Enhanced Cyber Security Obligations – Incident Response Planning | 15
Criterion IR.4: Identify investigation and remediation procedures
Outcome
Once an incident has been identified, a good IRP details the initial steps that should be taken to
investigate the nature and extent of the incident. The IRP may also detail the remediation
capabilities and activities that a responsible entity would undertake if systems were affected.
An effective IRP outlines what activities should be undertaken in response to specific developments
in the ongoing cyber incident. This would ensure that defenders are responding to developments in
the most efficient and effective manner possible. These steps should be detailed enough that
defenders can simply follow the instructions as they are written. Incomplete or unclear IRP
instructions will cause confusion and degrade the defender’s response during an incident.
The IRP will not only be used by cyber security staff in the event of a cyber security incident. The
IRP will include or link to procedures for system restoration and the mitigation of system outages.
Given the detail required for such procedures, it is likely that these procedures will be separate
technical documents.
IRPs will not necessarily provide complete coverage of longer-term final resolution activity or
follow-up remediation work which may be required to remove malicious actors from a network. A
responsible entity should contemplate, to the extent possible, potential remediation and prevention
activity in the aftermath of an incident. The Department may engage with entities regarding how
they address these considerations in their IRPs and provide further advice if necessary.
The responsible entity’s IRP should contain activities relevant to its own circumstances.
However, as a baseline, entities’ IRPs should include actions for ensuring the physical safety of the
responsible entity’s staff and others, maximising service uptime during and immediately following the
incident, and outlining post-incident actions to ensure system security and prevent future incidents.
Does the IRP provide procedures to ensure the availability of SoNS’ systems and/or mitigate immediate service outages? (Critical)

Assessment levels, from highest to lowest:

1. All critical components of the SoNS asset(s) have been identified and addressed within the Risk Register (or similar), and have a procedure for outage mitigation in place, including system segregation and down where possible.
   AND
   Guidance for locating further information for all system availability procedures is supplied in the IRP.

2. More than 50% of the critical components of the SoNS asset(s) have been identified and addressed within the Risk Register (or similar), and have a procedure for outage mitigation in place.
   AND
   System availability procedures are mentioned in the IRP and cover all SoNS.

3. Less than 50% of the critical components of the SoNS asset(s) have been identified and addressed within the Risk Register (or similar), and have a procedure for outage mitigation in place.

4. System availability procedures are not mentioned in the IRP.
Does the IRP contain high-level procedures to investigate the cause and methodology of the cyber security incident? (Critical)

Assessment levels, from highest to lowest:

1. The IRP outlines all high-level requirements for investigation during a cyber security incident, including:
   - Assignment of responsibility to a team for investigation
   - Allocation of time specifically to investigate and gather evidence
   - An escalation point to an external Incident Response provider if necessary
   - Reporting requirements for results of the investigation.

2. The IRP contains a high-level inclusion of investigative action requirements within the cyber security incident response phases, including:
   - Assignment of responsibility to a team for investigation
   - Allocation of time specifically to investigate and gather evidence
   - An escalation point to an external Incident Response provider if necessary
   - Reporting requirements for results of the investigation.

3. Investigative actions are not outlined in the IRP.

4. Reporting of investigative results is not required in the IRP.