussions in this class exist to simulate face-to-face discussions. To reach that goal, we will adhere to the 3CQ model. After posting each thread, you will post at least 3 comments on other students’ threads, and each comment must conform to the 3CQ model (Compliment, Comment, Connect, Question). This model encourages discussions that extend class learning and participation.

Here is a description of the 3CQ model:

1. Compliment – Start off positive. Compliment the person on something specific you have read or observed in the person’s blog post. For example:

  • Thanks for sharing your thoughts! I really liked …

2. Comment – Comment on something relevant and meaningful about what the person wrote. Be specific! Remember your comment might not always be agreement. You can “politely” disagree. For example:

  • I agree with you about …
  • I respect your opinion, but I think …

3. Connect – Connect with something the person wrote (Text-to-Self, Text-to-Text, Text-to-World). Explain your connection with details giving your audience a clear idea of what you’re talking about by using sensory details. For example:

  • I can connect with you about …
  • I once read a story about …
  • I had the same thing happen to me…

4. Question – Ask a specific question about something written or the writer. Keep the conversation going!

Remember that ALL discussions must use the 3CQ approach to interaction.

Discussion 1:

The first step in the incident handling process is Preparation, which I believe is an important step to showcase how an organization manages its incidents in critical situations. This step ensures that the organization already has an incident template that can be shared with the customer, which talks briefly about the event, impact, and next steps. For example, a lot of organizations uses Status Pages to notify their customer regarding any incident. These pages consist of an incident summary, impacted components, impacted customers, and the next steps. This allows the customer to realize the impact on their business. It also gives them the confidence that the organization is aware of the incident and proactively works on the incident, which enhances the organization’s credibility.

The second step in the incident handling process is Identification. This step tells the customer about the stability of the product and the average incident recovery time. For example, if any service or product takes time to recover after an incident, that means the product is not stable, making it difficult to gain more customer base. This hampers the reputation and profits of any organization.

The last step, which I feel important, is the Lesson Learned because this helps the organization learn from its mistakes and resolve them more quickly in the future. For example, suppose an organization carries out an extensive root cause analysis for an incident. In that case, the organization can come up with a solution to fix the event in future releases and completely eradicate the problem.


1) What qualities do we generally look when building CSIRT?

2) Is there any different model which an organization uses to handle incident response?

3) What are the best ways other than Status Page an organization can use to send communications to the customers?

Discussion 2:

Of the six steps in the incident response process, I will look at three, preparation, identification, and lessons learned (Solomon, 2019).


The situation, a breast imaging company has a server at each screening facility to cache images as the bandwidth is inadequate between the remote site and the data center for real-time transfers. Some believe that the RAID on the server provides enough redundancy; however, the status of the server is not monitored. When vRealize Operations Manager is implemented, it is discovered that there is a disk error on one of the servers. There were no spare drives; an additional drive failure would cause a catastrophic failure. With the server down, the location only has limited ability to store images on the modality, and the radiologists are unable to read studies. The availability of the data is compromised during an outage.

Better communication could have led to a better-architected system. Ineffective communications of the risks may have been a factor in the choice to implement critical aspects of the system with single points of failure. Detective controls would allow for drive replacement to occur as needed and not go undetected until a failure.

The inability for radiologists to diagnose leads to delayed identification of possible cancers, and therefore delayed treatment. The call center needs to have a procedure in place of how to handle and prioritize called to impacted patients. Without preparedness, an inconsistent response will be given. An emergency outage likely will cost more than a routine, planned upgrade, or change.

An imaging center that is unable to perform imaging cannot generate revenue. That loss of revenue could result in lost investors. Identification. The delayed diagnosis could erode customer confidence in the company. Within the organization, an IT failure may weaken trust and confidence in the IT staff’s ability to maintain IT services. If attacks or other issues are undetected, the impact will grow.

The identification of an issue relies in part on the ability to detect changes, as well as what is considered a normal baseline. The decision of what and how much should be stored and analyzed has a cost associated. The storage required for logging directly impacts the ability to detect and respond to incidents. It is unrealistic to log all events, to include informational.

Lessons Learned

An organization’s ability to learn and grow from incidents help for the same thing to not occur again. Capturing what went right and what went wrong does no good if it is not communicated to those that need to learn from the incident. Learning from previous events increases safety by reducing the likelihood of the same thing occurring again, and hopefully, lessening other impacts. Reduced incidents lower costs to respond and remediate. Reduced events reduce situations where the company’s reputation could be impacted.


1. How could non-quantifiable measurements such as high, moderate, and low lead to personnel manipulating a severity or impact score?

2. How should management handle an employee who is responsible for a system is part of an incident? For example, if a database is compromised, should the DBA be liable?

3. How would you select a cloud-based incident process management tool?

Discussion 3:

Step 1: Preparation

Proper communication means that all stakeholders and CSIRT members are on the same page, which means responses to incidents will be coordinated and efficient. Good preparation requires communication between managerial staff and CSIRT members as to their roles (i.e. incident lead) and responsibilities (i.e. speak to the press) before, during, and after an incident. This would be best communicated during a meeting with managerial staff, CSIRT members, and any relevant stakeholders. If there is clear direction, roles, tasks, and methods provided in person and in writing to all members, response time will be increased. This increased response time will result in a safer and more secure infrastructure and less damage in regards to money and reputation.

Step 3: Containment

During the containment phase of an incident, one can assume that stress levels will be high. Proper communication is vital during this phase to limit damage because the incident (for example, malware) can spread at a rapid pace if unchecked. If a technician determines multiple workstations have been compromised, they must immediately and effectively communicate with their network administrator to disconnect the infected workstations and all other connected workstations from the LAN. There must be a previously determined method of communication and point of contact (including correct hierarchy), such as by internal phone or instant message. A quickly quarantined incident can reduce or limit the damage malware causes to a network and potentially save a company from money loss and a tarnished reputation.

Step 6: Lessons Learned

After an incident has occurred, it is vital to gather all involved individuals to debrief. Proper communication–honest communication–is very important in this step. Individuals should be able to admit mistakes in response handling and receive critical feedback that will help them deal with a future incident. These lessons learned will prove important to reduce future damages to the infrastructure. For example, if a weak password was cracked and led to a breach, then the organization’s password policy should be changed to promote stricter security. This constant feedback loop will further strengthen the organization’s security and make it less likely to suffer greatly from future incidents.


  1. Imagine: You are the first person to discover that your organization suffered a breach (a disgruntled employee accessed sensitive files and shared them on Facebook), what would be your first step in handling this incident?
  2. It is important to test your incident response plan; however, that will likely cause network/daily task interruption. In your opinion, when is the best time to conduct such a test?
  3. Does your organization have a CSIRT? If not, how would you convince managerial staff to authorize one? If so, is there room for improvement?