Building an incident report

In order to document and respond to network incidents you will need to thoroughly record the details of the problem. Documentation is necessary in order to present the activity to management, and, indeed, will be required should your enterprise decide to proceed legally against the parties responsible. Almost as bad as the incident having happened is the feeling that you have missed some crucial piece of evidence that could help track down and convict the culprit, or, worse, leave your systems open to another attack. The following is a list of essential information to be collected:

  1. Who completed the form and how he can be contacted.
  2. What incident is being reported: equipment failure, software failure, or a security issue such as an intrusion, inside security breach, denial of service, virus, Trojan, worm, or something else.
  3. What data was compromised and when. Describe the level of access achieved in the incident.
  4. What equipment or software was compromised? What actions are necessary to remedy the situation?
  5. How was the incident first detected: software or audit logs, user query, external factor?
  6. What symptoms are noticed and how do they affect business operations and systems? Describe the specific OS, hardware, applications, IP addresses, users and groups, and other factors affected.
  7. Are the affected systems still online? Are they backed up, and can they still be attacked?
  8. Is this incident actionable, and what is required to create the necessary documentation for forensics?

A checklist can be very useful, and when complete should be printed, signed and dated not only by the author but by an agreed upon chain of command.
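As an added example (not code from the original tip), the following Python checker treats the eight items above as required fields, refuses a sign-off while any item is blank, and binds each dated signature to a SHA-256 digest of the report body so that any edit made after signing is detectable; the field keys, class and sample values are my own choices.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The eight essential items from the tip, keyed so a report can be checked for completeness.
REQUIRED_FIELDS = {
    "reporter": "who completed the form and how to contact them",
    "incident_type": "equipment or software failure, or security issue (intrusion, breach, DoS, malware)",
    "data_compromised": "what data was compromised, when, and the level of access achieved",
    "assets_affected": "equipment or software compromised and the actions needed to remedy it",
    "detection": "how the incident was first detected (logs, user query, external factor)",
    "symptoms": "symptoms and business impact: OS, hardware, applications, IPs, users and groups",
    "system_status": "still online? backed up? can it still be attacked?",
    "actionable": "whether the incident is actionable and what forensic documentation is required",
}


@dataclass
class IncidentReport:
    fields: dict                              # answers keyed by REQUIRED_FIELDS
    signoffs: list = field(default_factory=list)

    def missing(self):
        """Required items not yet filled in; blank strings count as missing."""
        return [k for k in REQUIRED_FIELDS if not str(self.fields.get(k, "")).strip()]

    def digest(self):
        """SHA-256 over the canonical JSON of the body; this is what each signer attests to."""
        body = json.dumps(self.fields, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()

    def sign(self, name, role, when=None):
        """Record a dated sign-off bound to the current digest; refuse while items are missing."""
        gaps = self.missing()
        if gaps:
            raise ValueError(f"report incomplete, missing: {gaps}")
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {"name": name, "role": role, "date": when, "digest": self.digest()}
        self.signoffs.append(entry)
        return entry

    def verify(self):
        """True only if at least one sign-off exists and all still match the body."""
        current = self.digest()
        return bool(self.signoffs) and all(s["digest"] == current for s in self.signoffs)
```

Each person in the chain of command signs the same digest, so a later change to any field invalidates every signature at once rather than only the most recent.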


Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.


This was first published in January 2004
