Checklist

Incident response checklist

The first steps to take after a cybersecurity incident is discovered.

First steps when a cybersecurity incident is identified

  1. Isolate the affected system
    Immediately disconnect the affected system from the network to limit the spread of the incident. The system should not be switched off, as this can destroy essential evidence.
  2. Record initial information
    Document the date and time the incident was detected, the person who noticed it, and any visible signs, error messages or other observed anomalies.
  3. Preserve evidence
    Ensure that digital evidence is preserved, e.g. create a disk image and save log files, screenshots and other incident-related information.
  4. Inform responsible persons
    Immediately inform the responsible IT personnel, the organisation's management and, if necessary, the data protection officer.
  5. Assess the impact on personal data
    Where an incident may involve a personal data breach, the obligation to report to the Data State Inspectorate should be assessed. According to Article 33 of the GDPR, notification must be made no later than 72 hours after the breach has been established.
  6. Perform post-incident analysis
    After the incident, prepare an incident assessment, identify the causes, document the lessons learned and implement improvements to reduce the risk of similar incidents recurring.
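Steps 2, 3 and 5 can be captured in one incident record. The following is an added example, not part of the original checklist: it records the initial facts, hashes every collected evidence file so later changes are detectable, and derives the 72-hour notification deadline. The function names, the record fields and the sample data are assumptions made for illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

NOTIFY_WINDOW = timedelta(hours=72)  # GDPR Article 33 window quoted in step 5

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_record(detected_at, reported_by, observations, evidence_dir, personal_data):
    """Steps 2, 3 and 5: initial facts, evidence hashes, notification deadline."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    root = Path(evidence_dir)
    evidence = [
        {"file": p.relative_to(root).as_posix(), "bytes": p.stat().st_size,
         "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    ]
    # Assumption: the breach counts as established at the moment of detection.
    deadline = (detected_at + NOTIFY_WINDOW).astimezone(timezone.utc)
    return {"detected_at": detected_at.astimezone(timezone.utc).isoformat(),
            "reported_by": reported_by, "observations": observations,
            "evidence": evidence,
            "notify_by": deadline.isoformat() if personal_data else None}

def changed_files(record, evidence_dir):
    """Return recorded files that are now missing or hash differently."""
    root = Path(evidence_dir)
    return [e["file"] for e in record["evidence"]
            if not (root / e["file"]).is_file()
            or sha256_file(root / e["file"]) != e["sha256"]]

def demo():
    """Constructed sample: one log file in a temporary evidence folder."""
    with tempfile.TemporaryDirectory() as folder:
        log = Path(folder) / "auth.log"
        log.write_text("constructed sample: repeated failed logins\n")
        when = datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)  # constructed
        rec = build_record(when, "J. Doe", ["error on login screen"], folder, True)
        intact = changed_files(rec, folder)
        log.write_text("modified after collection\n")
        return rec, intact, changed_files(rec, folder)
```

Store the resulting record separately from the evidence folder, so that a change to the evidence cannot also change the hashes it is checked against.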