During an Incident Checklist


Overview

This guide is for the cybersecurity incident response team investigating an OU computer that has been involved in a cyber incident (for example, a malware infection or unauthorized access).

Incident Commander Checklist

  1. Review the Incident's Severity and Scope:  IT Security, Legal, and Operations teams must determine a cybersecurity incident's potential or realized impact.  See Assess Risk and Assign Impact.
    1. OU IT Security Operations will assign an Incident Commander who will be the primary point of contact for the duration of the response and recovery effort.  The Incident Commander's name and contact information will be provided to the IT reporter and other relevant parties, as needed.
    2. The Incident Commander conducts an initial assessment to determine the incident's potential or realized impact according to the Impact Matrix.
    3. The Incident Commander is responsible for increasing the span of control by activating additional groups when necessary.  The Cybersecurity Incident Response Team's activation will be based on the needs and scope of the incident.
    4. For critical or high-impact incidents, the Incident Commander, in conjunction with Legal and operational teams, must determine the incident's potential or realized impact according to the Impact Matrix.
  2. Invoke Attorney-Client Privilege as Relevant:  Legal should determine whether and how to invoke attorney-client privilege for internal actions as well as third parties or vendors, if relevant.  Legal should provide guidance on document markings, preferred methods of communications, evidence retention and requirements to limit participants in the investigation.
  3. Implement Out-of-Band Communications:  IT Security and Legal teams should identify communications channels to use if normal channels are down or teams suspect an attacker has compromised them. The solution should allow for notifications, conference bridges and document sharing separate from the organization’s network.  
  4. Set Operational Priorities:  The CSIRT must communicate operational priorities based on the business impact of the incident.  This can include financial, legal, reputational, and other specific forms of impact.
  5. Activate Third-Party Support:  The CSIRT should activate third-party support as necessary.  This may include external counsel, eDiscovery firms, third-party incident response providers, and ransom negotiators.
  6. Communicate with Leadership:  The CISO/CIO may need to notify executive leaders of a cybersecurity incident and depending on the severity, provide additional information or seek guidance in certain decisions.
  7. Oversee Regulatory and Contractual Compliance:  Legal, Compliance, and GRC teams should confirm that any actions taken during the incident satisfy regulatory or contractual requirements (e.g., notifications to impacted parties).
  8. Determine Whether to File an Insurance Claim:  The CSIRT should consult relevant stakeholders to review insurance coverage, decide whether and when to file a claim, and facilitate notification of the insurer.  The insurer may connect you with a breach coach or external counsel.
  9. Determine Whether to Involve Law Enforcement:  The CSIRT should decide whether to proactively involve law enforcement and, when necessary or useful, respond to inquiries and notifications from law enforcement agencies.
  10. Determine Whether to Preserve Evidence:  The CSIRT should decide whether to preserve evidence and if forensic analysis is required.
  11. Revisit the Incident Severity and Scope:  As new information becomes available, the CSIRT shall reassess each of the preceding tasks.
  12. Draft and Review Internal and External Communications:  The CSIRT should draft and review communications regarding the incident.  This includes communications for internal and external audiences (e.g., employees, partners, the public, media, customers, etc.).  See Communications Playbook.


Impact Matrix

Impact level and description:

Low

  • Minor delay in access to system or data (less than 24 hours)
  • Impacts less than 500 patient records
  • Minor delay in processing payment cards
  • Physical tampering with, loss of, or theft of a POI device
  • Impacts less than 999 identifiable records
  • Impacts a single user or department.

Medium

  • Loss of access to system or data (more than 1 day)
  • Cancellation of class for one day
  • Impacts 1,000 - 4,999 identifiable records
  • Impacts multiple users or departments.

High

  • Loss of access to system or data (more than 3 days)
  • Cancellation of classes for more than 3 days
  • Impacts 5,000 - 9,999 identifiable records
  • Impacts multiple departments or entire campus.
  • May require recovery in an alternate site environment.

Critical

  • Loss of access to system or data (more than 5 days)
  • Cancellation of multiple classes for more than one day
  • Impacts more than 1 PCI record
  • Impacts more than 1 CUI or Export-Controlled record or system
  • Impacts greater than 500 patient records
  • Impacts greater than 10,000 identifiable records
  • Impacts more than one campus.
  • Will result in a cybersecurity insurance policy claim and/or notice to regulatory body.
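The Impact Matrix is a decision rule: an incident is rated at the highest level of any row it matches, which is what the Incident Commander's initial assessment (step 1.2 above) and the later reassessment (step 11) both apply. The following Python is an added example, not part of this checklist, that encodes the matrix so a triage note can be produced consistently from the facts known so far. The field names (Incident, classify, scope values such as "campus") are my own. Where the matrix leaves a boundary unstated (exactly 24 hours of lost access, exactly 1,000 or 10,000 identifiable records, exactly 500 patient records, a single PCI or CUI record), the code rounds up to the higher level; that is my assumption, not something the matrix says.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordered from least to most severe; index is used to pick the maximum.
LEVELS = ("Low", "Medium", "High", "Critical")

# Scope wording from the matrix mapped to a level (names are assumed).
SCOPE_LEVEL = {
    "single": "Low",            # single user or department
    "multiple": "Medium",       # multiple users or departments
    "campus": "High",           # multiple departments or entire campus
    "multi_campus": "Critical", # more than one campus
}


@dataclass
class Incident:
    """Facts known about the incident so far (field names are assumptions)."""
    access_loss_days: float = 0.0         # duration of lost or delayed access
    class_cancellation_days: int = 0
    classes_cancelled: int = 0
    payment_card_delay: bool = False
    poi_device_tampered: bool = False     # tampered, lost or stolen POI device
    identifiable_records: int = 0
    patient_records: int = 0
    pci_records: int = 0
    cui_records: int = 0                  # CUI or export-controlled records/systems
    scope: str = "single"
    alternate_site_recovery: bool = False
    claim_or_regulatory_notice: bool = False


def matching_rows(inc: Incident) -> List[Tuple[str, str]]:
    """Return every (level, reason) row of the Impact Matrix the incident matches."""
    hits: List[Tuple[str, str]] = []

    # Loss of access: <24h Low, >1 day Medium, >3 days High, >5 days Critical.
    # Exactly 24 hours is not covered by the matrix; assumed to round up to Medium.
    d = inc.access_loss_days
    if d > 5:
        hits.append(("Critical", f"loss of access for {d} days (more than 5)"))
    elif d > 3:
        hits.append(("High", f"loss of access for {d} days (more than 3)"))
    elif d >= 1:
        hits.append(("Medium", f"loss of access for {d} days (more than 1)"))
    elif d > 0:
        hits.append(("Low", f"access delayed {d} days (less than 24 hours)"))

    # Class cancellations: one day Medium, >3 days High,
    # multiple classes for more than one day Critical.
    days, count = inc.class_cancellation_days, inc.classes_cancelled
    if count > 1 and days > 1:
        hits.append(("Critical", "multiple classes cancelled for more than one day"))
    elif days > 3:
        hits.append(("High", f"classes cancelled for {days} days (more than 3)"))
    elif days >= 1:
        hits.append(("Medium", "class cancelled for one day"))

    if inc.payment_card_delay:
        hits.append(("Low", "minor delay in processing payment cards"))
    if inc.poi_device_tampered:
        hits.append(("Low", "tampered, lost or stolen POI device"))

    # Identifiable records: <999 Low, 1,000-4,999 Medium, 5,000-9,999 High,
    # >10,000 Critical. The 999/1,000 and 10,000 boundaries are assumed.
    r = inc.identifiable_records
    if r >= 10_000:
        hits.append(("Critical", f"{r} identifiable records (more than 10,000)"))
    elif r >= 5_000:
        hits.append(("High", f"{r} identifiable records (5,000 - 9,999)"))
    elif r >= 1_000:
        hits.append(("Medium", f"{r} identifiable records (1,000 - 4,999)"))
    elif r > 0:
        hits.append(("Low", f"{r} identifiable records (less than 999)"))

    # Patient records: <500 Low, >500 Critical; exactly 500 assumed Critical.
    p = inc.patient_records
    if p >= 500:
        hits.append(("Critical", f"{p} patient records (more than 500)"))
    elif p > 0:
        hits.append(("Low", f"{p} patient records (less than 500)"))

    # Assumption: any PCI or CUI record is treated as Critical.
    if inc.pci_records >= 1:
        hits.append(("Critical", f"{inc.pci_records} PCI record(s)"))
    if inc.cui_records >= 1:
        hits.append(("Critical", f"{inc.cui_records} CUI or export-controlled record(s)/system(s)"))

    if inc.scope not in SCOPE_LEVEL:
        raise ValueError(f"unknown scope {inc.scope!r}; expected one of {sorted(SCOPE_LEVEL)}")
    hits.append((SCOPE_LEVEL[inc.scope], f"scope: {inc.scope}"))

    if inc.alternate_site_recovery:
        hits.append(("High", "may require recovery in an alternate site environment"))
    if inc.claim_or_regulatory_notice:
        hits.append(("Critical", "insurance claim and/or notice to regulatory body"))
    return hits


def classify(inc: Incident) -> Tuple[str, List[str]]:
    """Highest matching level plus the reasons that put the incident there."""
    hits = matching_rows(inc)
    top = max(hits, key=lambda h: LEVELS.index(h[0]))[0]
    return top, [why for lvl, why in hits if lvl == top]


if __name__ == "__main__":
    # Constructed sample: a two-day outage plus a 7,000-record exposure across campus.
    sample = Incident(access_loss_days=2, identifiable_records=7_000, scope="campus")
    level, reasons = classify(sample)
    print(f"Impact: {level}")
    for why in reasons:
        print(f"  - {why}")
```

Because every matching row is kept, the returned reasons double as the justification line for the Incident Commander's assessment and make it obvious which single fact (for example, one PCI record) is driving a Critical rating when everything else looks Low.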