Incident Reporting
Document security events as they occur with proper detail
The first 24 hours of an incident are critical. Proper initial reporting sets the stage for effective response.
When to Report
Report security events immediately when you discover:
- Unauthorized access: Suspicious logins, compromised credentials, privilege escalation
- Data exposure: Potential data leaks, misconfigured storage, exposed databases
- System compromise: Malware detection, ransomware, command-and-control activity
- Availability issues: DDoS attacks, service outages, system failures
- Policy violations: Employee actions breaching security policies
- Physical security: Unauthorized facility access, theft, tampering
When in doubt, report it. False positives are better than missed incidents.
[Screenshot: Incident Report Form] Placeholder: Initial incident report with key fields
Initial Report Contents
Document the essentials immediately:
- What happened: Clear description of the event
- When discovered: Timestamp of initial detection
- Who discovered: Person or system that detected the incident
- Affected systems: Assets, applications, or data involved
- Immediate actions: What you've already done to contain it
- Severity assessment: Initial estimate of impact (will be refined)
Severity Levels
Choose the appropriate severity:
- Low: Minor policy violation, limited impact, no data exposure
- Medium: Affects single system, potential data exposure, business disruption possible
- High: Multiple systems affected, confirmed data exposure, significant business impact
- Critical: Widespread compromise, major data breach, severe business impact, regulatory reporting required
[Screenshot: Severity Selection] Placeholder: Severity level picker with guidance
Who to Notify
Incident severity determines who is notified:
- Low: Assigned incident handler only
- Medium: Incident handler + IT manager
- High: Crisis management team + executive stakeholders
- Critical: Full crisis response team + board notification
Incident ID and Tracking
Each incident receives:
- Unique ID: For referencing across communications
- Status tracking: New → In Progress → Resolved → Report Completed
- Timeline: Auto-logged timestamps for all status changes
- Update log: Running record of investigation progress
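The rules in the Initial Report Contents, Severity Levels, Who to Notify and Incident ID and Tracking sections above, as an added Python example that is not part of this page or its product: it rejects an initial report with missing fields, maps severity to the notification list, and enforces the New → In Progress → Resolved → Report Completed sequence with an auto-logged timeline. The INC-#### ID format and the sample report are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

NOTIFY = {  # severity -> who to notify, as listed under "Who to Notify"
    "Low": ["incident handler"],
    "Medium": ["incident handler", "IT manager"],
    "High": ["crisis management team", "executive stakeholders"],
    "Critical": ["crisis response team", "board"],
}
# Allowed status sequence from "Incident ID and Tracking"; no skipping or reversing.
STATUSES = ["New", "In Progress", "Resolved", "Report Completed"]
REQUIRED = ("what", "when_discovered", "who_discovered", "affected_systems",
            "immediate_actions", "severity")  # from "Initial Report Contents"

@dataclass
class Incident:
    incident_id: str          # unique ID; the INC-#### format used here is an assumption
    report: dict
    status: str = "New"
    timeline: list = field(default_factory=list)  # auto-logged (timestamp, status) pairs

    def __post_init__(self):
        missing = [f for f in REQUIRED if not self.report.get(f)]
        if missing:
            raise ValueError(f"initial report incomplete, missing {missing}")
        if self.report["severity"] not in NOTIFY:
            raise ValueError(f"unknown severity {self.report['severity']!r}")
        self.timeline.append((datetime.now(timezone.utc).isoformat(), self.status))

    def notify_list(self):
        return NOTIFY[self.report["severity"]]

    def advance(self):
        # Move to the next status in order; a closed incident cannot advance further.
        i = STATUSES.index(self.status)
        if i == len(STATUSES) - 1:
            raise ValueError("incident already at Report Completed")
        self.status = STATUSES[i + 1]
        self.timeline.append((datetime.now(timezone.utc).isoformat(), self.status))
        return self.status

def example_incident():
    # Constructed sample report (not real data) for a High-severity event.
    return Incident("INC-0001", {
        "what": "Suspicious logins to the HR file share", "severity": "High",
        "when_discovered": "2024-05-01T08:15:00Z", "who_discovered": "SIEM alert",
        "affected_systems": ["hr-fileshare-01"],
        "immediate_actions": "Account disabled, share access revoked",
    })
```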
[Screenshot: Incident Tracking] Placeholder: Incident detail view with timeline
Next Steps
After reporting:
- Alert crisis management team if severity warrants
- Begin investigation and documentation
- Link to Security Incidents workflow for full response process