What is a CJIS security incident and how do you spot one?
WHAT IS A SECURITY INCIDENT?
A security incident is any violation of the CJIS Security Policy that threatens the confidentiality, integrity, or availability of Criminal Justice Information (CJI). As IAI investigators with access to sensitive case data, you are on the front line of protecting this information.
⚠️ Important: Security incidents are not always obvious. In many cases you will only see indicators — warning signs that something may be wrong.
INCIDENT INDICATORS — KNOW WHAT TO LOOK FOR
New user accounts created without following standard procedures
Sudden high activity on an inactive or low-activity account
Unexpected data changes or removal of data
New files with unusual names appearing on your device
Unexplained poor system performance or system crashes
Denial of service — being locked out of a system you normally access
Suspicious browsing history on a work device
💡 IAI Context: This applies to the CMS, Business Suite, and any device used to access case files or attorney communications. If something looks wrong — report it to Dr. Walwyn immediately.
📋 SECTION 1 KNOWLEDGE CHECK
QUESTION 1
A security incident is defined as any violation that threatens which three properties of CJI?
A. Speed, accuracy, and accessibility
B. Confidentiality, integrity, and availability
C. Privacy, security, and compliance
D. Authentication, authorization, and auditing
✓ Correct! Confidentiality, integrity, and availability are the three core properties protected by CJIS policy.
✗ The correct answer is B — Confidentiality, integrity, and availability.
QUESTION 2
You notice the IAI CMS is running slowly and a case file you did not edit shows a new modification timestamp. What should you do?
A. Treat it as a potential incident and report to Dr. Walwyn immediately
B. Restart your computer and see if it fixes itself
C. Ignore it — slow performance is normal
D. Delete the modified file to prevent further damage
✓ Correct! Both symptoms are incident indicators. Always report — never ignore or attempt to fix it yourself.
✗ The correct answer is A. Both symptoms are incident indicators and must be reported immediately.
SECTION 2 OF 4
Incident Response Policy & Training Requirements
Policy requirements, training obligations, and your role
SECURITY INCIDENT POLICY
Agencies must develop and maintain an incident response policy, reviewing it annually and after any security incident involving unauthorized access to CJI. All personnel with access to unencrypted CJI must be informed of this policy.
TRAINING REQUIREMENTS BY ROLE
Role | Training Required
Average User (Earl, Ty, A.D.) | Must know how to recognize an incident and who to contact
System Administrator (Dr. Walwyn) | Additional training on how to handle and manage incidents
Incident Responder (Dr. Walwyn / IAI lead) | Forensics, data collection, reporting, and system recovery
📌 Your obligation: Complete this training before accessing the CMS or any case data. Retrain annually.
📋 SECTION 2 KNOWLEDGE CHECK
QUESTION 3
How often must the incident response policy be reviewed at a minimum?
A. Every 5 years
B. Annually and after any security incident
C. Only when there is an incident
D. Every 6 months
✓ Correct! The policy must be reviewed annually AND after any security incident.
✗ The correct answer is B — annually and after any security incident.
QUESTION 4
As an IAI investigator (Average User), what is your primary training requirement?
A. Know how to recognize an incident and who to contact
B. Perform forensic analysis on affected systems
C. Restore all affected systems to normal operation
D. Rewrite the incident response policy
✓ Correct! Average Users must recognize incidents and report them — not handle them independently.
✗ The correct answer is A. Recognize incidents and report to Dr. Walwyn — do not attempt to handle them yourself.
SECTION 3 OF 4
The Four Phases of Incident Handling
The lifecycle of responding to a security incident
INCIDENT RESPONSE LIFECYCLE
PHASE 1
⚙️ Preparation
Training the team and obtaining tools needed to respond to incidents.
PHASE 2
🔍 Detection & Analysis
Identify the attack method and assess impact on systems and personnel.
PHASE 3
🛡️ Containment & Recovery
Control the attack, remove threats, and restore systems to normal.
PHASE 4
📝 Post-Incident Review
Review what happened and apply lessons learned to improve future response.
🔁 Annual Testing Required: Incident response capability must be tested annually using tabletop exercises or simulations.
📋 SECTION 3 KNOWLEDGE CHECK
QUESTION 5
Which phase focuses on controlling attacks and minimizing damage?
A. Preparation
B. Detection and Analysis
C. Containment, Eradication, & Recovery
D. Post-Incident Activity
✓ Correct! Phase 3 controls the attack, removes threats, and restores normal operations.
✗ The correct answer is C — Containment, Eradication, and Recovery.
QUESTION 6
What is the purpose of Post-Incident Activity?
A. Immediately shut down all affected systems
B. Review what happened and improve future response procedures
C. Notify the media about the breach
D. Assign blame to responsible parties
✓ Correct! The goal is to learn from the incident and improve future response — not assign blame.
✗ The correct answer is B — learn from the incident and improve future response procedures.
SECTION 4 OF 4
Reporting Security Events
Who to tell, when to tell them, and what to include
REPORTING REQUIREMENTS
Report any incidents or unusual activity to your agency contact immediately. At IAI, that means contacting Dr. Walwyn without delay.
🚨 All personnel must report any suspected incident, regardless of how minor it seems. When in doubt — report it.
WHAT TO INCLUDE IN YOUR REPORT
📅 Date of Incident
📍 Location of Incident
💻 Systems Affected
🔎 Method of Detection
📝 Description of Incident
⚡ Actions Taken / Resolution
📞 Your Contact Information
✅ IAI Reporting Chain: You → Dr. Walwyn (admin@iahotx.com) → CJIS Systems Officer → State Identification Bureau.
📋 SECTION 4 KNOWLEDGE CHECK
QUESTION 7
At IAI, if you suspect a security incident, who should you contact first?
A. The attorney on the affected case
B. Dr. Walwyn immediately
C. The CJIS Systems Officer directly
D. No one — try to fix it yourself first
✓ Correct! Dr. Walwyn is your first contact. He will escalate appropriately through the reporting chain.
✗ The correct answer is B. Always report to Dr. Walwyn first — never skip the chain of command.
QUESTION 8
Which best describes what to include in a Security Incident Report?
A. Date and location only
B. Systems affected and detection method only
C. Description and actions taken only
D. All fields — date, location, systems, detection, description, actions, and contact info
✓ Correct! A complete report includes all required fields — a partial report may delay proper response.
✗ The correct answer is D. A complete report includes ALL required fields.
QUESTION 9
You notice something unusual but you're not sure if it's a security incident. What should you do?
A. Report it anyway — all personnel must report suspected incidents regardless of severity
B. Wait and see if it gets worse before reporting
C. Only report if you are 100% certain it is an incident
D. Ask a coworker if they noticed anything first
✓ Correct! Always report suspected incidents. It is better to report and be wrong than to stay silent.
✗ The correct answer is A. Report any suspected incident immediately — do not wait or second-guess yourself.
✅ TRAINING COMPLETE
You have completed the IAI CJIS Incident Response Training.