An information security incident

A total data recovery failure

A backup server breach

A power failure in the server room

It must be reported to the appropriate person (probably the CSIRT team leader)

Whoever discovers the incident must perform an initial assessment of the event

Switch off the servers so that no more breaches can take place

Ignore it and hope it goes away

Whether an actual incident has taken place at all

How to minimise the risk

Who is going to be responsible for performing the incident response

Whether or not it is an internal security breach

Type of attack

Severity of attack

How much it will cost to resolve the incident

Whether or not to inform the police

Protecting people’s safety

Protecting sensitive data

Minimising disruption to computing resources

Ensuring that no-one knows that an incident has taken place

The nature of the attack

The origin of the attack

The intent of the attack

What systems & files were compromised

How much it will cost to resolve the incident

To be used as evidence

For data recovery

In case the evidence has been tampered with

Checks on data inconsistency