Preparing for and Responding to Cyber Security Incidents

Download ACSC Protect: Preparing For and Responding To Cyber Security Incidents (PDF), September 2012
First published September 2012


  1. Cyber security incidents can include denying, disrupting or stealing of information on ICT systems. In addition to the damage done to Australia's economic wellbeing and thereby to all Australian citizens, such compromises damage the reputation of affected organisations, undermine public confidence in the Australian government and unnecessarily consume scarce money and staff resources to continually clean up compromises. Agencies should assess the value of information stored on their networks and apply security measures commensurate to the risk.
  2. Cyber security incidents affecting government networks can be costly to agencies, consuming money and staff resources. In particular, agencies can be impacted through:
    1. service unavailability and lost productivity
    2. damage to agency reputation and trust
    3. lost or stolen information that could harm Australia's economic wellbeing, national security or the privacy of Australian people
    4. staff time and costs associated with restoring systems to a trusted state.
  3. It is imperative that cyber security incidents are reported and resolved in an efficient and timely manner. The severity, scope and amount of damage of a cyber security incident, and therefore its cost, increase with every hour it remains unresolved. The following advice will enable a quicker response to a cyber security incident.
  4. While responding to cyber security incidents quickly is important, agencies can implement strong mitigations to prevent incidents occurring in the first place and enable rapid detection. DSD's Strategies to Mitigate Targeted Cyber Intrusions document provides guidance in this area. DSD's Cyber Security Operations Centre (CSOC) provides government with a better understanding of sophisticated cyber threats and coordinates operational responses to cyber events of national importance across government systems.
  5. This document assists senior managers in assessing their agencies' preparedness to respond to cyber security incidents.

Questions for senior management to ask their IT security team

  1. Senior managers should ask the following questions to determine how well their agency is positioned to respond to a cyber security incident.
    1. What are our legislative requirements and obligations for incident reporting?
    2. Who has primary responsibility for incident response in our agency?
    3. Are procedures in place to provide information and reporting to relevant parties during an incident? Is the IT Security Advisor familiar with the Cyber Security Incident Reporting process to the CSOC?
      Planning and preparation
    4. Do we have a business continuity plan and disaster recovery plan and have these plans been regularly tested?
    5. Do we have an up-to-date and regularly tested incident response plan?
    6. Do we have up-to-date documentation such as System Security Plans and Standard Operating Procedures?
    7. Do our agreements with contracted IT service providers have arrangements in place for incident response?
    8. Have we identified our critical systems?
    9. Do we have monitoring in place to assess our environment for cyber security threats?
    10. Do we have processes in place to detect when an incident may have occurred?
    11. How easily and quickly can we access resources key to mitigating an incident? (For example, system managers, technical experts, Internet Service Provider, system logs and physical system infrastructure.)
    12. Do we have an up-to-date after-hours contact list for key personnel and external stakeholders?
    13. Do we have the ability to identify and isolate an affected workstation or system?

Preparing for and responding to cyber security incidents

  1. An agency should assess its readiness to respond to a cyber security incident and its ability to provide adequate data to the CSOC if required. This document will help an agency assess its response capabilities and enable a quicker response.
  2. An agency should maintain awareness of the cyber threat environment to assist in implementing appropriate mitigation strategies. Engaging with DSD for information on cyber security and the current threat environment can help agencies plan for cyber security incident response. Maintaining a current security risk management plan for information security systems is imperative. The aim of the security risk management plan is to reduce the overall risk to agency information systems. The plan should include:
    1. evaluating key assets and information
    2. identifying assessed risks to those assets
    3. performing a cost-benefit analysis for implementing potential risk mitigation strategies
    4. the risk treatments implemented.
  3. Ensuring agency IT Security Advisors have well-documented incident response procedures can save time, money and staff resources, and will ensure incidents can be contained and mitigated quickly.
  4. Early reporting of cyber security incidents to the CSOC via a Cyber Security Incident Report form (available from DSD's website) will enable faster CSOC triage, mitigation and containment of the threat if required.

Further information

  1. The Australian Government Information Security Manual assists in the protection of official government information that is processed, stored or communicated by Australian Government systems.
  2. DSD’s Strategies to Mitigate Targeted Cyber Intrusions complements the advice in the ISM.
  3. The Cyber Security Incident Report form is available from the DSD website and the OnSecure government information security portal.

Contact details

  1. Organisations or individuals with questions regarding this advice can contact the ACSC by emailing or calling 1300 CYBER1 (1300 292 371).