Cyber Security Incident Response Planning: Practitioner Guide
First published: January 2022
Last updated: December 2024
Table of contents

Introduction 1
  Context 1
  Purpose 1
  Using this guidance 1
  Acknowledgements 1
  Contact details 2
Authority and review 3
  Document control and review 3
  Version control 3
Purpose and objectives 4
  Purpose 4
  Objectives 4
Standards and frameworks 5
High level cyber security incident response process 6
Common cyber security incidents and responses 7
  Common threat vectors 7
  Common cyber security incidents 7
Roles and responsibilities 9
  Points of contact for reporting cyber security incidents 9
  Cyber Security Incident Response Team 9
  Senior Executive Management Team 10
  Roles and responsibilities 11
Communications 12
  Internal communications 12
  External communications 13
Supporting procedures and playbooks 14
  Supporting procedures 14
  Supporting playbooks 14
Sector, jurisdictional and national cyber security incident response arrangements 15
  Sector arrangements 15
  Jurisdictional arrangements 15
  National arrangements 15
Cyber security incident notification and reporting 16
  Legal and regulatory requirements 16
  Insurance 16
Detection, investigation, analysis and activation 17
  Detecting cyber security incidents 17
  Cyber security incident classification 17
  Cyber Security Incident Response Team activation 18
  Investigation questions 18
  Escalation and de-escalation 18
Containment, evidence collection and remediation 20
  Containment 20
  Documentation 20
  Evidence collection and preservation 20
  Remediation Action Plan 21
Recovery 22
  Stand down 22
Learn and improve 23
  Post cyber security incident review 23
  Update and test Cyber Security Incident Response Plan 23
  Training 24
Appendix A – Terminology and definitions 25
Appendix B – Cyber Security Incident Response Readiness Checklist 27
Appendix C – ASD cyber security incident triage questions 30
Appendix D – Situation Report Template 32
Appendix E – Cyber Security Incident Log Template 33
Appendix F – Evidence Register Template 34
Appendix G – Remediation Action Plan Template 35
Appendix H – Post cyber security incident reviews 36
  How to use this guide 36
  Post cyber security incident review steps 36
  Post Cyber Security Incident Review Analysis Template 38
Appendix I – Action Register Template 44
Appendix J – Role cards 45
Appendix K – ASD Cyber Security Incident Categorisation Matrix 46


Introduction
Context
Australian organisations are continually targeted by malicious actors, with the Australian Signals Directorate (ASD)
assessing that malicious cyber activity against Australia’s national and economic interests is increasing in frequency,
scale and sophistication. As malicious actors become more adept, the likelihood and severity of cyber attacks are also
increasing because of the interconnectivity and availability of information technology (IT) platforms, devices and
systems exposed to the internet.

Managing responses to cyber security incidents is the responsibility of affected organisations. As such, all
organisations should have a Cyber Security Incident Response Plan (CSIRP) to ensure an effective response and
prompt recovery in the event that system controls do not prevent a cyber security incident from occurring. This plan
should be regularly tested and reviewed.

To be effective, a CSIRP should align with organisations’ emergency, crisis and business continuity arrangements, as
well as jurisdictional and national cyber and emergency arrangements. It should support personnel to fulfil their roles
by outlining their responsibilities and all legal and regulatory obligations.

While organisations are responsible for managing cyber security incidents affecting their business, Australia’s Cyber
Incident Management Arrangements outline the inter-jurisdictional coordination arrangements and principles when
responding to national cyber security incidents.

Purpose
This guidance (which acts as a CSIRP Template) and the Cyber Security Incident Response Readiness Checklist
(Appendix B) are intended to be used as a starting point for organisations to develop their own CSIRP and readiness
checklists. Each organisation’s CSIRP and checklist will need to be tailored according to their own unique operating
environment, priorities, resources and obligations.

In addition to a CSIRP, organisations can develop more detailed day-to-day processes and procedures to supplement
the CSIRP. This could include detailed playbooks to aid in the response to common types of cyber security incidents,
such as ransomware or data breaches, and Standard Operating Procedures (SOPs) to respond to cyber security
incidents affecting specific assets.

Using this guidance

This guidance is designed to assist organisations in the development of their own CSIRP as part of cyber security
incident response planning activities. As part of this guidance, a separate CSIRP Template is available for organisations
to fill in with some fields containing example text for demonstrative purposes. Note, the CSIRP Template is not
exhaustive. Each organisation’s CSIRP should be tailored according to their own unique operating environment,
priorities, resources and obligations.

Acknowledgements
This guidance was created using multiple resources. ASD acknowledges the following resources used in its
development:

- ASD Information Security Manual
- Australian Prudential Regulation Authority Prudential Practice Guide CPG 234 Information Security
- CSIRP Template developed by the Australian Energy Sector Readiness and Resilience Working Group in 2019, specifically with support from the Australian Energy Market Operator, Tasmanian Department of State Growth, the Victorian Government Department of Premier and Cabinet and ASD
- Queensland Government Incident Management Guideline
- Victorian Government Cyber Incident Management Plan and Cyber Incident Response Plan Template
- Cybersecurity & Infrastructure Security Agency Federal Government Cybersecurity Incident and Vulnerability Response Playbooks
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev. 2, Computer Security Incident Handling Guide
- International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27035-1:2023, Information technology – Information security incident management – Part 1: Principles and process
- ISO/IEC 27035-2:2023, Information technology – Information security incident management – Part 2: Guidelines to plan and prepare for incident response
- ISO/IEC 27035-3:2020, Information technology – Information security incident management – Part 3: Guidelines for ICT incident response operations.

Contact details
If you have any questions regarding this guidance you can write to us or call us on 1300 CYBER1 (1300 292 371).



Authority and review
Include information about the document owner, document reviewer, approver, version control and date of next
review or other thresholds to review the CSIRP. For example, a CSIRP could be reviewed on a time bound basis, such
as bi-annually or annually. A CSIRP could also be reviewed when implementing changes following a cyber security
incident, a cyber security exercise or organisational shifts. Finally, a CSIRP could be reviewed following changes to
relevant policies, plans, legislation, regulation or jurisdictional arrangements.

Document control and review

Document Control

Author | Person responsible for developing the CSIRP.
Owner | The risk owner or role responsible for enacting the CSIRP.
Date created |
Last reviewed by |
Last date reviewed |
Endorsed by and date |
Next review due date |

Version control

Version | Date of Approval | Approved By | Description of Change
0.1 | 20/06/2022 | Action Officer | Initial Draft



Purpose and objectives
Include the purpose and objectives of the CSIRP.

Purpose
To support a swift and effective response to cyber security incidents aligned with the organisation’s security and
business objectives.

Objectives
- To provide guidance on the steps required to respond to cyber security incidents.
- To outline the roles, responsibilities, accountabilities and authorities of personnel and teams required to manage responses to cyber security incidents.
- To outline legal and regulatory compliance requirements for cyber security incidents.
- To outline internal and external communication processes when responding to cyber security incidents.
- To provide guidance on post cyber security incident activities to support continuous improvement.



Standards and frameworks
Include the relevant standards and frameworks used to inform the CSIRP.

- National standards and frameworks:
  - Information Security Manual
  - Prudential Practice Guide CPG 234 Information Security
  - Australian Energy Sector Cyber Security Framework
- State/Territory Government standards and frameworks:
  - New South Wales Government Cyber Security Incident Emergency Sub Plan
  - Queensland Government Incident Management Guideline
  - South Australian Government Cyber Security Incident Management
  - Tasmanian Government Incident Management Cyber Security Standard
  - Victorian Government Cyber Incident Management Plan
  - Western Australian Government Cyber Security Incident Coordination Framework
- International standards and frameworks:
  - NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide
  - ISO/IEC 27035-1:2023, Information technology – Information security incident management – Part 1: Principles and process
  - ISO/IEC 27035-2:2023, Information technology – Information security incident management – Part 2: Guidelines to plan and prepare for incident response
  - ISO/IEC 27035-3:2020, Information technology – Information security incident management – Part 3: Guidelines for ICT incident response operations.



High level cyber security incident response process
Include a summary of the cyber security incident response process.



Common cyber security incidents and responses
Include commonly used terms and their definitions. A list of commonly used terms and definitions is provided at
Appendix A.

Common threat vectors

Include a summary of common threat vectors.

Type | Description
Attrition | An attack that employs brute force methods to compromise, degrade or destroy systems, services or networks (e.g. a Distributed Denial of Service intended to impair or deny access to a service or application; or a brute force attack against an authentication mechanism, such as passwords or digital signatures).
Email | An attack executed via an email message or attachment (e.g. exploit code disguised as an attached document or a link to a malicious website in the body of an email message).
External/Removable Media | An attack executed from removable media or a peripheral device (e.g. malicious code spreading to a system from infected removable media).
Impersonation | An attack involving replacement of something benign with something malicious (e.g. spoofing, person-in-the-middle attacks, rogue wireless access points and SQL injection attacks).
Improper usage | Any event resulting from the violation of an organisation’s acceptable usage policies by an authorised user (e.g. a user installs file sharing software, leading to the loss of sensitive data; or a user performs illegal activities on a system).
Loss or theft of equipment | The loss or theft of a computing device or media used by an organisation, such as a laptop, smartphone or authentication token.
Web | An attack executed from a website or web-based application (e.g. a cross-site scripting attack used to steal credentials or redirect to a site that exploits a web browser vulnerability and installs malware).
Other | An attack that does not fit into any of the above categories.

Common cyber security incidents

Include a summary of common cyber security incident types and the initial response activities. The Response column is
left blank in the template for the organisation to complete.

Type/Description | Response
Data breach: Unauthorised access and disclosure of data. |
Denial of Service and Distributed Denial of Service: Overwhelming a service with traffic, sometimes impacting availability. |
Industrial Control System compromise: Unauthorised access to an Industrial Control System. |
Malware: A trojan, virus, worm or any other malicious software that can harm systems, services or networks. |
Phishing: Deceptive messaging designed to elicit users’ sensitive data (such as banking logins or business login credentials) or used to execute malicious code to enable remote access. |
Ransomware: A tool used to lock or encrypt victims’ files until a ransom is paid. |



Roles and responsibilities
Include details of the roles and responsibilities of core personnel and teams responsible for cyber security incident
response and decision making. At a minimum, include the personnel responsible for receiving the initial notification,
the operational level Cyber Security Incident Response Team (CSIRT) and the strategic level Senior Executive
Management Team (SEMT).

All personnel listed should be familiar with their responsibilities in the CSIRP and have practised their response.

Points of contact for reporting cyber security incidents

Include details about primary and secondary internal points of contact for personnel or stakeholders to report cyber
security incidents to over a 24/7 period.

The template lists the columns Name, Availability, Contact Details, Role/Title and Responsibilities, with only the last
two pre-filled:

Role/Title | Responsibilities
On-call point of contact | Primary point of contact

Cyber Security Incident Response Team

Include details of the CSIRT personnel responsible for managing responses to cyber security incidents. The
composition of the CSIRT will vary depending on the size of an organisation and available skills and resources.

Include details of any third-party vendors that provide or manage systems, services and/or networks. If applicable,
include details of external cyber security incident response providers and the services they provide.

The template lists the columns Name, Availability, Contact Details, Role/Title and Responsibilities, with only the last
two pre-filled:

Role/Title | Responsibilities
Cyber Security Incident Manager | Response planning; CSIRT operations
Deputy Cyber Security Incident Manager | Situational analysis; threat intelligence; technical advice
Security Manager | Investigation (if suspected malicious insider); law enforcement liaison
Cyber Security Incident Responder | Technical investigation (collection and processing of network and host data); containment, remediation and recovery efforts; investigation findings report
Communications, Engagement and Media Advisor | Internal communications; media and community liaison

Other CSIRT roles could include system administrators, network engineers, change managers, internal auditors, legal
advisors, finance and procurement specialists, and administration and record keeping personnel.

Surge arrangements

Include process for implementing surge arrangements, the resources involved in those arrangements and thresholds
for triggering those surge arrangements. Surge arrangements can include, but are not limited to people, hardware,
software and financial resources.

Senior Executive Management Team

Significant cyber security incidents may require the formation of the SEMT to provide strategic oversight, direction
and support to the CSIRT, with a focus on:

- strategic issues identification and management
- stakeholder engagement and communications (including Board and ministerial liaison, if applicable)
- resource and capability demand (including urgent logistics or finance requirements, and human resources considerations during the response effort).

Include details of the SEMT responsible for managing responses to cyber security incidents. The composition and roles
of the SEMT may vary depending on the cyber security incident impact and the size and structure of an organisation, as
some roles may not be relevant or multiple roles may be held by the same individual.

The template lists the columns Name, Availability, Contact Details, Role/Title and Responsibilities, with only the last
two pre-filled:

Role/Title | Responsibilities
Chief Executive Officer | SEMT Chair
Chief Information Officer | SEMT Deputy Chair
Chief Information Security Officer | SEMT Deputy
Chief Operating Officer | Operational functions of the business
Chief Financial Officer/Procurement Manager | Emergency procurement and expenditure oversight
Legal Counsel | Regulatory compliance, cyber insurance
Media and Communications Manager | Public relations and stakeholder engagement
People and Culture Manager | Personnel welfare management

Roles and responsibilities

Include a diagram depicting the relationship between the key personnel and teams involved in cyber security incident
response. For example, the diagram below is taken from the Queensland Government Incident Management
Guideline.



Communications
Include the process for managing internal and external communications. Be prepared to:

- support the CSIRT and SEMT communications requirements
- respond to potential increases in internal and external enquiries or complaints about the cyber security incident or its effects, with common questions including:
  - How will the customer helpdesk manage enquiries and be supported?
  - How will the IT helpdesk (or equivalent) manage enquiries and be supported?
  - What communication channels are available to affected customers (e.g. telephone hotline, information on the website or social media)?
- communicate externally about the cyber security incident, including to the public and the media:
  - Who has the primary responsibility for authorising and speaking on behalf of the organisation? How will this person be supported?
  - Who has responsibility for producing and approving information for release to the public and media?
- monitor news media, social media and other forms of media and use them to support communications.

Include details for backup communication channels to communicate with stakeholders and customers.

Internal communications
Include the process and expected timeframes to communicate relevant cyber security incident information to
personnel (for example, system users, customer service teams, senior executives and the Board).

In internal messaging, consider how to inform personnel about the cyber security incident and support business
continuity. Consider providing:

- a brief summary of the cyber security incident and business impact
- actions currently being undertaken to resolve the cyber security incident
- actions personnel can take to assist
- business continuity options for personnel who are affected by the cyber security incident
- messaging for external stakeholders
- key points of contact for enquiries
- expected timeframes for further updates.



External communications
Include the process and timeframes to communicate relevant cyber security incident information to external
stakeholders and customers.

Depending on the impact and severity of the cyber security incident, it may be necessary to communicate with:

- stakeholders required to support cyber security incident response activities, such as government bodies, third-party cyber security incident response, law enforcement, insurance providers and/or sector organisations
- the media and customers seeking information about the cyber security incident, such as the general public, government bodies, clients, shareholders, suppliers and/or sector organisations.

In external messaging, consider how to inform external stakeholders and customers about the cyber security incident
based upon their role or interest. Consider:

- information they need to know:
  - systems, services or networks affected
  - steps being taken to resolve the cyber security incident
  - who is supporting cyber security incident remediation activities
  - any options or actions for stakeholders affected by the cyber security incident to take
  - key points of contact for enquiries
  - expected timeframes for further updates.

Consider supporting requests for information from interested sector and government bodies following the cyber
security incident for the purpose of information sharing and learning from the experience.



Supporting procedures and playbooks
Supporting procedures
Include a list of SOPs developed to support cyber security incident response, and their physical and electronic
locations. Examples of SOPs are:

- event detection, triage and analysis
- post cyber security event/incident detection or notification
- cyber security incident detection, investigation and analysis
- cyber security incident containment, remediation and recovery
- Communications Plan (internal and external)
- Emergency Management Plan
- Crisis Management Plan
- Business Continuity Plan
- Disaster Recovery Plan.

Supporting playbooks
Playbooks are documents intended to contain easy-to-follow instructions to help ensure all appropriate steps are
taken when responding to specific types of cyber security incidents. Include a list of playbooks and their physical and
electronic locations. Example cyber security incidents that may have a playbook are:

- Cyber Security Incident Response Playbook – Phishing
- Cyber Security Incident Response Playbook – Data Breach/Theft
- Cyber Security Incident Response Playbook – Malware
- Cyber Security Incident Response Playbook – Ransomware
- Cyber Security Incident Response Playbook – Denial of Service.



Sector, jurisdictional and national cyber security incident response arrangements
Include information about the relevant sector, state and/or territory and national arrangements for cyber security
incident related activities, including, but not limited to, notification, reporting and/or seeking additional support.

The CSIRP could include a process chart of when to report cyber security incidents to relevant government bodies
and/or seek assistance.

Sector arrangements
Include information about the relevant sector arrangements and the process for implementing these arrangements.

Jurisdictional arrangements
Each state/territory jurisdiction has its own cyber security incident response arrangements. Organisations should
contact the relevant government body in their jurisdiction to understand the arrangements that apply.

Include information about the process for reporting to and/or seeking assistance from state/territory law
enforcement.

National arrangements
Include information about the process for reporting to and/or seeking assistance from Federal Government bodies.
For example, Australia’s Cyber Incident Management Arrangements outline the inter-jurisdictional coordination
arrangements and principles when responding to national cyber security incidents.

Examples of potential national cyber security incidents include:

- an organisation with links across multiple jurisdictions being compromised through a cyber security incident
- malicious cyber activity affecting critical national infrastructure where the consequences have the potential to cause sustained disruption of essential services or threaten national security
- malicious cyber activity where the cause and potential extent of its geographic impact is uncertain
- a large-scale breach of sensitive data affecting persons or organisations in multiple jurisdictions.

ASD leads the Australian Government’s response to cyber security incidents. For information on how to report cyber
security incidents to ASD, and to seek advice and assistance, visit ASD’s reporting website.

ASD takes the protection of information seriously. Under the limited use obligation, information voluntarily provided
to ASD about cyber security incidents, potential cyber security incidents or vulnerabilities impacting organisations
cannot be used for regulatory purposes.

Appendix C lists some of the common triage questions ASD will use to assess the severity of a reported cyber security
incident.



Cyber security incident notification and reporting
Include internal and external processes for cyber security incident notification and reporting. Consider sector,
state/territory and national cyber security incident notification and reporting obligations.

Include details about who is responsible for cyber security incident notification and reporting to external entities.

Type | Organisation to Notify | Reporting Contact Details | Key Reporting Requirements | Reporting Personnel
Ransomware | ASD | https://www.cyber.gov.au/about-us/about-asd-acsc/contact-us | https://www.cyber.gov.au/report-and-recover/report | Chief Information Security Officer (CISO)
Data breach | Office of the Australian Information Commissioner (OAIC) | https://www.oaic.gov.au/contact-us | https://www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach | CISO

Legal and regulatory requirements

Include details about any legal and regulatory obligations, such as contractual and legislative reporting requirements.
Work with any compliance and legal personnel to ensure the CSIRP covers all relevant requirements, noting that
different cyber security incidents may require different or multiple legal and regulatory responses.

The CSIRP could include a process chart of when to report cyber security incidents to relevant government bodies,
regulators and other external parties.

Insurance
Include relevant details about any insurance policies for cyber security incidents.



Detection, investigation, analysis and activation
Include the decision making framework for activating the CSIRP.

Detecting cyber security incidents

Cyber security incidents could be detected in several ways, including, but not limited to:

- self-detected (e.g. via Intrusion Detection and Prevention Systems)
- notifications received from service providers or vendors
- notifications received from trusted third parties, such as ASD.

Cyber security incident classification

Include the framework and decision making process for classifying a cyber security incident. This can assist with
prioritising resources. Classification factors could include:

- effects of the cyber security incident (confidentiality, integrity and availability of systems and their resources)
- stakeholders affected (internal and external)
- cyber security incident type
- impact on the business and community.

Classification | Description
Critical | Over 80% of personnel (or several critical staff/teams) unable to work; critical systems offline; high risk to/definite breach of sensitive client or personal data; financial impact greater than $100,000; severe reputational damage – likely to impact business long term.
High | 50% of personnel unable to work; non-critical systems affected; risk of breach of personal or sensitive data; financial impact greater than $50,000; potential serious reputational damage.
Medium | 20% of personnel unable to work; small number of non-critical systems affected; possible breach of small amounts of non-sensitive data; financial impact greater than $25,000; low risk to reputation.
Low | <10% of non-critical personnel affected temporarily (short term); minimal, if any, impact; one or two non-sensitive/non-critical machines affected; no breach of data; negligible risk to reputation.

For information about the ASD Cyber Security Incident Categorisation Matrix see Appendix K.

Cyber Security Incident Response Team activation


Include the decision making framework for activating the CSIRT. This could align with the cyber security incident
classification framework. Note, some smaller cyber security incidents may be manageable without activation of the
CSIRT.

Logistics and communications

Include core logistical and communications protocols and mechanisms used to support cyber security incident
response. For example:

- operations room/security operations centre (SOC) location and setup
- equipment required for offsite cyber security incident response
- communications technologies such as phone/teleconference/online dial-in details and out-of-band communications (e.g. Slack or other similar applications).

Investigation questions
To guide cyber security incident response efforts, and understanding of the scope and impact of the cyber security
incident, develop a list of investigation questions. Note, not all questions may be answerable with the data available
and questions may change as investigations progress.

Possible investigation questions include:

- What was the initial intrusion vector?
- What post-exploitation activity occurred? Have accounts been compromised? What level of privilege was involved?
- Does the malicious actor have persistence on systems, services or networks?
- Is lateral movement suspected or known? Where has the malicious actor laterally moved to and how?
- How is the malicious actor maintaining command and control?
- Has data been accessed or exfiltrated and, if so, what kind of data?

Escalation and de-escalation


Include the escalation and de-escalation triggers and/or thresholds and decision making authorities.

Columns: Classification; Action; Triggers/Thresholds for Escalation and De-escalation; Minimum Level of Authority.
The last two columns are left blank in the template for the organisation to complete.

Critical: De-escalation to High

High: Escalation to Critical; De-escalation to Medium

Medium: Escalation to High; De-escalation to Low

Low: Escalation to Medium

Containment, evidence collection and
remediation
Containment
Containment actions are implemented in order to minimise damage, prevent the cyber security incident from
spreading or escalating, and prevent malicious actors from destroying evidence.

When planning containment actions, consider:

 any additional impacts there could be to systems, services or networks

 time and resources required to contain the cyber security incident

 effectiveness of the containment solution (e.g. partial vs full containment)

 duration that the containment solution will remain in place (e.g. temporary vs permanent solution).

Documentation
Include processes and procedures for documenting the cyber security incident, including responsible personnel and
timeframes. Refer to Appendix D for a Situation Report Template and Appendix E for a Cyber Security Incident Log
Template.

Situation Reports may contain the following information:

 cyber security incident date and time

 status of the cyber security incident

 cyber security incident type and classification

 cyber security incident scope and impact

 cyber security incident severity

 external assistance required

 actions taken to resolve the cyber security incident

 contact details for key CSIRT personnel

 date and time of the next update.

Evidence collection and preservation


Include processes and procedures for collecting, preserving, handling and storing evidence, including responsible
personnel and timeframes. As this can be complex, if necessary, seek advice from digital forensic professionals, legal
advisors or law enforcement.

When gathering evidence, maintain a detailed log that clearly documents how all evidence has been collected. This
should include who collected or handled the evidence, the time and date (including time zone) evidence was collected
and handled, and the details of each item collected (including the physical location, serial number, model number,
hostname, media access control [MAC] address, Internet Protocol [IP] address and hash values). See Appendix F for a
template.

Examples of commonly collected evidence include:

 hard drive/host images

 network packet captures and flows

 IP addresses

 log files

 network diagrams

 configuration files

 databases

 investigation notes

 screenshots

 social media posts

 closed-circuit television, video and audio recordings.
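Recording hash values alongside who collected an item and when (including the time zone), as the evidence log guidance above requires, is also how a responder later shows that an artefact has not changed since it was collected. The script below is an added example and is not part of the guide or its templates: it hashes a constructed sample file in chunks (so a large disk image is never loaded into memory), builds a register entry using the Evidence Register fields, and re-hashes the file to confirm it still matches the register. The field names, the sample values and the choice of SHA-256 plus SHA-1 are assumptions.

```python
"""Evidence register helper: hash a collected artefact and record who collected
it, when (with time zone) and where it is stored.  Added example, not the
guide's own template; field names and sample values are assumptions."""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, asdict, field
from datetime import datetime, timezone
from typing import List

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images are not read into RAM


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> dict:
    """SHA-256 and SHA-1 hex digests of a file, computed in one chunked pass."""
    sha256 = hashlib.sha256()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(chunk)
            sha1.update(chunk)
    return {"sha256": sha256.hexdigest(), "sha1": sha1.hexdigest()}


@dataclass
class EvidenceRecord:
    """One row of the evidence register (assumed field names)."""
    collected_at: str            # ISO 8601 timestamp with UTC offset
    collection_location: str
    collected_by: str            # name, title, contact details
    item: str                    # quantity, serial/model number, hostname, MAC, IP
    path: str                    # where the artefact is stored
    size_bytes: int
    hashes: dict                 # digests taken at collection time
    storage: str                 # storage location and label number
    access: List[str] = field(default_factory=list)


def collect_evidence(path, collected_by, location, item, storage, access):
    """Hash an artefact at collection time and build its register entry."""
    return EvidenceRecord(
        collected_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        collection_location=location,
        collected_by=collected_by,
        item=item,
        path=path,
        size_bytes=os.path.getsize(path),
        hashes=hash_file(path),
        storage=storage,
        access=list(access),
    )


def verify_evidence(record: EvidenceRecord) -> bool:
    """Re-hash the stored artefact; False means it no longer matches the register."""
    return hash_file(record.path) == record.hashes


def register_to_json(records) -> str:
    """Serialise register rows for inclusion in the incident documentation."""
    return json.dumps([asdict(r) for r in records], indent=2)


def demo() -> dict:
    """Constructed sample: a small file stands in for a disk image."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "host01-disk.img")
        with open(image, "wb") as fh:
            fh.write(b"constructed sample image contents\n")
        rec = collect_evidence(image, "Jane Doe - CSIRT - ext 1234", "Head Office",
                               "1 x disk image, hostname host01",
                               "Evidence safe, label 0001", ["CSIRT"])
        intact = verify_evidence(rec)
        with open(image, "ab") as fh:          # simulate a later modification
            fh.write(b"changed")
        after_change = verify_evidence(rec)
        return {"sha256": rec.hashes["sha256"], "intact": intact,
                "after_change": after_change, "json": register_to_json([rec])}


if __name__ == "__main__":
    print(demo()["json"])
```

Hashing at collection time and again before hand-over (for example to law enforcement or ASD) gives a simple check that the item listed in the register is the item being provided.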

Remediation Action Plan


Include processes and procedures for developing and implementing a Remediation Action Plan to resolve the cyber
security incident following successful containment and evidence collection. See Appendix G for a template.

When developing the Remediation Action Plan, consider:

 What actions are required to resolve the cyber security incident?

 What resources are required to resolve the cyber security incident (if not already included in the CSIRT)?

 Are there additional external resources required?

 Who is responsible for remediation actions?

 What systems, services or networks should be prioritised?

 What systems, services or networks will be affected during the remediation process?

 How will these systems, services or networks be affected?

 What is the expected resolution time?

Recovery
Include processes and procedures for developing, authorising and executing an agreed Recovery Plan.

The Recovery Plan should detail the approach to recovering IT and/or operational technology (OT) systems, services
and networks once containment and remediation are complete.

When developing the Recovery Plan, consider:

 How will systems, services and networks be restored to normal operation and in what timeframe?

 How will systems, services and networks be monitored to ensure they are no longer compromised and are
functioning as expected?

 How will identified vulnerabilities be managed to prevent similar cyber security incidents from occurring in the
future?

Stand down
Include decision making processes and procedures for standing down the CSIRT and SEMT.

Include the processes and procedures for completing a Cyber Security Incident Report, including responsible
personnel and timeframes. Consider creating a Cyber Security Incident Report Template as an appendix to the CSIRP.

Learn and improve
Include an approach to capture lessons learned from the cyber security incident.

Post cyber security incident review


A post cyber security incident review is a detailed review conducted after an organisation has experienced a cyber
security incident. It can include a hot debrief which is held immediately after an organisation has recovered its
systems, services or networks from a cyber security incident and/or a formal debrief held after the Cyber Security
Incident Report has been completed, such as within two weeks.

Key questions to consider during a post cyber security incident review include:

 What were the root causes of the cyber security incident?

 Could the cyber security incident have been prevented? How?

 What worked well in the response to the cyber security incident?

 How could our response be improved for future cyber security incidents?

Refer to Appendix H for more detailed questions to consider in post cyber security incident reviews.

Recommendations that arise from the review can be documented in a corresponding Action Register. Refer to
Appendix I for an Action Register Template.

PPOSTTE model

The PPOSTTE model can assist in reflecting on key elements of the cyber security incident response:

 People: Roles, responsibilities, accountabilities, skills.

 Process: Plans, policies, procedures, protocols, processes, templates, arrangements.

 Organisation: Structures, culture, jurisdictional arrangements.

 Support: Infrastructure, facilities, maintenance.

 Technology: Equipment, systems, standards, security, inter-operability.

 Training: Qualifications/skill levels, identification of required courses.

 Exercise management: Exercise development, structure, management, conduct.

Update and test Cyber Security Incident Response Plan


The post cyber security incident review may result in changes to the CSIRP, playbooks and templates. Changes should
be communicated to the relevant personnel.

Significant changes may require the CSIRP, playbooks and templates to be tested. Regular testing is important to
ensure these documents remain current and are familiar to relevant personnel. Testing methods could include
tabletop exercises or functional exercises.

Training
Include training activities, and associated support, required for personnel to effectively undertake their roles when
responding to a cyber security incident.

The post cyber security incident review may identify additional specialised training for personnel involved in cyber
security incident response or general cyber security awareness training for all personnel.

Appendix A – Terminology and definitions
Use of consistent and pre-defined terminology to describe cyber security incidents and their effects can be helpful as
part of cyber security incident response planning.

Cyber threat

A cyber threat is any circumstance or event with the potential to harm systems or data.

Examples of cyber threats include (but are not limited to):

 business email compromise

 cybercrime

 cyber supply chain compromise

 exploitation of vulnerabilities

 phishing emails and scams

 ransomware.

Cyber security alert

A cyber security alert is a notification generated in response to a deviation from normal behaviour. Cyber security
alerts are used to highlight cyber security events.

Cyber security event

A cyber security event is an occurrence of a system, service or network state indicating a possible breach of security
policy, failure of safeguards or a previously unknown situation that may be relevant to security.

Examples of cyber security events include (but are not limited to):

 a user has disabled the antivirus on their computer

 a user has deleted or modified system files

 a user restarted a server

 unauthorised access to a server or computer.

Cyber security incident

An unwanted or unexpected cyber security event, or a series of such events, that either has compromised business
operations or has a significant probability of compromising business operations.

Examples of cyber security incidents include (but are not limited to):

 denial-of-service attacks

 unauthorised access or attempts to access a system

 compromise of sensitive data

 virus or malware outbreak (including ransomware).

Appendix B – Cyber Security Incident Response
Readiness Checklist
This checklist is provided to aid the initial assessment of an organisation’s readiness to respond to a cyber security
incident. This checklist is not an exhaustive list of all readiness activities.

PREPARATION

☐ Your organisation has a cyber security policy or strategy that outlines your organisation’s approach to
prevention, preparedness, detection, response, recovery, review and improvement. For example, your
organisation has a position on not paying ransoms, reporting cyber security incidents to government,
publicly acknowledging cyber security incidents, and sharing information about cyber security incidents
with trusted industry and government partners.

☐ A CSIRP has been developed which:
 aligns with your organisation’s operating environment, including emergency management and
business continuity processes and procedures
 has been reviewed or tested in an exercise to ensure it is current and responsible personnel are aware
of their roles and responsibilities
 includes supporting templates, for example Situation Reports.

☐ Personnel involved in managing cyber security incidents have received cyber security incident response
training.

☐ Up-to-date hard copy versions of the CSIRP and playbooks are stored in a secure location (in case of
electronic or hardware failure) and are accessible to authorised personnel.

☐ Specific playbooks to supplement the CSIRP have been developed and define step-by-step guidance for
response actions to common cyber security incidents.

☐ A CSIRT and SEMT, or equivalents, have been identified to manage any responses to cyber security
incidents.

☐ All relevant IT and OT SOPs are documented and have been reviewed or tested in an exercise to ensure
they are current and responsible personnel are aware of their roles and responsibilities.

☐ Arrangements for service providers, including cloud and managed services, to provide and retain logs
have been established and tested to ensure they include useful data which can be provided in a timely
manner.

☐ Log retention mechanisms for critical systems, services and networks have been adequately configured
and tested to ensure that they capture useful data.

☐ Your organisation has internal or third party arrangements and capabilities to detect and analyse cyber
security events/incidents. If these capabilities are outsourced, your organisation has an active service
agreement/contract.

☐ Critical assets (systems, services and networks) have been identified and documented.

☐ SOPs have been developed, and roles and responsibilities assigned, for use of facilities and
communications technologies in response to cyber security incidents, and these resources are confirmed
as available. This includes for alternative/backup IT-based communication channels.

☐ Cyber security incident logging/records and tracking technologies used to manage any response to cyber
security incidents are confirmed as available and have been tested.

☐ Role cards have been developed for personnel involved in the CSIRT and the SEMT.

☐ Your organisation has internal or third party arrangements and capabilities to monitor cyber threats.
Situational awareness information is collected from internal and external data sources, including:
 local system and network traffic and activity logs
 news concerning political, social or economic activities that might impact cyber security incident
activity
 external feeds on cyber security incident trends, new attack vectors, current attack indicators and new
mitigation strategies and technologies.

DETECTION, INVESTIGATION, ANALYSIS AND ACTIVATION

SOPs have been developed, and roles and responsibilities assigned, for:

☐ Detection mechanisms which can be used to identify cyber security events/incidents, such as scanning,
sensor and logging mechanisms. These mechanisms require monitoring processes to identify unusual or
suspicious activity commensurate with the potential impact of a cyber security incident.
Common monitoring techniques include:
 network and user profiling that establishes a baseline of normal activity which, when combined with
logging and alerting mechanisms, can enable detection of anomalous activity
 scanning for the introduction of unauthorised hardware and software
 scanning for unauthorised changes to hardware and software configurations
 sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and
network activity)
 logging and alerting of access to sensitive data or unsuccessful logon attempts to identify potential
unauthorised access
 users with privileged access accounts subject to a greater level of monitoring in light of the heightened
risks involved.

☐ Cyber security incident detection, including self-detected cyber security incidents, notifications received
from service providers or vendors, and notifications received from trusted third parties (e.g. ASD).

☐ Cyber security incident analysis, including how cyber security incidents are to be categorised, classified
and prioritised, and controls related to how data is stored and transmitted.

☐ Activating a CSIRT to manage cyber security incidents, with roles and responsibilities assigned.

☐ Activating a SEMT to manage cyber security incidents, with roles and responsibilities assigned.
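The monitoring techniques listed under the detection item above (logging and alerting on unsuccessful logon attempts, alerts when a measure breaches a defined threshold, closer monitoring of privileged accounts) are the kind of check a SOC encodes as a rule. The Python below is an added example and is not from the guide: it parses constructed, syslog-style authentication lines, counts failed logons per user and source address within a sliding time window, and raises an alert when a threshold is reached, with a lower threshold for privileged accounts. The log format, account names, thresholds and window length are all assumptions.

```python
"""Threshold-based failed-logon detection over constructed log lines.
Added example; the log format, thresholds and account names are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format (not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z sshd[101]: Failed password for alice from 10.0.0.5 port 50101
2024-03-01T08:00:05Z sshd[102]: Failed password for alice from 10.0.0.5 port 50102
2024-03-01T08:00:09Z sshd[103]: Failed password for alice from 10.0.0.5 port 50103
2024-03-01T08:00:12Z sshd[104]: Failed password for alice from 10.0.0.5 port 50104
2024-03-01T08:00:15Z sshd[105]: Failed password for alice from 10.0.0.5 port 50105
2024-03-01T08:00:20Z sshd[106]: Accepted password for alice from 10.0.0.5 port 50106
2024-03-01T08:30:00Z sshd[107]: Failed password for bob from 10.0.0.9 port 50201
2024-03-01T09:30:00Z sshd[108]: Failed password for bob from 10.0.0.9 port 50202
2024-03-01T10:00:00Z sshd[109]: Failed password for admin from 192.0.2.7 port 50301
2024-03-01T10:00:03Z sshd[110]: Failed password for admin from 192.0.2.7 port 50302
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

PRIVILEGED = {"admin", "root"}   # assumed list of privileged account names
DEFAULT_THRESHOLD = 5            # failures per (user, source) inside WINDOW
PRIV_THRESHOLD = 2               # privileged accounts alert sooner
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "failed": m["result"] == "Failed",
            "user": m["user"], "src": m["src"]}


def detect_failed_logons(log_text):
    """Sliding-window count of failed logons per (user, source).

    Emits one alert when the count inside WINDOW reaches the threshold for
    that account type, then resets the counter for that key.  Failures older
    than WINDOW are discarded, so two failures an hour apart do not alert.
    """
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev["failed"]:
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # drop failures outside the window
            q.popleft()
        threshold = PRIV_THRESHOLD if ev["user"] in PRIVILEGED else DEFAULT_THRESHOLD
        if len(q) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "first": q[0].isoformat(), "count": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logons(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the rule alerts on the five rapid failures for alice from 10.0.0.5 and on the two failures for the privileged admin account, while bob's two failures an hour apart fall outside the window and produce nothing.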

CONTAINMENT, EVIDENCE COLLECTION AND REMEDIATION

☐ SOPs, playbooks and templates have been developed, and roles and responsibilities assigned, for
containment, evidence collection and remediation.

☐ A secure location is available for storing data captured during cyber security incidents, which could be
used as evidence of the malicious actor’s tradecraft, and is ready to be provided to third-party
stakeholders if requested.

COMMUNICATIONS

☐ SOPs, playbooks and templates have been developed to support communicating with internal and
external stakeholders.

☐ SOPs, playbooks and templates for media and communications professionals have been developed, and
roles and responsibilities assigned, to support public and media messaging.

☐ Your organisation has assigned a public and media spokesperson who is supported by technical subject
matter experts.

☐ Personnel have been trained to implement communications processes and execute their roles and
responsibilities.

☐ All personnel are cognisant of your organisation’s policy, and their responsibilities, when a cyber security
incident occurs (e.g. exercising discretion, using approved talking points, referring enquiries to the
designated public and media spokesperson).

CYBER SECURITY INCIDENT NOTIFICATION AND REPORTING

☐ Processes and procedures are documented to support your organisation to meet its legal and regulatory
requirements on cyber security incident notification and reporting, with roles and responsibilities within
your organisation assigned. This includes the processes for obtaining authority to release and share
information.

☐ Processes and procedures are documented for communicating with any cyber insurance providers.

POST CYBER SECURITY INCIDENT REVIEW

☐ Processes and procedures are documented to support post cyber security incident reviews following the
resolution of cyber security incidents, with Post Cyber Security Incident Review Reports submitted to
management for endorsement.

☐ Processes and procedures are documented to ensure actions following cyber security incidents and/or
exercises are tracked and completed (e.g. within an Action Register).

Cyber Security Incident Response Planning: Practitioner Guide 29


Appendix C – ASD cyber security incident triage
questions
Where applicable, personnel reporting cyber security incidents to ASD on behalf of their organisation should try to
have information available to answer the following questions:

 Who is reporting the cyber security incident? (e.g. CISO, SOC Manager)

 Who/what is the affected organisation/entity?

 What type of cyber security incident is being reported? (e.g. ransomware, denial of service, data breach,
malware)

 Is the cyber security incident still active?

 When was the cyber security incident first identified?

 Is reporting for ASD awareness or is ASD assistance required?

 If ASD assistance is required, what assistance is required?

 What type of system, service or network has been affected?

 What was observed (e.g. the sequence of events)?

 date/time

 effect/event

 Who or what identified the problem?

 Has a data breach occurred?

 What type of data was exposed?

 What volume of data was exposed?

 What impact will this have on your organisation?

 What impact (if any) will the data breach have on public safety or services?

 Was it a misconfiguration/error, or was a malicious exfiltration or theft of data identified?

 If applicable under the Notifiable Data Breaches scheme, has it been reported to the OAIC?

 What actions have been taken to rectify the issue?

 Are internal or external cyber security incident response providers involved?

 Are business as usual operations interrupted? If so, how long before operations will be back to normal?

 Will information about the cyber security incident be communicated publicly (e.g. with customers and/or the
media)?

 If so, please notify ASD beforehand if you will be referencing ASD.

Appendix D – Situation Report Template
Date of Entry: / Time of Entry: / Author:

Date/time cyber security incident was detected:

Current cyber security incident status: New, In Progress, Resolved

Cyber security incident type:

Cyber security incident classification: Critical, High, Medium, Low

Cyber security incident scope: List the affected systems, services and/or networks; highlight any change to scope
since the previous log.

Cyber security incident impact: List the affected stakeholder(s); highlight any change in impact since the previous
log entry.

Cyber security incident severity: Outline the impact of the cyber security incident on your organisation(s) and
public safety or services; highlight any change to severity since the previous log entry.

Notifications Actioned/Pending: What other organisations need to be notified? (e.g. ASD, law enforcement, OAIC,
customers, media)

Assistance required: What assistance is required from other organisations? (e.g. ASD, law enforcement)

Actions being taken to resolve the cyber security incident:

Additional notes:

Contact details for the cyber security incident manager (and others if required):

Date and time of the next update:

Appendix E – Cyber Security Incident Log Template
Date/Time Notes (relevant facts, decisions, rationale)

20220330 – 0835hrs SOC identified phishing that resulted in the successful deployment of ransomware to the system.

20220331 – 1455hrs CSIRT collected forensic artefacts (listed in the Evidence Register). An initial investigation has assessed the cyber security incident as ‘High’.
The following systems are currently offline: ...

20220401 – 1150hrs SEMT voted to escalate the cyber security incident to ‘Critical’.
Next actions were agreed to as follows: …

Appendix F – Evidence Register Template
Columns: Date/Time and Location of Collection; Collected by (name, title, contact and phone number); Item Details
(quantity, serial number, model number, hostname, MAC address, IP addresses and hash values); Storage Location
and Label Number; Access.

Example entry:
Date/Time and Location of Collection: 20220402 – 1200hrs – Head Office
Collected by: Jane Doe – CSIRT – Contact Details
Item Details: 1 x disk and memory image, XYZ Desktop, ABC Model Number, IP ###.###.###.###, ...
Storage Location and Label Number: Stored on hard drive asset number ####, in IT Security Office and on network
drive H:\...
Access: CSIRT team, law enforcement, ASD

Appendix G – Remediation Action Plan Template
Columns: Date/Time; Category (Contain, Eradicate, Recover); Action; Action Owner; Status (Unallocated, In
Progress, Closed).

Example entry:
Date/Time: 20220425 – 0900hrs
Category: Contain
Action: Isolated hosts identified as infected per CSIRT investigation.
Action Owner: CSIRT Team Leader
Status: In Progress

Appendix H – Post cyber security incident
reviews
A post cyber security incident review is a detailed review conducted after an organisation has experienced a cyber
security incident. The content of the review will vary for each organisation, but primarily focuses on establishing
learnings and providing recommended actions to mitigate future cyber security incidents. The purpose of this guide is
to provide organisations that have experienced a cyber security incident with tools and techniques to conduct a post
cyber security incident review.

How to use this guide


This guide contains high level steps recommended for organisations to follow after experiencing a cyber security
incident. The guide should be used as a resource, and will need to be further tailored by organisations to suit their
individual requirements. The templates provided are generic and will need to be tailored to suit specific organisational
requirements.

Post cyber security incident review steps


Step 1 – Hold cyber security incident debriefs

Post cyber security incident debriefs are useful for capturing observations from personnel directly involved in
managing a cyber security incident and identifying actions to improve how their organisation managed its response, as
well as how the cyber security incident could have been prevented. There are two types of debriefs organisations may
hold after experiencing a cyber security incident: a hot debrief and a formal debrief (also known as a cold debrief).

A hot debrief is held immediately after an organisation has recovered its systems, services or networks from a cyber
security incident. The benefits of holding a hot debrief include:

 the team involved in responding to the cyber security incident can provide instant feedback and lessons learned

 any urgent issues identified during the cyber security incident can be addressed immediately

 personnel involved in the cyber security incident are more likely to recall information and detail as it is still fresh
in their minds.

A formal debrief is held days to weeks after an organisation has recovered its systems, services or networks from a
cyber security incident. The benefits of holding a formal debrief include:

 it provides an opportunity to discuss the cyber security incident in detail after it is resolved to gather key
insights, learnings and opportunities for improvement

 it provides time between the cyber security incident and debrief allowing emotions to settle, particularly for
stressful cyber security incidents

 it ensures all key personnel required for discussions are present, especially senior management who will need to
drive the implementation of actions.

Hot debrief guidance

Time

30 minutes – 1 hour.

Aim

The aim of the hot debrief is to review the cyber security incident, receive feedback on personnel observations and
insights, and identify any urgent issues requiring immediate action.

Participants

The hot debrief should be led by a facilitator (such as a manager who was involved during the cyber security incident)
and supported by a scribe whose role is to document attendance, key insights and immediate actions. It is
recommended that hot debrief participants include all personnel involved during the detection, response and
recovery phases of the cyber security incident, with upper management excluded (e.g. Chief Executive Officers and
General Managers). This will ensure personnel involved in the cyber security incident can speak openly without fear of
repercussion.

Content

The facilitator could guide discussion using the following questions:

 What went well?

 What could we do differently next time to improve?

 What action has been taken to remediate immediate risk?

 Are there any further issues that require immediate resolution?

Note, it is essential for the facilitator to remain objective during the discussion, and treat the cyber security incident as
a learning point for all involved, without attributing blame to an individual or team.

Conclusion

At the end of the hot debrief, the facilitator should provide a summary of the discussions to participants who can
confirm whether the key issues and actions were captured. The facilitator should explain the next steps and the
expected timeframes for these.

Formal debrief guidance

Time

1–2 hours.

Aim

The aim of the formal debrief is to review the cyber security incident, validate what worked, and produce actions and
assigned responsibilities to improve current arrangements.

Participants

The formal debrief should be led by a facilitator who asks key questions, supported by a scribe to document
attendance, key insights and actions.

It is recommended that formal debrief participants include:

 technical personnel who were involved in detecting, responding to and resolving the cyber security incident

 non-technical personnel who were involved during the cyber security incident

 communications/media personnel involved in the cyber security incident.

Content

Questions to consider in the formal debrief can be found in the Post Cyber Security Incident Review Analysis
Template. The facilitator can use this guidance to lead the conversation with the participants while the scribe
documents the discussion directly into the template. The scribe can also use the Action Register Template to
document any actions resulting from the discussion.

Conclusion

At the end of the debrief, a decision should be made about whether additional discussions are required, or if
finalisation of the cyber security incident documentation can be completed. If email correspondence is selected to
disseminate the documentation, an action officer will need to be identified to complete the documents and circulate
them to staff for endorsement.

Step 2 – Complete cyber security incident documentation

Based on the findings of the debriefs, the action officer should complete a draft of the Post Cyber Security Incident
Review Analysis and the Action Register and circulate them to the personnel involved in the debrief for their feedback
and endorsement. Note, it is important that the Action Register details an assigned lead (action officer) for closing out
each action.

Once feedback is received and incorporated, documentation should be sent to an executive staff member (e.g. a Chief
Executive Officer or General Manager) for endorsement. The executive staff member may advise their expectations on
the frequency of progress reporting of agreed actions and nominate a person to lead tracking and reporting.

Step 3 – Cyber security incident tracking and reporting

The identified actions should be tracked and reported at agreed frequencies.

Post Cyber Security Incident Review Analysis Template

CYBER SECURITY INCIDENT SUMMARY

Cyber security incident name:

Date of cyber security incident: dd/mm/yyyy

Cyber security incident priority: Low/Medium/High. Established from the impact and/or risk to the business.

Time cyber security incident occurred:

Time cyber security incident was resolved:

Cyber security incident type:

Personnel involved: Names of the individuals involved in resolving the cyber security incident and their
function(s), including any service providers.

Cyber security incident impact: What impact did the cyber security incident have (e.g. loss of systems, services or
networks).

Brief summary: What happened?

Cyber security incident analysis

Cyber security incident analysis is broken into the following categories:

 Timeline: Summary of what happened and when. Provides high level areas for improvement.

 Protection: Identifies the control mechanisms that were in place at the time of the cyber security incident and
their effectiveness. Establishes how to improve the protection of systems, services and networks.

 Detection: Establishes how to reduce the time to identify a cyber security incident. Addresses what detection
mechanisms were in place and how those mechanisms could be improved.

 Response: Identifies improvements for the cyber security incident response.

 Recovery: Addresses improvements for cyber security incident recovery.

TIMELINE

Date and time of detection

When was the cyber security incident acknowledged? – When did the organisation identify that a cyber security
incident was occurring?

Date and time of cyber security incident response

Date and time of cyber security incident recovery

Who discovered the cyber security incident first and how? – Or who was alerted to it first? How did the discovery or
alert happen?

Was the cyber security incident reported externally? If yes, when? – For example, did the organisation report it to
ASD or the OAIC?

Who supported resolving the cyber security incident? When did they provide support? – List the names of personnel
involved in resolving the cyber security incident and the time (and date if not all on the same day) they joined in.

What activities were conducted to resolve the cyber security incident? When were they conducted and what was their
impact? – It is easier to do this in a list. For example: Time > Task > Impact.

PROPOSED ACTIONS – Detail any resulting actions that can be incorporated into the Action Register.
Brief description of action > Proposed Action Officer.

PROTECTION

What controls were in place that were expected to stop a cyber security incident similar to this?

How effective were those controls? – Did they work? Why/why not? How could they be improved?

Are there other controls considered better for protecting against a similar cyber security incident? – What are
they?

What business processes and procedures were in place to prevent this type of cyber security incident from
occurring?

How effective were those business processes and procedures? – Did they work? Why/why not? How could they be
improved?

Any other findings and/or suggestions for improvement? – See the PPOSTTE model for guidance.

PROPOSED ACTIONS – Detail any resulting actions that can be incorporated into the Action Register.
Brief description of action > Proposed Action Officer.

DETECTION

Question | Guidance
How was the cyber security incident detected? | How did the organisation know a cyber security incident was happening?
What controls were in place to detect the cyber security incident? |
Were those controls effective? | Did they work? Why/why not? How could they be improved?
Are there any ways to improve the ‘time to detection’? | How could the organisation reduce that time?
Are there any indicators that can be used to detect similar cyber security incidents in the future? |
Are there any additional tools or resources that are required in the future to detect similar cyber security incidents? | Is there anything from a detection perspective that would help mitigate future cyber security incidents?
Any other findings and/or suggestions for improvement? | What activities worked well? What activities did not work so well? What could be changed with hindsight? See the PPOSTTE model for guidance.
PROPOSED ACTIONS | Detail any resulting actions that can be incorporated into the Action Register. Brief description of action > Proposed Action Officer.

RESPONSE

Question | Guidance
What was the cause of the cyber security incident? |
How was the cyber security incident resolved? | What needed to happen for the cyber security incident to be resolved?
What obstacles were faced when responding to the cyber security incident? |
Were any business processes and procedures used in responding to the cyber security incident? | For example, does the organisation have a CSIRP, and was this followed?
Were those business processes and procedures effective? | Did they work? Why/why not?
What delays and obstacles were experienced when responding? |
Were there any escalation points? | Were there any escalation points that the cyber security incident went through?
If there were escalation points, did they hamper the response or were they at the appropriate level? | For example, having to escalate to a Chief Operating Officer to take action on an ongoing cyber security incident had severe timeline impacts for the response.
How well did the information sharing and communications work within your organisation? | What worked well/what did not work well? How could it be improved? Was there any information that was needed sooner? How did the organisation communicate within the IR team, across jurisdictions, across time zones, legal teams and external comms teams?
Were there any media enquiries received during the cyber security incident? | If yes, how did the organisation respond?
Was media produced during the cyber security incident? | If yes, what was the media that was produced?
Were stakeholders and/or customers notified during the cyber security incident? | Why/why not? When? How? Was it effective? How could it be improved?
Were trained personnel available to respond? | Are there any personnel knowledge and/or skills gaps? What are they? Were there enough resources available to respond?
Any other findings and/or suggestions for improvement? | See the PPOSTTE model for guidance.
PROPOSED ACTIONS | Detail any resulting actions that can be incorporated into the Action Register. Brief description of action > Proposed Action Officer.

RECOVERY

Question | Guidance
How long did it take for all systems, services and networks to recover? |
How could this time be improved? | For example, how could the recovery time be reduced?
Are there any obligations to report externally about the cyber security incident? | If yes, to whom?
Were there any media enquiries after the cyber security incident? | If yes, how did the organisation respond?
Were stakeholders and/or customers notified following the cyber security incident? | Why/why not? When? How? Was it effective? How could it be improved?
Any other findings and/or suggestions for improvement? | See the PPOSTTE model for guidance.
PROPOSED ACTIONS | Detail any resulting actions that can be incorporated into the Action Register. Brief description of action > Proposed Action Officer.

Appendix I – Action Register Template

ID | Action | Action Officer | Date Expected to be Completed | Status | Updates | Comments
01 | Describe the action in detail. | Name of the person who will be leading the action. | Date the action is expected to be completed. | Complete / In progress / Not yet started | Insert date, and any updates to progressing the action. Detail any blockers here. | Any relevant information relating to closing out the action.
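As an added example, not code from the ASD guide or any ASD tooling, the following Python sketch models the TIMELINE section of the post-incident review template and the Action Register above as data: it derives time to detection, time to response and time to recovery from the recorded timestamps, orders the Time > Task > Impact activity list correctly even when teams in different time zones logged the entries, and flags register entries that are past their expected date without being complete. The incident, the AEDT zone, the dates, the actions and the officer roles are all constructed sample values.

```python
# Added example (not code from the ASD guide): models the TIMELINE section of the
# post-incident review and the Action Register as data so durations can be computed.
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from enum import Enum


@dataclass
class IncidentTimeline:
    started: datetime           # when the incident began (established in the review)
    detected: datetime          # "Date and time of detection"
    response_started: datetime  # "Date and time of cyber security incident response"
    recovered: datetime         # "Date and time of cyber security incident recovery"
    events: list[tuple[datetime, str, str]] = field(default_factory=list)  # (time, task, impact)

    def __post_init__(self) -> None:
        stamps = [self.started, self.detected, self.response_started, self.recovered]
        # Reviews span time zones, so naive (offset-less) timestamps are rejected outright.
        if any(ts.utcoffset() is None for ts in stamps + [e[0] for e in self.events]):
            raise ValueError("all timestamps must be timezone-aware")
        if not self.started <= self.detected <= self.response_started <= self.recovered:
            raise ValueError("expected started <= detected <= response_started <= recovered")

    def time_to_detection(self) -> timedelta:
        return self.detected - self.started

    def time_to_response(self) -> timedelta:
        return self.response_started - self.detected

    def time_to_recovery(self) -> timedelta:
        return self.recovered - self.response_started

    def activity_log(self) -> list[str]:
        # 'Time > Task > Impact' lines; aware datetimes sort correctly across offsets,
        # and rendering in UTC gives the review a single reference clock.
        return [f"{ts.astimezone(timezone.utc):%Y-%m-%d %H:%MZ} > {task} > {impact}"
                for ts, task, impact in sorted(self.events, key=lambda e: e[0])]


class Status(str, Enum):
    NOT_STARTED = "Not yet started"
    IN_PROGRESS = "In progress"
    COMPLETE = "Complete"


@dataclass
class Action:
    action_id: str
    description: str
    officer: str       # Action Officer leading the action
    expected_by: date  # date the action is expected to be completed
    status: Status = Status.NOT_STARTED
    updates: list[tuple[date, str]] = field(default_factory=list)  # (date, progress note)


class ActionRegister:
    def __init__(self) -> None:
        self._actions: dict[str, Action] = {}

    def add(self, action: Action) -> None:
        if action.action_id in self._actions:
            raise ValueError(f"duplicate action ID {action.action_id}")
        self._actions[action.action_id] = action

    def overdue(self, as_of: date) -> list[str]:
        # IDs of actions past their expected date and not yet complete.
        return [a.action_id for a in self._actions.values()
                if a.status is not Status.COMPLETE and a.expected_by < as_of]


AEDT = timezone(timedelta(hours=11))  # constructed: the organisation's local zone
REVIEW_DATE = date(2024, 3, 15)       # constructed: when the register is reviewed


def build_sample_timeline() -> IncidentTimeline:
    # Constructed sample incident, not a real case; one event is logged in UTC by
    # an overseas team and still sorts into the right place.
    return IncidentTimeline(
        started=datetime(2024, 3, 1, 22, 10, tzinfo=AEDT),
        detected=datetime(2024, 3, 2, 8, 30, tzinfo=AEDT),
        response_started=datetime(2024, 3, 2, 9, 15, tzinfo=AEDT),
        recovered=datetime(2024, 3, 4, 17, 0, tzinfo=AEDT),
        events=[
            (datetime(2024, 3, 2, 9, 15, tzinfo=AEDT), "Affected host isolated", "Spread contained"),
            (datetime(2024, 3, 1, 23, 0, tzinfo=timezone.utc), "Legal team notified", "Reporting assessment started"),
            (datetime(2024, 3, 2, 8, 30, tzinfo=AEDT), "Overnight alert triaged", "Incident declared"),
        ],
    )


def build_sample_register() -> ActionRegister:
    reg = ActionRegister()
    reg.add(Action("01", "Tune the detection rule whose alert sat unreviewed overnight", "SOC lead",
                   date(2024, 3, 20), Status.IN_PROGRESS, [(date(2024, 3, 12), "Threshold adjusted")]))
    reg.add(Action("02", "Add an after-hours escalation contact to the CSIRP", "IR manager", date(2024, 3, 10)))
    reg.add(Action("03", "Brief the board on the incident and recovery", "CISO",
                   date(2024, 3, 8), Status.COMPLETE, [(date(2024, 3, 7), "Board briefed")]))
    return reg
```

Running `build_sample_timeline().time_to_detection()` on the constructed incident gives 10 hours 20 minutes, which is the number the DETECTION section's ‘time to detection’ question is asking the review to reduce; `build_sample_register().overdue(REVIEW_DATE)` returns the one action that has slipped, which is what a review chair needs before each follow-up meeting. Rejecting naive timestamps in `__post_init__` is deliberate: a timeline mixing local and UTC times without offsets produces durations that are wrong by hours, and a review built on those numbers will misjudge both detection and recovery performance.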

Appendix J – Role cards
Example of a role card:

Appendix K – ASD Cyber Security Incident Categorisation Matrix
ASD categorises cyber security incidents by severity using a matrix that considers the:

• cyber effect (i.e. the impact, success, sustained and/or intent)

• significance (i.e. sensitivity of the organisation).

The severity of the cyber security incident informs the type and nature of cyber security incident response and crisis
management arrangements that are activated. Depending on the severity of the cyber security incident, ASD has a
suite of capabilities that it may deploy to support the affected parties. However, ASD determines which capabilities
are appropriate and available given competing priorities. Organisations must not rely on ASD for their ability to
respond to cyber security incidents in an appropriate and timely manner.

Disclaimer

The material in this guide is of a general nature and should not be regarded as legal advice or relied on for assistance
in any particular circumstance or emergency situation. In any important matter, you should seek appropriate
independent professional advice in relation to your own circumstances.

The Commonwealth accepts no responsibility or liability for any damage, loss or expense incurred as a result of the
reliance on information contained in this guide.

Copyright

© Commonwealth of Australia 2024.

With the exception of the Coat of Arms, the Australian Signals Directorate logo and where otherwise stated, all
material presented in this publication is provided under a Creative Commons Attribution 4.0 International licence
(www.creativecommons.org/licenses).

For the avoidance of doubt, this means this licence only applies to material as set out in this document.

The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code
for the CC BY 4.0 licence (www.creativecommons.org/licenses).

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the Department of the Prime Minister and
Cabinet website (www.pmc.gov.au/government/commonwealth-coat-arms).

For more information, or to report a cyber security incident, contact us:


cyber.gov.au | 1300 CYBER1 (1300 292 371)