Cyber Security Incident Reporting

Download ASD Protect Cyber Security Incident Reporting (PDF), January 2018
First published January 2018

Introduction

  1. The Australian Cyber Security Centre (ACSC) is responsible for monitoring and responding to sophisticated cyber threats targeting Australian interests. The ACSC’s Cyber Security Incident Reporting (CSIR) scheme assists with this role.
  2. Reporting cyber security incidents to the ACSC ensures that the ACSC can provide timely assistance tailored to specific incidents. This may be in the form of investigations, analysis and/or remediation advice.

When should I report a cyber security incident?

  1. A cyber security incident is a single unwanted or unexpected event, or a series of such events, that has a significant probability of compromising an organisation’s business operations. Cyber security incidents can impact the confidentiality, integrity or availability of a system and the information that it stores, processes or communicates.
  2. The types of cyber security incidents that should be reported to the ACSC include:
    1. suspicious system and network activities
    2. compromise of sensitive information
    3. unauthorised access or attempts to access a system
    4. emails with suspicious attachments or links
    5. denial of service attacks
    6. suspected tampering of electronic devices.
  3. The following are examples of suspicious system and network activities:
    1. domain administrator accounts being locked out due to failed authentication attempts
    2. unusual authentication events on remote access systems, such as users being logged in from local workstations and a VPN simultaneously, or a number of log-in attempts from geographically disparate or overseas locations within a short timeframe
    3. service accounts communicating with internet-based infrastructure.
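
The three examples of suspicious activity listed above can be expressed as checks over authentication and connection logs. The following is an added example, not part of the ACSC publication; the account names, internal address range, 30-minute window and event records are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: account names, internal range and window are hypothetical.
DOMAIN_ADMINS = {"da-alice"}
SERVICE_ACCOUNTS = {"svc-backup"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
WINDOW = timedelta(minutes=30)  # stands in for "simultaneously" / "short timeframe"

# Constructed sample events (not real logs): (time, kind, account, detail)
EVENTS = [
    ("2018-01-15T09:00:00", "lockout", "da-alice", ""),
    ("2018-01-15T09:05:00", "logon", "bob", "workstation:AU"),
    ("2018-01-15T09:10:00", "logon", "bob", "vpn:AU"),
    ("2018-01-15T10:00:00", "logon", "carol", "vpn:AU"),
    ("2018-01-15T10:20:00", "logon", "carol", "vpn:NL"),
    ("2018-01-15T11:00:00", "conn", "svc-backup", "10.1.2.3"),
    ("2018-01-15T11:01:00", "conn", "svc-backup", "203.0.113.10"),
    ("2018-01-15T12:00:00", "logon", "dave", "workstation:AU"),
    ("2018-01-15T15:00:00", "logon", "dave", "vpn:AU"),
]

def detect(events):
    """Return a sorted list of (indicator, account) findings."""
    findings, logons = set(), {}
    for ts, kind, account, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "lockout" and account in DOMAIN_ADMINS:
            findings.add(("admin_lockout", account))
        elif kind == "conn" and account in SERVICE_ACCOUNTS:
            # Any destination outside the listed internal ranges counts as internet-based.
            if not any(ip_address(detail) in net for net in INTERNAL_NETS):
                findings.add(("service_account_internet", account))
        elif kind == "logon":
            source, country = detail.split(":")
            # Compare with this account's earlier logons that fall inside the window.
            for prev_when, prev_source, prev_country in logons.get(account, []):
                if when - prev_when > WINDOW:
                    continue
                if {source, prev_source} == {"workstation", "vpn"}:
                    findings.add(("local_and_vpn", account))
                if country != prev_country:
                    findings.add(("geo_disparate", account))
            logons.setdefault(account, []).append((when, source, country))
    return sorted(findings)

if __name__ == "__main__":
    for indicator, account in detect(EVENTS):
        print(indicator, account)
```

Comparing logon times within a window only approximates simultaneity; where session end times are logged, overlap of the actual sessions is the more precise check.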

How do I report a cyber security incident?

  1. Cyber security incidents should be reported to the ACSC via an organisation’s Information Technology Security Adviser (ITSA) or equivalent information security manager.
  2. Organisations are encouraged to submit incident reports via the ACSC website.
  3. Once an incident report is submitted to the ACSC, it is recorded and triaged. At this time, the priority and extent of assistance necessary to respond to the cyber security incident are determined.

Further information

  1. This document complements the advice in the Cyber Security Incidents chapter of the Australian Government Information Security Manual (ISM).
  2. Further information on preparing to respond to cyber security incidents can be found in ASD’s Preparing for and Responding to Cyber Security Incidents.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.