During an Incident Checklist

Tags incident

Overview

This guide is for the cybersecurity incident response team who is investigating an OU computer which has been involved in a cyber incident (for example, a malware infection or unauthorized access).   

Incident Commander Checklist

  1. Review the Incident’s Severity and Scope:  IT Security, Legal and Operations teams must determine a cybersecurity incident’s potential or realized impact.  See Assess Risk and Assign Impact.
    1. OU IT Security Operations will assign an Incident Commander who will be the primary point of contact for the duration of the response and recovery effort.  The Incident Commander’s name and contact information will be provided to the IT reporter and other relevant parties, as needed.
    2. The Incident Commander conducts an initial assessment to determine the incident’s potential or realized impact according to the Impact Matrix. 
    3. The Incident Commander is responsible for increasing the span of control activating groups when necessary.  The Cybersecurity Incident Response Team’s activation will be based on the needs and scope of the incident. 
    4. For critical or high-impact Incidents, the Incident Commander, in conjunction with Legal, and operational teams must determine the incident’s potential or realized impact according to the Impact Matrix. 
  2. Invoke Attorney-Client Privilege as Relevant:  Legal should determine whether and how to invoke attorney-client privilege for internal actions as well as third parties or vendors, if relevant.  Legal should provide guidance on document markings, preferred methods of communications, evidence retention and requirements to limit participants in the investigation.
  3. Implement Out-of-Band Communications:  IT Security and Legal teams should identify communications channels to use if normal channels are down or teams suspect an attacker has compromised them. The solution should allow for notifications, conference bridges and document sharing separate from the organization’s network.  
  4. Set Operational Priorities:  The CSIRT must communicate operational priorities based on the business impact of the incident.  This can include financial, legal, reputational, and other specific forms of impact.
  5. Activate Third-Party Support:  The CSIRT should activate third-party support as necessary.This may include external counsel, eDiscovery firms, third-party incident response providers and ransom negotiators.
  6. Communicate with Leadership:  The CISO/CIO may need to notify executive leaders of a cybersecurity incident and depending on the severity, provide additional information or seek guidance in certain decisions.
  7. Oversee Regulatory and Contractual Compliance:  Legal, Compliance, and GRC teams should confirm that any actions taken during the incident satisfy regulatory or contractual requirements (e.g., notifications to impacted parties).
  8. Determine Whether to File an Insurance Claim:  The CSIRT should consult relevant stakeholders to review insurance coverage, decide whether and when to file a claim, and facilitate notification of the insurer.The insurer may connect you with a breach coach or external counsel.
  9. Determine Whether to Involve Law Enforcement:  The CSIRT should decide whether to proactively involve law enforcement and, when necessary or useful, respond to inquiries and notifications from law enforcement agencies.
  10. Determine Whether to Preserve Evidence:  The CSIRT should decide whether to preserve evidence and if forensic analysis is required.
  11. Revisit the Incident Severity and Scope:  As new information becomes available, the CSIRT shall reassess each of the preceding tasks.
  12. Draft and Review Internal and External Communications:  The CSIRT should draft and review communications regarding the incident.  This includes communications for internal and external audiences (e.g., employees, partners, the public, media, customers, etc.).  See Communications Playbook.

 

Impact Matrix

Impact

Description

Low
  • Minor delay in access to system or data (less than 24 hours)
  • Impacts less than 500 patient records
  • Minor delay in processing payment cards
  • Physical Tampering, lost, or stolen POI device
  • Impacts less than 999 identifiable records
  • Impacts a single user or department.

Medium
  • Loss of access to system or data (more than 1 day)
  • Cancellation of class for one day
  • Impacts 1,000 - 4,999 identifiable records
  • Impacts multiple users or departments.

High
  • Loss of access to system or data (more than 3 days)
  • Cancellation of classes for more then 3 days
  • Impacts 5,000 - 9,999 identifiable records
  • Impacts multiple departments or entire campus.
  • May require recovery in an alternate site environment.

Critical
  • Loss of access to system or data (more than 5 days)
  • Cancellation of multiple classes for more than one day
  • Impacts more than 1 PCI record
  • Impacts more than 1 CUI or Export-Controlled record or system
  • Impacts greater than 500 patient records
  • Impacts greater than 10,000 identifiable records
  • Impacts more than one campus.
  • Will result in a cybersecurity insurance policy claim and/or notice to regulatory body.
Print Article

Related Articles (1)

Cybersecurity Incident Response Plan
This Cybersecurity Incident Response Plan establishes the procedures for identifying, reporting, and responding to a cybersecurity event. It establishes the basic language to discuss such events, identifies roles and responsibilities involved in responding to and recovering from these events, and provides a playbook for handling these events from the time an event is detected to the post incident report and event closing.