Golden rule: Speed, structure, and transparency.


The longer an incident goes uncontained, the higher the financial, legal and reputational cost.

You now understand why cyber security matters and what the main threats look like.


This module equips you with a practical, step-by-step playbook, adapted from the IIP Cyber Incident Response Plan, so you know exactly what to do the moment you suspect something is wrong.

By the end of this module, you will be able to:

  1. Distinguish between a cyber event and a cyber incident.

  2. Recall the five NIST-aligned response phases used at IIP.

  3. Execute the “first-15-minutes” containment checklist for advisers.

  4. Explain when and how to escalate to the Incident Management Team (IMT).

  5. Log evidence and complete the Situation Update & Incident Log templates.

Key definitions

  • Cyber event: Suspicious activity that could become an incident (e.g., repeated failed log-ins).

  • Cyber incident: Confirmed breach of security policy threatening confidentiality, integrity or availability (e.g., ransomware, data leak).

The Incident-Response Lifecycle

  1. Detect & Analyse
     Your goal: Confirm “event” vs “incident”.
     Core actions (abridged): Check alerts, logs, unusual traffic; look for indicators such as lock-outs or phishing complaints.

  2. Contain & Eradicate
     Your goal: Stop the bleed.
     Core actions (abridged): Remove the infected device from the network, capture logs, isolate systems (see ransomware/malware playbook).

  3. Communications & Engagement
     Your goal: Keep stakeholders informed.
     Core actions (abridged): Activate the IMT; draft internal and external messages; notify regulators/clients if required.

  4. Recover
     Your goal: Restore normal operations.
     Core actions (abridged): Execute the recovery plan: rebuild systems, monitor, patch vulnerabilities.

  5. Learn & Improve
     Your goal: Prevent repeat incidents.
     Core actions (abridged): Conduct a post-incident review, update procedures, share lessons.
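The Key definitions above use “repeated failed log-ins” as the textbook cyber event, and Phase 1 asks you to confirm whether what you are seeing is an event or an incident by checking alerts and logs. The following Python script is an added illustration of that triage step; it is not part of the IIP plan or its tooling. The log format, the five-failures-in-ten-minutes threshold, and the rule that a failure burst followed by a successful log-in from the same source is escalated as a probable incident are all assumptions made for this example; the final call still belongs to the analyst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines for this example (not real IIP data).
SAMPLE_LOG = """\
2024-05-01T09:00:05Z auth result=FAILED user=jsmith src=203.0.113.5
2024-05-01T09:00:09Z auth result=FAILED user=jsmith src=203.0.113.5
2024-05-01T09:00:14Z auth result=FAILED user=jsmith src=203.0.113.5
2024-05-01T09:00:20Z auth result=FAILED user=jsmith src=203.0.113.5
2024-05-01T09:00:27Z auth result=FAILED user=jsmith src=203.0.113.5
2024-05-01T09:00:35Z auth result=SUCCESS user=jsmith src=203.0.113.5
2024-05-01T09:10:00Z auth result=FAILED user=akhan src=198.51.100.7
2024-05-01T09:12:00Z auth result=FAILED user=akhan src=198.51.100.7
2024-05-01T09:30:00Z auth result=SUCCESS user=akhan src=10.0.0.12
2024-05-01T09:31:00Z auth result=FAILED user=lchen src=192.0.2.9
2024-05-01T09:31:03Z auth result=FAILED user=lchen src=192.0.2.9
2024-05-01T09:31:06Z auth result=FAILED user=lchen src=192.0.2.9
2024-05-01T09:31:09Z auth result=FAILED user=lchen src=192.0.2.9
2024-05-01T09:31:12Z auth result=FAILED user=lchen src=192.0.2.9
2024-05-01T09:31:15Z auth result=FAILED user=lchen src=192.0.2.9
"""

# Assumed log line layout: "<ISO timestamp> auth result=<FAILED|SUCCESS> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) auth result=(FAILED|SUCCESS) user=(\S+) src=(\S+)$")
FAIL_THRESHOLD = 5              # assumed: 5 failures ...
WINDOW = timedelta(minutes=10)  # ... within 10 minutes counts as a "repeated failed log-in" event


def parse_log(text):
    """Parse log lines into (timestamp, result, user, src) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line should not abort triage
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records


def triage(records):
    """Classify each (user, src) pair.

    'event'             : a burst of FAIL_THRESHOLD failures inside WINDOW (analyst to confirm)
    'probable-incident' : the same burst followed by a SUCCESS from that source (escalate now)
    Pairs with no burst are not reported.
    """
    findings = {}
    by_key = defaultdict(list)
    for rec in sorted(records):
        by_key[(rec[2], rec[3])].append(rec)

    for key, recs in by_key.items():
        fails = [r[0] for r in recs if r[1] == "FAILED"]
        burst_end = None
        for i, start in enumerate(fails):
            # Sliding window: failures in [start, start + WINDOW]
            in_window = [u for u in fails[i:] if u - start <= WINDOW]
            if len(in_window) >= FAIL_THRESHOLD:
                burst_end = max(in_window)
                break
        if burst_end is None:
            continue
        success_after = any(r[1] == "SUCCESS" and r[0] >= burst_end for r in recs)
        findings[key] = "probable-incident" if success_after else "event"
    return findings


if __name__ == "__main__":
    for (user, src), verdict in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{verdict:18} user={user} src={src}")
```

On the constructed sample, jsmith’s five failures followed by a success from 203.0.113.5 are reported as a probable incident, lchen’s six failures with no success remain an event awaiting confirmation, and akhan’s two failures fall below the threshold and are not reported at all. The point of separating the two verdicts is that only the first one justifies triggering the first-15-minutes checklist on its own.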

Quick-Reference Checklist (first 10 steps)

Follow a standardised action list—memorise steps 1-4; know where to find the rest:

  1. Verify the incident: gather evidence within one hour.

  2. Assess scope, impact and severity; classify the incident.

  3. Activate the IMT (and SEMT for major cases); start documentation.

  4. Draft a Resolution Action Plan covering containment, eradication and recovery.
    (Steps 5-10 cover stakeholder mapping, notifications, service restoration, stand-down and post-mortem)

Your first-15-minutes adviser checklist

  ✅ Disconnect the compromised device from all networks.
     Why: Limits lateral movement.

  ✅ Call the IIP Service Desk immediately and flag “Potential Cyber Incident – Priority 1”.
     Why: Triggers the IMT pager.

  ✅ Preserve evidence: take photos of error screens, note timestamps, keep suspicious emails.
     Why: Supports forensics and insurance claims.

  ✅ Do NOT delete files, reboot devices, or engage attackers.
     Why: Could destroy evidence or alert the threat actor.

  ✅ Start a Situation Update entry (template on SharePoint).
     Why: Creates a time-stamped audit trail.
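Two items in the checklist above, preserving evidence and starting a time-stamped Situation Update entry, are about producing a record that will still be trusted weeks later by forensics, insurers and regulators. The Python class below is an added example of how such a log can be made tamper-evident; it is not the IIP Situation Update or Incident Log template, and its field names (reporter, action, observation, evidence) are assumptions. Each entry carries the SHA-256 of the previous entry, so any later edit, deletion or reordering breaks the chain and is detected by verify(). Evidence files (for example a photo of an error screen) are not stored in the log; only their hash is, which lets the original be matched to the entry afterwards.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class IncidentLog:
    """Append-only, hash-chained incident log (assumed structure, not IIP's template)."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _hash(entry):
        # Hash every field except the entry's own hash, in a canonical JSON encoding.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, reporter, action, observation, evidence=b"", when=None):
        """Append one Situation Update entry and return it."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "incident_id": self.incident_id,
            "seq": len(self.entries) + 1,
            "timestamp": when.isoformat(),
            "reporter": reporter,
            "action": action,
            "observation": observation,
            # Hash of the preserved artefact (photo, email export); the file itself stays elsewhere.
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence else None,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every entry is intact, in order, and chained to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev_hash"] != prev or self._hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def build_sample_log():
    """Constructed sample Situation Update for this example (fixed timestamps, fictional incident)."""
    log = IncidentLog("INC-EXAMPLE-001")
    t0 = datetime(2024, 5, 1, 9, 5, tzinfo=timezone.utc)
    log.add("adviser.jsmith", "Disconnected laptop from Wi-Fi and LAN",
            "Ransom note displayed on screen", evidence=b"<constructed photo bytes>", when=t0)
    log.add("adviser.jsmith", "Called Service Desk, flagged Priority 1",
            "Ticket raised; IMT paged", when=t0.replace(minute=8))
    log.add("im.security", "Isolated file share", "No further encryption observed",
            when=t0.replace(minute=20))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    log.entries[1]["observation"] = "edited after the fact"
    print("chain intact after tampering:", log.verify())
```

Because the timestamps and the previous hash are part of what each entry hashes, a later change to any field, including backdating an entry, invalidates that entry and every entry after it. In practice the log would also be written somewhere the adviser cannot modify in place (the SharePoint template the checklist points to, with versioning on), since a hash chain proves tampering happened but does not by itself prevent it.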

Escalation pathways

  • Minor incidents (Impact Level 1): Call Service Desk; they may resolve without full IMT activation.

  • Significant incidents (Levels 2-3) & data breaches: IMT must be convened; Legal and Communications join automatically.

  • Cyber Emergency (Levels 4-5): SEMT Chair (CEO) takes command; notify ASIC and OAIC within 72 hours if personal data is involved.

Roles you’ll interact with

  • Incident Manager (usually the IT Security Manager) coordinates technical response.

  • Legal Advisor handles regulatory notifications and cyber-insurance claims.

  • Comms & Media Advisor crafts client/regulator updates to maintain trust.

As an adviser, your main job is early detection, containment and accurate reporting.

Hands-on practice

In the sandbox environment, you will receive three simulated alerts (phishing email, rogue log-in, ransomware screen).
Follow the checklist, complete a Situation Update and an Incident Log entry, then upload both to the LMS.

Key takeaways

  • Time is critical: aim to confirm and contain within 15 minutes of discovery.

  • Use the five-phase lifecycle and 10-step checklist to stay on track.

  • Accurate logs and evidence preservation protect you, your clients and IIP.

  • Learning doesn’t stop at recovery—feed insights back into policy and training.

Accessing The IIP Cyber Incident Response Plan

You can access the IIP Cyber Incident Response Plan from the Templates Register in the Compliance Hub.

Quick Knowledge Quiz

  1. Which statement best distinguishes a cyber event from a cyber incident in the IIP framework?

  2. How many phases make up the IIP Incident-Response Lifecycle, and which phase focuses on limiting damage by isolating affected systems?

  3. What is the first action advisers must take in the “first-15-minutes” checklist?

  4. Who normally coordinates the technical response during an incident at IIP?

  5. IIP aims to confirm and contain a suspected cyber incident within what timeframe of discovery?