Cybersecurity Incident Response — Education & Training Edition
A procedure for detecting, responding to, containing, and recovering from cybersecurity incidents to minimise damage and restore normal operations.
Purpose
To provide a structured and rapid response to cybersecurity incidents that protects organisational data and systems, limits the impact of security breaches, and ensures compliance with reporting obligations.
Scope
Covers all cybersecurity incidents including malware infections, unauthorised access, data breaches, phishing attacks, denial-of-service attacks, and any other events that compromise the security of IT systems or data.
Prerequisites
- Approved incident response plan with defined severity levels and escalation paths
- Incident response team with assigned roles and contact details
- Security monitoring tools and threat detection systems in place
- Communication templates and stakeholder notification procedures
Supports compliance with the ESOS framework, CRICOS requirements, ASQA standards, and state education department reporting.
Step-by-Step Procedure
Detect and Identify the Incident
Detect the security incident through monitoring systems, user reports, or threat intelligence, and confirm that a genuine security incident has occurred.
- 1.1 Review security alerts from monitoring and detection systems
- 1.2 Gather initial information about the nature and scope of the incident
- 1.3 Classify the incident severity based on the incident classification matrix
- 1.4 Document the exact time of detection and all initial observations
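An added example, not part of the original procedure, of what steps 1.1 to 1.4 look like when done in code rather than by hand: it runs a simple credential-attack detection over constructed SSH auth-log lines, applies a hypothetical incident classification matrix (successful login to a privileged account is Critical, any successful login is High, failures only is Medium), and emits an incident record that captures the first observed event, the detection time and the initial observations. The log lines, the five-failure threshold and the matrix are all assumptions for illustration.

```python
"""Detect a brute-force / password-spray pattern in constructed auth-log lines,
classify severity against a hypothetical matrix, and record detection details.
Added example for this procedure; not the organisation's own tooling."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample syslog-style sshd lines (not real data).
SAMPLE_LOG = """\
2024-03-04T09:14:02Z srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-04T09:14:03Z srv1 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2
2024-03-04T09:14:05Z srv1 sshd[2205]: Failed password for root from 203.0.113.7 port 51130 ssh2
2024-03-04T09:14:06Z srv1 sshd[2207]: Failed password for root from 203.0.113.7 port 51131 ssh2
2024-03-04T09:14:09Z srv1 sshd[2209]: Failed password for root from 203.0.113.7 port 51133 ssh2
2024-03-04T09:14:11Z srv1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51135 ssh2
2024-03-04T09:15:40Z srv1 sshd[2250]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

FAILURE_THRESHOLD = 5            # assumption: the hypothetical detection rule's threshold
PRIVILEGED = {"root", "admin"}   # assumption: accounts the matrix treats as privileged


def classify(succeeded, privileged):
    """Hypothetical incident classification matrix (step 1.3)."""
    if succeeded and privileged:
        return "Critical"
    if succeeded:
        return "High"
    return "Medium"


def parse(log_text):
    """Parse matching sshd lines into dicts with a UTC datetime."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(ev)
    return events


def detect(log_text):
    """Return one incident record per source IP that exceeds the failure threshold."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev["ip"]].append(ev)

    incidents = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        if len(failures) < FAILURE_THRESHOLD:
            continue
        successes = [e for e in evs if e["result"] == "Accepted"]
        privileged_hit = any(e["user"] in PRIVILEGED for e in successes)
        incidents.append({
            "source_ip": ip,
            "hosts": sorted({e["host"] for e in evs}),
            "failed_attempts": len(failures),
            "targeted_accounts": sorted({e["user"] for e in failures}),
            "compromised_accounts": sorted({e["user"] for e in successes}),
            "severity": classify(bool(successes), privileged_hit),
            "first_observed": min(e["ts"] for e in failures).isoformat(),
            # Step 1.4: the exact time of detection, recorded when the rule fires.
            "detected_at": datetime.now(timezone.utc).isoformat(),
        })
    return incidents


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

The record deliberately separates `first_observed` (when the attacker started) from `detected_at` (when the team noticed), because the gap between the two is the detection-time metric reported under Expected Outcomes.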
Activate the Incident Response Team
Notify and assemble the incident response team based on the severity classification. Establish the incident command structure.
- 2.1 Notify the incident response team lead and relevant team members
- 2.2 Activate the incident response communication channel
- 2.3 Assign roles including incident commander, technical lead, and communications lead
Contain the Incident
Take immediate actions to contain the incident and prevent further damage or spread to other systems.
- 3.1 Isolate affected systems from the network if necessary
- 3.2 Block malicious IP addresses, domains, or user accounts
- 3.3 Preserve forensic evidence before making changes to affected systems
- 3.4 Implement temporary security measures to prevent further compromise
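An added example for step 3.3, not part of the original procedure: before isolating or cleaning a host, hash the artefacts being collected (logs, crontabs, suspicious binaries) into a manifest that records who collected what and when, then re-verify that manifest later so the investigation and the post-incident review can show the evidence was not altered in the meantime. The files, the collector identity and the incident identifier here are constructed for illustration.

```python
"""Evidence manifest with SHA-256 integrity checks (step 3.3).
Added example for this procedure; not the organisation's own tooling."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large artefacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, incident_id):
    """Record hash, size and original mtime of each artefact plus who collected it and when."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": p,
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "incident_id": incident_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(manifest):
    """Return the paths whose current hash no longer matches the manifest (or that are missing)."""
    changed = []
    for e in manifest["files"]:
        if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]:
            changed.append(e["path"])
    return changed


def demo():
    """Constructed artefacts in a temp dir: hash them, tamper with one, re-verify."""
    d = tempfile.mkdtemp()
    auth_log = os.path.join(d, "auth.log")
    crontab = os.path.join(d, "crontab")
    with open(auth_log, "w") as f:
        f.write("constructed auth log\n")
    with open(crontab, "w") as f:
        f.write("* * * * * /tmp/.x\n")   # constructed suspicious persistence entry

    # Hypothetical collector and incident identifier.
    manifest = build_manifest([auth_log, crontab], "responder@example.edu", "EXAMPLE-INCIDENT")
    clean = verify_manifest(manifest)           # [] : nothing changed yet

    with open(crontab, "a") as f:               # simulate a change after collection
        f.write("tampered\n")
    tampered = verify_manifest(manifest)        # [crontab path]
    return clean, tampered, manifest


if __name__ == "__main__":
    clean, tampered, manifest = demo()
    print(json.dumps(manifest, indent=2))
    print("changed before tamper:", clean)
    print("changed after tamper:", tampered)
```

Write the manifest somewhere the affected host cannot reach (the response team's evidence store, not the compromised machine), and treat any path returned by `verify_manifest` as evidence that can no longer be relied on.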
Investigate and Analyse
Conduct a thorough investigation to determine the root cause, attack vector, and full extent of the incident.
- 4.1 Analyse system logs, network traffic, and forensic data
- 4.2 Determine the attack vector and entry point
- 4.3 Identify all affected systems, accounts, and data
Eradicate the Threat
Remove the root cause of the incident, including malware, compromised accounts, and exploited vulnerabilities.
- 5.1 Remove malware and malicious files from affected systems
- 5.2 Reset compromised credentials and enforce password changes
- 5.3 Patch vulnerabilities that were exploited in the attack
Recover and Restore
Restore affected systems and data to normal operations, verifying that the threat has been fully eliminated.
- 6.1 Restore systems from clean backups or rebuild as necessary
- 6.2 Verify that restored systems are free from compromise
- 6.3 Monitor restored systems closely for signs of re-infection or persistence
Notify Stakeholders
Communicate the incident to relevant internal and external stakeholders as required by policy and regulation.
- 7.1 Notify senior management with an incident summary and impact assessment
- 7.2 Determine whether regulatory notification is required and prepare accordingly
- 7.3 Communicate with affected learners or partners if their data was compromised
Conduct Post-Incident Review
After the incident is resolved, conduct a review to document lessons learned and improve the incident response process.
- 8.1 Conduct a post-incident review meeting with the response team
- 8.2 Document the timeline, actions taken, and lessons learned
- 8.3 Identify improvements to security controls, procedures, and response processes
Expected Outcomes
- Mean time to detect: average time from the start of an incident to its detection, measuring the effectiveness of monitoring.
- Mean time to contain: average time from detection to successful containment, measuring response speed.
- Mean time to recover: average time from containment to full recovery of normal operations.
Frequently Asked Questions
When should law enforcement be contacted?
Law enforcement should be contacted for incidents involving criminal activity such as data theft, ransomware, or significant financial fraud. The decision should be made by senior management in consultation with legal counsel.
What constitutes a cybersecurity incident?
A cybersecurity incident is any event that compromises the confidentiality, integrity, or availability of information systems or data. This includes malware infections, unauthorised access, data breaches, phishing attacks, and denial-of-service attacks.
How can we prevent cybersecurity incidents?
Prevention measures include regular security patching, employee security awareness training, multi-factor authentication, network segmentation, endpoint protection, regular backups, and continuous security monitoring.
Are we required to notify regulators of a data breach?
In Australia, the Notifiable Data Breaches scheme requires notification to the Office of the Australian Information Commissioner, and to the affected individuals, when a data breach is likely to result in serious harm to those individuals. Other regulatory requirements may apply depending on your sector.