Why does the template ask for worst-case and best-case scenarios?
Imagine this. You see an administrator account on your file server that shouldn’t exist. The best-case scenario is that the hacker somehow got access to the file server without touching any other system in your entire network. Best case, they just looked at a few things, then decided to log off, eat some Twinkies, and change careers to become a priest. Probably not. But maybe.
The worst-case scenario is that every system on your entire network has been breached and fully exported, and your identity is already for sale on the black market for $0.05. And the criminal is using your web servers to host child porn. Probably not. But maybe.
At the beginning of an incident, no one knows how bad it is except for the attacker. It can take months or years of specialized investigation and forensics to identify the full damage and method. Or you might never get the full story.
In other words, no pressure. Take your best guess, mark the time and date, then update it as you learn more. Be conservative on the worst-case scenario. If you see evidence that a system is compromised, or that a compromised account had access to it, then yes, put it into the worst-case estimate. But if you don’t see any evidence of breach, then hold off for now. I recommend this because your company might be sued or go to court, and you really don’t want to give the prosecution more ammunition to use against your company if there is no evidence to support it.
The template needs this information so that your managers, investigators, and the courts can see the progression of information over time. They can see that your organization escalated and notified appropriately depending on what you knew at the time.
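As an added illustration (not part of the original template or Kieri Solutions' material), here is one way to keep the timestamped progression of estimates the article describes: an append-only log where a system may only enter the worst-case set when an evidence note is attached, and earlier entries are never rewritten. The class and method names are my own choices.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ScopeEstimate:
    """One timestamped snapshot of what the responder believed at that moment."""
    recorded_at: datetime
    best_case: frozenset          # systems confirmed touched by the attacker
    worst_case: frozenset         # systems the attacker could plausibly have reached
    evidence: dict                # system -> evidence justifying worst-case inclusion
    note: str


class IncidentScopeLog:
    """Append-only record of best/worst-case estimates; old entries are never edited."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.estimates = []

    def record(self, best_case, worst_case, evidence, note="", when=None):
        best, worst = frozenset(best_case), frozenset(worst_case)
        # Rule from the article: a system enters the worst case only with evidence
        # (signs of compromise, or a compromised account that had access to it).
        unsupported = sorted(worst - set(evidence))
        if unsupported:
            raise ValueError(f"no evidence recorded for worst-case systems: {unsupported}")
        if not best <= worst:
            raise ValueError("every best-case system must also be in the worst case")
        when = when or datetime.now(timezone.utc)
        if self.estimates and when < self.estimates[-1].recorded_at:
            raise ValueError("estimates must be recorded in chronological order")
        self.estimates.append(ScopeEstimate(when, best, worst, dict(evidence), note))

    def timeline(self):
        """Rows for the report: when, best-case count, worst-case count, and the note."""
        return [(e.recorded_at.isoformat(), len(e.best_case), len(e.worst_case), e.note)
                for e in self.estimates]

    def newly_added(self):
        """Systems that entered the worst case in the latest update versus the previous one."""
        if not self.estimates:
            return set()
        if len(self.estimates) == 1:
            return set(self.estimates[0].worst_case)
        return set(self.estimates[-1].worst_case - self.estimates[-2].worst_case)
```

The timeline rows are what managers, investigators, or a court would see: what was believed, when, and on what evidence each escalation was made.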
I hope you found this article useful!
Please comment with your favorite scenario or to add missing questions to the incident reporting template!
Kieri Solutions provides consulting on cyber-security policy, business continuity, and disaster recovery. We love performing high-availability and virtualization projects because these technologies make businesses more resilient. Kieri Solutions is located in Maryland, USA. Please email us at email@example.com if you want assistance or training on these topics!
Copyright Kieri Solutions LLC 2018