
Preparing for and Responding to Cyber Security Incidents

This publication provides guidance on how organisations can prepare themselves for a cyber security incident. In addition, it provides guidance on the types of cyber security incidents that should be reported to the Australian Cyber Security Centre (ACSC) and how this can be done.

First published 2012; updated 2018; reformatted January 2019

Introduction

The Australian Cyber Security Centre (ACSC) is responsible for monitoring and responding to cyber threats targeting Australian interests. Cyber threats can result in the denial of access to, the theft of, or the destruction of information and systems. In addition to the damage done to Australia’s economic wellbeing as a result of such cyber security incidents, they can undermine public confidence in organisations and consume significant resources to respond to.

The ACSC’s Cyber Security Incident Reporting (CSIR) scheme can help organisations respond to cyber security incidents. Reporting cyber security incidents ensures that the ACSC can provide timely assistance. This may be in the form of investigations, analysis and/or remediation advice.

How prepared are you to respond?

Organisations should ask themselves the following questions to determine how prepared they are to respond to cyber security incidents:

  • Have we identified systems and information critical to our business operations?
  • Do we have business continuity and disaster recovery plans?
  • Do we have an up-to-date and regularly tested incident response plan?
  • Do our agreements with service providers include incident reporting and response activities?
  • Do we have the ability to detect when cyber security incidents may have occurred?
  • How easily and quickly can we access appropriate resources to respond to cyber security incidents?
  • What are our legislative obligations with regard to reporting cyber security incidents?
  • Who has the primary responsibility for incident reporting, and do we have standard operating procedures in place?

When should I report a cyber security incident?

A cyber security incident is a single unwanted or unexpected event, or a series of such events, that has a significant probability of compromising an organisation’s business operations. Cyber security incidents can impact the confidentiality, integrity or availability of a system and the information that it stores, processes or communicates.

The types of cyber security incidents that should be reported to the ACSC include:

  • suspicious system and network activities
  • compromise of sensitive information
  • unauthorised access or attempts to access a system
  • emails with suspicious attachments or links
  • denial-of-service attacks
  • suspected tampering of electronic devices.

The following are examples of suspicious system and network activities:

  • domain administrator accounts being locked out due to failed authentication attempts
  • unusual authentication events on remote access systems, such as users being logged in from local workstations and a VPN simultaneously, or a number of log-in attempts from geographically disparate or overseas locations within a short timeframe
  • service accounts communicating with internet-based infrastructure.
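
The activities listed above can be written as detection rules over authentication and network logs. The Python sketch below is an added example, not part of the ACSC publication: the event fields, account names, internal address range and 30-minute window are assumptions, and the events are constructed. "Simultaneous" local and VPN use is approximated as both logon types for one account inside the window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this sketch: account names, internal ranges and the window.
DOMAIN_ADMINS = {"da_alice"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
WINDOW = timedelta(minutes=30)

# Constructed sample events (time, type, account, detail); not real log data.
EVENTS = [
    ("2019-01-03T09:00", "lockout", "da_alice", ""),
    ("2019-01-03T09:05", "logon", "bob", "workstation:AU"),
    ("2019-01-03T09:10", "logon", "bob", "vpn:AU"),
    ("2019-01-03T10:00", "logon", "carol", "vpn:AU"),
    ("2019-01-03T10:20", "logon", "carol", "vpn:BR"),
    ("2019-01-03T11:00", "netconn", "svc_backup", "10.1.2.3"),
    ("2019-01-03T11:05", "netconn", "svc_backup", "203.0.113.10"),
    ("2019-01-03T12:00", "logon", "dave", "vpn:AU"),
    ("2019-01-03T18:00", "logon", "dave", "workstation:AU"),
]

def detect(events, window=WINDOW):
    """Return a sorted list of (rule, account) findings."""
    findings, logons = set(), defaultdict(list)
    for ts, kind, account, detail in events:
        when = datetime.fromisoformat(ts)
        if kind == "lockout" and account in DOMAIN_ADMINS:
            findings.add(("domain-admin-lockout", account))
        elif kind == "netconn" and account.startswith("svc_"):
            dst = ip_address(detail)
            if not any(dst in net for net in INTERNAL_NETS):
                findings.add(("service-account-internet", account))
        elif kind == "logon":
            source, country = detail.split(":")
            # Compare with this account's earlier logons inside the window.
            for prev_when, prev_source, prev_country in logons[account]:
                if abs(when - prev_when) > window:
                    continue
                if {source, prev_source} == {"vpn", "workstation"}:
                    findings.add(("local-and-vpn-logon", account))
                if country != prev_country:
                    findings.add(("geo-disparate-logon", account))
            logons[account].append((when, source, country))
    return sorted(findings)

if __name__ == "__main__":
    for rule, account in detect(EVENTS):
        print(f"{rule}: {account}")
```

The account "dave" produces no finding because his VPN and workstation logons are six hours apart, which shows how the window setting controls what counts as a short timeframe.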

How do I report a cyber security incident?

Organisations are encouraged to submit incident reports via the ACSC website.

Once an incident report is submitted to the ACSC, it is recorded and triaged. At this time the priority and extent of assistance that is necessary to respond to the cyber security incident is determined.

Further information

The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.

The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

Date
January 3rd, 2019