The Security Incident Response Plan

Many companies are in the same situation as International Produce: they had no plan in place for handling incidents that affect the confidentiality, integrity or availability (CIA) of their systems. International Produce has no regulatory requirement that would make incident response planning a priority, but the company must also understand that incident response is not a stand-alone activity; it rests on a foundation of policies and on the ability to determine correctly what an incident is and when it occurred. As Johnson puts it, "The purpose of security incident response is to bring together the necessary resources in an organized manner to address an adverse event known as an 'incident' related to the security and/or security of the information system. The security incident response process focuses on preparation, detection and analysis, containment, investigation, cleanup, recovery, and post-incident activities surrounding that incident" (Johnson, 2013). Planning and preparation must happen before an incident, but for International Produce it is too late: the increase in network traffic was not seen as a problem until someone noticed that the traffic was not flowing from Mongolia to Boston but from Boston to Mongolia, the direction that suggests data leaving the company rather than arriving. Given this, an incident response consultant should help review the resources available to resolve the incident, organize the steps needed to assess the situation properly, and limit the company's legal exposure from the theft of its intellectual property.

First, company practice called for a cyber incident response team (CIRT) to ensure that the capacity exists to support users in the event of a security [...] ...ken offline and physical disks stored correctly, but time is also essential for collection procedures.
Another factor in forensics is evidence preservation: the CIRT should establish a chain of custody that documents who held each item of evidence from discovery to presentation in court. Additional evidence such as firewall, IDS and packet-capture (sniffer) logs is useful, and all systems should synchronize their clocks with Network Time Protocol or another authoritative time source so that timestamps from different hosts can be correlated. Accountability is the foundation of incident response and forensic analysis, and logging is how full accountability is ensured when an incident occurs. The main protection for logs is file-system permissions: the log-writing process should only be able to append, and administrators should only be able to read. Other approaches include write-once media (WORM), such as CD-ROMs, or sending log entries to a printer.
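The chain-of-custody and tamper-resistant logging points above can be combined in a small evidence register. The following is an added example written for this page, not code from the paper or from any named tool: it hashes a collected evidence image, records each custody event with a UTC timestamp, and links every event to the previous one with a hash so that editing or deleting an earlier entry breaks every later link. The actor names, the image filename and the image contents are constructed for the demonstration.

```python
"""Added example: hash-verified evidence record with a hash-chained custody log.

Assumptions (not from the paper): evidence is a single file on disk, actors are
free-text strings, and timestamps are ISO 8601 in UTC. In practice the register
itself would also live on append-only or WORM storage.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash the evidence file in 1 MiB chunks so large disk images are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(prev_link: str, entry: dict) -> str:
    # Each custody event commits to the previous link (or the evidence hash for
    # the first event), so the chain is only valid if nothing before it changed.
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_link.encode() + payload).hexdigest()


def add_event(record: dict, actor: str, action: str, note: str) -> dict:
    """Append one custody event and link it to the chain."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "note": note,
    }
    prev_link = record["events"][-1]["link"] if record["events"] else record["sha256"]
    entry["link"] = _entry_hash(prev_link, entry)
    record["events"].append(entry)
    return entry


def start_custody(path: str, collector: str, note: str) -> dict:
    """Create the register for one evidence item at the moment of collection."""
    record = {
        "evidence": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "events": [],
    }
    add_event(record, collector, "collected", note)
    return record


def verify_evidence(record: dict, path: str) -> bool:
    """Re-hash the evidence and compare with the value recorded at collection."""
    return os.path.getsize(path) == record["size"] and sha256_file(path) == record["sha256"]


def verify_chain(record: dict) -> bool:
    """Recompute every link; any edited, removed or reordered event fails here."""
    prev_link = record["sha256"]
    for ev in record["events"]:
        body = {k: v for k, v in ev.items() if k != "link"}
        if _entry_hash(prev_link, body) != ev["link"]:
            return False
        prev_link = ev["link"]
    return True


def demo() -> dict:
    """Walk through collection, two transfers, and two kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a disk image taken from a server that was taken offline.
        img = os.path.join(d, "web01-sda.img")
        with open(img, "wb") as f:
            f.write(b"constructed sample disk image bytes\n" * 1000)

        rec = start_custody(img, "j.doe (CIRT)", "imaged via write blocker, server offline")
        add_event(rec, "j.doe (CIRT)", "transfer", "handed to evidence custodian")
        add_event(rec, "evidence custodian", "stored", "locked in evidence safe")
        intact = verify_evidence(rec, img) and verify_chain(rec)

        # Tamper with the evidence itself: one appended byte changes the hash.
        with open(img, "ab") as f:
            f.write(b"x")
        evidence_ok_after_tamper = verify_evidence(rec, img)

        # Tamper with the custody log: rewrite who performed the transfer.
        rec["events"][1]["actor"] = "unknown"
        chain_ok_after_tamper = verify_chain(rec)

    return {
        "intact": intact,
        "evidence_ok_after_tamper": evidence_ok_after_tamper,
        "chain_ok_after_tamper": chain_ok_after_tamper,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The register only proves that the file and the log are unchanged since collection; it does not by itself prove who made the image or when. That is why the first event should be written by the collector at the time of imaging, with the host clock synchronized as the paper recommends, and why the register should be copied to storage the log-writing process can append to but nobody can rewrite.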