Research Paper Undergraduate 2,190 words

Malware Incident Response Plan: Setup, Response, Recovery

Abstract

This paper presents a comprehensive malware incident response plan organized into three stages: setup, response, and recovery. The setup stage addresses employee training at all levels, layered access controls, antivirus software management, and incident reporting procedures. The response stage outlines a tiered approach to breaches ranging from isolated workstation infections to company-wide compromises of sensitive data. The recovery stage details steps for restoring systems after an attack. An analytical section grounds each plan element in peer-reviewed cybersecurity research, drawing on studies of business security awareness, federal government incident response frameworks, and legislative responses to national-level cyber threats.

Key Takeaways
  • Overview and Policy Objectives: Plan purpose and three-stage framework
  • Setup: Training, Access Controls, and Detection: Employee training, access tiers, antivirus, and reporting
  • Response: Tiered Threat Management: Three response levels based on breach severity
  • Recovery: Restoring System Integrity: System reboot, data restoration, and OS reinstallation
  • Analysis: Research Foundations of the Plan: Research sources supporting each plan component
How to write this paper

What makes this paper effective

  • The plan is logically sequenced across three operational stages — setup, response, and recovery — giving it a practical, actionable structure that mirrors real-world incident response frameworks.
  • The analysis section explicitly connects each plan element to supporting peer-reviewed research, demonstrating that design choices are evidence-based rather than arbitrary.
  • The use of a tiered response model (low, medium, and critical breach levels) shows nuanced thinking about proportionality in security planning.

Key academic technique demonstrated

The paper effectively uses a policy-then-justification structure: it first presents the operational plan in full, then provides a separate analytical section that traces each component back to specific scholarly sources. This two-part approach separates prescription from evidence, making both the practical recommendations and the academic grounding easier to evaluate independently.

Structure breakdown

The paper opens with a brief policy overview, followed by three operational sections (Setup, Response, Recovery) that build sequentially from prevention to containment to remediation. A standalone Analysis section then maps each plan component to supporting literature, concluding with a bulleted framework drawn from a practitioner-oriented journal article. References appear in APA format at the end.

Overview and Policy Objectives

This plan is designed to mitigate the effects of malware used during a cyber-attack on a company's security system. The plan uses three stages: setup, response, and recovery. It is based on evidence from research conducted to protect the highest levels of secure documents.

Setup: Training, Access Controls, and Detection

The first priority of the plan is to educate all levels of the company regarding the dangers that arise from breaching security protocols at individual workstations. While it may seem necessary to conduct in-depth training only with new employees, research has shown that executives are often the most lax when it comes to cybersecurity. Therefore, a training schedule that updates users on new information and reminds them of their daily responsibilities for protecting the overall system is essential. This training will recur on a semiannual basis to keep it fresh in the minds of all personnel concerned.

The training that every employee receives will not be at the same level as that received by information technology personnel tasked with detection and response. These individuals need to be trained daily on the threats that could affect the particular systems the company uses. This means there will be a dedicated threat assessment team — consisting of at least two people — responsible for monitoring outbreaks that have occurred in other networks. These incidents will be assessed to determine whether they could possibly endanger the operations of this company. The importance of this cannot be overstated. Constant threats occur against all manner of server systems, and it is necessary to determine whether any given threat, no matter how small the apparent risk, could occur within this company's systems. This team will report to the rest of the IT department on a daily basis to ensure that all personnel are aware of current threats facing the industry. A "Threat Sheet" will be generated and distributed to these personnel daily as a constant reminder of current issues. All company personnel will also receive a daily email describing the threats they need to be aware of.

Training is a priority for any organization, but it is also necessary to build layers of security starting with the people using individual workstations. A person's position within the company determines the level of information to which that individual should have access. A line employee, depending on the type of employment, will have access only to information that is crucial to their job description. It is unnecessary to grant that individual access to information unrelated to their role unless they are promoted to another position or assigned a project that requires it. All supervisory personnel will have a higher level of access in recognition of their responsibility for a group of employees. This tiered approach continues throughout the entire organization up to the highest level. Information systems technicians and staff will also likely hold the highest level of security clearance within the company, since they may be required to service any station. The policy may include a provision that when an IT professional is working on a system above the supervisory level, access must be verified by a supervisor or another officer.
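The tiered access model described above can be expressed as a deny-by-default authorization check. The following is an added example written for this page, not code from the paper: the four named tiers, the `Principal`/`Resource` types and the rule that an IT technician working above the supervisory tier needs a supervisor or officer to verify the access are this example's own encoding of the policy, and the threshold choices are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Set

# Access tiers ordered from least to most privileged. The four-step ladder and
# its names are an assumption for this example; the paper only says access
# rises with position up to the highest level of the organization.
class Tier(IntEnum):
    LINE = 1
    SUPERVISOR = 2
    OFFICER = 3
    EXECUTIVE = 4


@dataclass
class Principal:
    name: str
    tier: Tier
    is_it_staff: bool = False
    # Resources granted outside the normal role because of a project
    # assignment (the paper's "assigned a project that requires it").
    project_grants: Set[str] = field(default_factory=set)


@dataclass
class Resource:
    name: str
    tier: Tier  # minimum tier normally required to access it


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(p: Principal, r: Resource,
              approver: Optional[Principal] = None) -> Decision:
    """Deny-by-default check for the tiered model.

    - A non-IT principal reaches a resource at or below their own tier, or one
      explicitly granted by project assignment.
    - IT staff may service any station, but for resources above the
      supervisory tier a distinct approver of supervisor rank or higher must
      verify the access (the paper's supervisor/officer verification clause).
    """
    if p.is_it_staff:
        if r.tier <= Tier.SUPERVISOR:
            return Decision(True, "IT staff: resource at or below supervisory tier")
        if approver is None:
            return Decision(False, "IT staff: access above supervisory tier needs verification")
        if approver.name == p.name:
            return Decision(False, "IT staff: cannot self-approve")
        if approver.tier < Tier.SUPERVISOR:
            return Decision(False, "IT staff: approver must be a supervisor or officer")
        return Decision(True, f"IT staff: verified by {approver.name}")

    if r.name in p.project_grants:
        return Decision(True, "project assignment grants access")
    if p.tier >= r.tier:
        return Decision(True, "tier sufficient")
    return Decision(False, f"tier {p.tier.name} below required {r.tier.name}")


if __name__ == "__main__":
    # Constructed sample principals and resources for a stand-alone run.
    alice = Principal("alice", Tier.LINE)
    bob = Principal("bob", Tier.SUPERVISOR)
    tech = Principal("tech", Tier.LINE, is_it_staff=True)
    board = Resource("board-minutes", Tier.EXECUTIVE)
    for who, approver in ((alice, None), (tech, None), (tech, bob)):
        d = authorize(who, board, approver)
        print(f"{who.name} -> {board.name}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The approver check deliberately requires a different person than the technician, so the verification step cannot be satisfied by the IT account itself; every denial carries a reason string so the decision can be logged for later review.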

One of the duties of the IT office will be to protect all company computers with the latest security software. Threats occur constantly across the globe, so attention must be paid to software updates, and the IT office must remain aware that some software designs are not updated frequently enough or may no longer be compatible with the company's hardware. Therefore, updates will be applied as soon as they become available — sometimes daily — and the software should be routinely checked at least once per week. Technicians will also continuously seek to upgrade the software as more appropriate programs become available. Since multiple detection systems exist, this plan requires multilayered antivirus protection that both seeks out threats and prevents intrusion using a variety of methods, including threat protection, identification of suspicious activity, and an advanced firewall installed on every computer.

The final issue to be addressed in the setup stage is ensuring that all employees know how to report a suspected problem with their system. Because there is a vast array of threats, it is not possible for the IT team to catch every incident even with constant monitoring. Employees are required to have any electronic medium brought in from outside the company — and capable of connecting to a company computer — inspected at the front desk. However, people sometimes become lax in their security and fail to report a website they have visited or a file they have used that has not been properly vetted. To address this, there will be a central call center accessible to employees at any time. Personnel will have the call center number attached to their PCs in a conspicuous place for immediate access. The system will also be capable of detecting when a specific employee's computer has been infected and identifying the type of infection, allowing a response to begin even if the employee has not noticed what has occurred.

A tiered response plan will be in place to address the different levels of attack. The first tier covers a low-level outbreak affecting only one computer or a small group of computers. The second tier addresses a company-wide breach that affects all computer systems but involves only low-security-level documents. The most critical tier involves a breach in which high-level sensitive material is at risk. The responses to each threat level are necessarily different.

Response: Tiered Threat Management

Although the lowest level of response concerns only a single computer or a small group, it is necessary to take immediate action after detection to prevent the problem from spreading across the network. This level will typically be detected by the antivirus software, but it may also be reported by an employee. The appropriate action is to isolate the affected computer or small group until the problem is resolved and the threat eradicated. IT will run a systems diagnostic to identify the malware, and then run the same diagnostic on the remainder of the network to confirm that the infection has not spread elsewhere.

The second level of response involves a larger number of computers — generally a system-wide issue that does not involve access to the most sensitive material. This response will likely be triggered when employees alert system administrators to a problem, or when multiple network red flags appear simultaneously. The most important step at this level is to test the entire system to determine the extent of the problem and stop it immediately. A full system shutdown may be considered, but this is not typically warranted until a level-three issue is confirmed. For this intermediate level, the core problem will generally center on a few computers that need to be taken offline for network maintenance.

The final level of response is by far the most serious and directly affects the continued, immediate functioning of the company. It is generally triggered by the system detecting a vulnerability in critical infrastructure. This will require a shutdown of at least some critical areas to ensure that the entire system is not compromised. This type of attack is also the most serious because it involves the most sensitive material the company possesses.
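The three response tiers above can be decided mechanically from the detections that arrive. The following is an added example for this page, not the paper's own procedure: it aggregates constructed detection events by host, picks the tier from the paper's two criteria (how many machines are affected, and whether sensitive material or critical infrastructure is involved), and emits the matching containment actions. The `Detection` record, the `sensitive` flag, the `SMALL_GROUP_MAX` threshold and the rule that two or more simultaneous network red flags escalate to tier 2 are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Detection:
    """One detection signal. `source` is one of the paper's three signals:
    antivirus, employee report, or a network red flag."""
    host: str
    source: str          # "antivirus" | "employee_report" | "network_flag"
    malware: str
    sensitive: bool = False  # host holds high-level material / critical infrastructure


# Upper bound for "one computer or a small group" (tier 1). Assumed value.
SMALL_GROUP_MAX = 3


@dataclass
class Triage:
    tier: int
    affected: Tuple[str, ...]
    actions: Tuple[str, ...]


def triage(events: Iterable[Detection],
           small_group_max: int = SMALL_GROUP_MAX) -> Triage:
    """Map a batch of detections to a response tier and its actions."""
    events = list(events)
    if not events:
        return Triage(0, (), ("no detections; nothing to do",))

    hosts = sorted({e.host for e in events})
    sensitive_hosts = sorted({e.host for e in events if e.sensitive})
    families = ", ".join(sorted({e.malware for e in events}))
    network_flags = sum(1 for e in events if e.source == "network_flag")

    if sensitive_hosts:
        # Tier 3: sensitive material at risk; shut down affected critical areas.
        tier = 3
        actions = (
            f"shut down critical areas hosting {', '.join(sensitive_hosts)}",
            "escalate: high-level sensitive material at risk",
            f"identify malware ({families}) and confirm scope across the network",
        )
    elif len(hosts) > small_group_max or network_flags >= 2:
        # Tier 2: system-wide but low-sensitivity; test the whole system,
        # take the core machines offline, no full shutdown yet.
        tier = 2
        actions = (
            "test the entire system to determine the extent of the problem",
            f"take {', '.join(hosts)} offline for network maintenance",
            "hold full shutdown unless a tier-3 condition is confirmed",
        )
    else:
        # Tier 1: isolate the small group, diagnose, then sweep the rest.
        tier = 1
        actions = (
            f"isolate {', '.join(hosts)} from the network",
            f"run diagnostic to identify malware ({families})",
            "run the same diagnostic on the remainder of the network",
        )
    return Triage(tier, tuple(hosts), actions)


# Constructed sample batch: one antivirus hit on a workstation.
SAMPLE = [Detection("ws-17", "antivirus", "Trojan.Generic")]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"tier {result.tier}, affected {result.affected}")
    for step in result.actions:
        print(" -", step)
```

The sensitivity check runs first so that a single compromised host holding sensitive material is never downgraded to a tier-1 response just because few machines are involved; tier 2 is reached either by host count or by several simultaneous network flags, matching the triggers the text names for that level.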

Recovery: Restoring System Integrity

Depending on the severity of the incident, recovery can be difficult. Some viruses detected in the recent past have completely shut down…

Analysis: Research Foundations of the Plan

Any malware incident response plan should be well-reasoned and include all of the elements necessary to completely recover the lost capability. Research has shown that there is a greater need every day…
Cite This Paper
PaperDue. (2026). Malware Incident Response Plan: Setup, Response, Recovery. PaperDue. https://www.paperdue.com/study-guide/malware-incident-response-plan-107296
