Incident response checklist
The first steps after a cybersecurity incident has been discovered.
First steps when a cybersecurity incident is identified
- Isolate the affected system
Immediately disconnect the affected system from the network to limit the spread of the incident. Do not switch the system off, as doing so can destroy essential evidence.
- Record initial information
Document the date and time the incident was detected, the person who noticed it, and any visible signs, error messages or other observed anomalies.
- Preserve evidence
Ensure that digital evidence is preserved, e.g. create a disk image and save log files, screenshots and other incident-related information.
- Inform responsible persons
Immediately inform the responsible IT personnel, the organisation's management and, if necessary, the data protection officer.
- Assess the impact on personal data
Where an incident may involve a personal data breach, assess whether it must be reported to the Data State Inspectorate. According to Article 33 of the GDPR, notification must be made no later than 72 hours after the breach has been established.
- Perform post-incident analysis
After the incident, prepare an incident assessment, identify the causes, document the lessons learned and implement improvements to reduce the risk of similar incidents recurring.
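The recording, evidence and notification steps above can be captured in one machine-readable record. The following Python sketch is an added example, not part of the original checklist: it stores the initial information, hashes each evidence file with SHA-256 so later changes are detectable, and derives the 72-hour notification deadline. The function names, field names and sample file are assumptions made for illustration.

```python
import hashlib, json, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

GDPR_WINDOW = timedelta(hours=72)  # Article 33 GDPR deadline cited in the checklist

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            h.update(block)
    return h.hexdigest()

def build_record(detected_at, noticed_by, signs, evidence, breach_established_at=None):
    """Record the initial information, hash each evidence file, derive the deadline."""
    for ts in (detected_at, breach_established_at):
        if ts is not None and ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
    utc = lambda ts: ts.astimezone(timezone.utc).isoformat()
    return {
        "detected_at": utc(detected_at),
        "noticed_by": noticed_by,
        "signs": list(signs),
        # Keyed by file name; assumes evidence files have distinct base names.
        "evidence": {Path(p).name: sha256_file(p) for p in evidence},
        # Only set once a personal data breach has been established.
        "gdpr_notify_by": utc(breach_established_at + GDPR_WINDOW)
                          if breach_established_at else None,
    }

def changed_evidence(record, directory):
    """Return names of evidence files that are missing or no longer match their hash."""
    bad = []
    for name, digest in record["evidence"].items():
        path = Path(directory) / name
        if not path.is_file() or sha256_file(path) != digest:
            bad.append(name)
    return sorted(bad)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "auth.log"  # constructed sample evidence, not real data
        log.write_text("constructed sample: 3 failed logins for user admin\n")
        when = datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)
        rec = build_record(when, "helpdesk operator", ["unexpected reboots"], [log], when)
        print(json.dumps(rec, indent=2))
        print("changed:", changed_evidence(rec, d))
```

Store the resulting record separately from the evidence itself, so that a later call to changed_evidence() checks the copies against hashes that could not have been altered along with them.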