Incident Response is pretty much the same, however the first few hours can be vital and only high priority actions can save the situation. Since this is a Security Breach, it is of highest priority and must be treated at highest escalation level.


Checklist To Respond To A Security Breach (first 24 hours)

1. Contain/Isolate Data Loss

Containment is a fundamental step to Incident Response to limit the loss to a minimum by barring the Attacks. Do whatever it takes like isolate the system, bring it down (if necessary), check the status of other critical systems. Isolate the affected assets and try to resume operations asap.

2. Quickly assess the business impact

Assess the impact immediately. This is critical while reporting to the stake holder as well as create an appropriate strategy for response.

3. Notify the Incident Response Team & Forensic Team

Since it is of highest escalation level, the Incident Response Team must be immediately notified. Following steps will be taken with their advice.

( Read more:
Security Metrics and Dashboard for the CEO / Board )

4. Notify legal advisory team & communication team

Advisory Team includes the Legal, Auditing Teams who can advise on how to recover best and the legal complications. All actions taken, including that of forensic team must be consulted with the Advisory Team.

Communication Team will communicate with the external world-employees,media,customers etc. about the Security Breach only if deemed necessary. Alerting employees can help reduce chaos and uninformed customer interactions.

5. Guard the Incident site for forensic proof protection

Documenting the scenario as it is found is absolute necessary. Systems must run as during the incident discovery, no change of state should take place. Also, outsiders including other employees must be prevented from entering the area. Only authorized persons (Forensic Experts/Incident Response Team) must be allowed. First few minutes can be critical to preserve data to track attacks eg. Volatile data.

6. Document and Interview People, Log Review

Document all details of Response Efforts and Breach Discovery. Also, retrieve data as much as possible from the resources available by interviewing the people concerned. Often Network admins and engineers might have a few anomalies to point out.

Logs are the second resource. Detailed review to check for all anomalies like unauthorized access can be a great indicator of scope of damage, assets involved etc.

7. Notify Customers if necessary

In case the data loss is customer data and sensitive in nature eg. Personally Identifiable Information, the customers must be informed in allocated time. This should be only after consulting Directors, Legal Advisers etc.

8. Notify the CEO if it is a critical breach

In case the data loss is customer data and sensitive in nature eg. Personally Identifiable Information, the CEO should be informed. Make sure to also put together a quick note on how the organization is planning to respond to the breach including the current impact and future impact on business. 

( Read more:
Security Technology Implementation Report- Annual CISO Survey )

Post 24 Hours: Ask yourself..

  • Has complete recovery happened?
  • Why did the breach happen?
  • What are the preventive measures for future?
  • Are all the customers safe now?
  • What are the current drawbacks in your Incident Response?

More:  Join the community of 3000+ Chief Information Security Officers.  Click here

Download A Detailed Incident Management Plan :

This is a community contribution. You can download the detailed Incident Management Plan ? You can download it here


E-mail me when people leave their comments –

CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

RSAC Meetup Banner

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)