Cyber Security Incident Response Procedures

1. Scope of these procedures

Definition of Incident 

“An adverse event that might cause disruption, loss or emergency, but which does not meet the organisation’s criteria for, or definition of, a crisis.”

Incident vs Crisis 

The Crisis Management Plan defines a “crisis” as “an event that significantly disrupts normal operations, has caused or is likely to cause severe distress or have severe consequences for individual staff or organisations, and requires out of ordinary measures to restore order and normality, thus demanding immediate action from senior management.” 

A crisis requires significant and structured senior management response; attempts to manage a crisis as an incident can introduce a delay before the crisis is given meaningful strategic attention.

An incident does not have wider implications for the organisation as a whole and is, therefore, managed by regular AADF management structures, with additional support from service providers (IT, security). These Cyber Security Incident Response Procedures set out the principles and the process for managing such incidents.

An Incident could include:

  • A non-compliance incident resulting in material loss to AADF, e.g. data breach
  • A cyber attack

An Incident could become a Crisis if:  

  • AADF suffers a major cyber attack and/or significant or repeated incidents of attempted interference in AADF’s affairs by a hostile state actor
  • Major legal or regulatory action against AADF, including fines

2. Reporting Incidents

AADF staff are expected to report all Incidents, which are actual, suspected, or potential cyber threats or harm related to AADF people, premises, assets, and/or event or activity participants.

An initial notification can be made informally, via email, telephone or any other means. The AADF telephone is +355 or notifications can be made to or directly to the Admin Officer (+355) or Compliance and Control Officer.

This notification should be followed up, as soon as reasonably practicable, by a more formal documented report using the incident report form (see below).

3. Incident Response – management

For any Incident, the Admin Officer and Compliance and Control Officer will consult and agree, if appropriate, to convene an ad hoc Incident Response Group to manage AADF’s response to the Incident. In such a case, the Admin Officer and Compliance and Control Officer will agree on the membership of the Response Group, which may draw on members of AADF’s outsourced network support provider. The Admin Officer will act as Chair of the Response Group, supported by the Compliance and Control Officer. Other members will be tasked with roles aligned to their job duties.

If an Incident Response Group is established, a Team should be established on MS Outlook or via WhatsApp to facilitate real-time communication and document sharing. The Incident Response Group should be convened regularly, by the Coordinator, at least once per day at the outset, reducing as appropriate over time, until the Incident can be considered closed.

4. Incident response – practical steps

(i) Complete a situational analysis

What Happened?

  • Type of Incident?
  • Who was involved?
  • When?
  • Where?
  • Verified Information (and from whom)?
  • Unverified Information (and from whom)?
  • Actions Taken?

How bad is it?

  • Is there an on-going threat?
  • Who is directly involved?
  • Who is indirectly affected?
  • Are assets or network integrity damaged?
  • Has confidential information or intellectual property been lost?
  • How is it affecting other operations?
  • Are there external people involved? Could they be affected? Do they need to be informed?
  • Is the media involved?
  • What other foreseeable problems could arise?
  • What is being done to mitigate these?

Who is Doing What?

  • Who is dealing with affected staff? Other staff?
  • Who is dealing with partner agencies?
  • Who is dealing with external agencies? Police, prosecutors etc.?
  • Who is dealing with other interested parties? NGOs, IOs etc.
  • Who is dealing with the media?

(ii) Develop and agree a quick and simple Response Action Plan and a Comms Plan

(iii) Retain advisers as appropriate, as soon as possible. No procurement process is required in the circumstances. Any costs may be approved and met from the Ops / Security Budget.

(iv) Take action 

(v) Monitor actions via a log-book / progress tracker

5. Post Incident Review

After an Incident has been reported and dealt with, the Head of Operations and Director of Operations should commission a process of analysing the incident in order to learn from it and seek to make appropriate adjustments. Incident reviews may expose gaps in security procedures or may expose changes in the security environment.

Areas to review include:

Motives and behaviour:

  • What are the motives of the perpetrators of the incident?
  • What may have triggered the actions of the perpetrators? Are any of these within AADF’s control to alter?

Targeting:

  • Are there any indications that the incident was opportunistic, or was AADF directly targeted?

Patterns:

  • Are there any emerging patterns in the locations, timings, targets or victims of incidents?
  • What do these patterns reveal about the overall cyber security situation in this context?

Effectiveness of security procedures:

  • What cyber security measures were in place?
  • Were they appropriate?
  • Were they observed?
  • How can they be improved?

Ultimately, the aim of such questions is to find out which actions, processes, etc. are within AADF’s control and then to make appropriate adjustments.