JR Johnson Incident Response Checklist, Incident Response, Quick Tips

Security Incident Identification Checklist

There are several phases of a security incident that are important, but first and foremost, the identification that an incident occurred is your first opportunity to gather information and understand what is going on. It’s helpful to have a checklist that employees are aware of to take down some initial information that can help your security or IT team triage and understand an incident. This kind of security incident identification checklist can help make sure valuable information isn’t lost.

1. What Happened?

It sounds ridiculous. Of course, if you’re reporting a potential security incident you have some information about what’s going on, right? But in reality, security incidents happen fast and they can be stressful for the victim. So much like any crime, it’s helpful to get some kind of statement about what’s going on right after it happened. This prevents everyone from playing a game of telephone about the details surrounding the identification of the incident.

2. Who Noticed It?

You want to make a note of who initially noticed and reported the incident so that, in all the shuffle, you know who to go back to with questions. Hopefully, there will be enough information in the initial report a user submits. But if not, you want to make sure that you know who to go back to for more detail or even for triage/response activities.

3. When Did the Potential Security Incident Occur?

As soon as an incident is identified, your team should be trying to build as detailed a timeline as possible, starting with the initial time of identification and reporting. This will help put things like logs and response actions into a time box for increased context.

4. Where Did the Incident Occur?

Self-explanatory, but you want to make sure you understand exactly what physical locations AND network locations are affected by the incident. Understanding the exact hostname, IP address, office location, etc. will assist with triage and containment activities.

5. What is the Business Impact?

Using all of the contextual information gather up to this point, the security team and possibly even business leadership can begin to make an assessment on the potential impact to the business of this security incident. Of course at this point we are still talking about potential impact, as we haven’t done any triage or investigation and are still simply trying to fully identify what is going on. But making an initial analysis on potential impact is important, because it will allow you to assign a priority to the investigation and response.

There may be additional fields and information you’ll want to collect that is organizationally specific, but these first five things should be the core of what you need for a security incident identification checklist. If you see something we’re missing that you’ve found important or useful in your experience, please let us know on Twitter or reach out to us directly and we’d love to discuss!