This Security Incident Report (the “Report”) is created for [Company Name] on [Report Date].
1. Incident Identification
1.1 Incident ID. [Incident ID].
1.2 Incident Title. [Short descriptive title].
1.3 Severity Level. ☐ SEV-1 (Critical) ☐ SEV-2 (High) ☐ SEV-3 (Moderate) ☐ SEV-4 (Low).
1.4 Incident Type.
☐ Phishing/Social engineering
☐ Malware/Ransomware
☐ Unauthorized access
☐ Data exposure/leak
☐ Denial of service
☐ Insider threat
☐ Misconfiguration
☐ Lost/stolen device
☐ Third-party/vendor incident
☐ Other: [Describe]
2. Discovery and Timeline
2.1 Detected/Reported By. [Name/Role].
2.2 Detection Method. ☐ Alert/monitoring ☐ User report ☐ Vendor notice ☐ Audit finding ☐ Other: [Method].
2.3 Date/Time Discovered. [Date/Time] (timezone: [TZ]).
2.4 Estimated Start Time (If Known). [Date/Time].
2.5 Date/Time Contained (If Known). [Date/Time].
2.6 Date/Time Resolved (If Known). [Date/Time].
2.7 Incident Summary (Initial). [Brief summary of what was observed].
3. Affected Systems and Accounts
3.1 Systems/Services Impacted. [List systems, apps, cloud accounts, endpoints].
3.2 Network/Environment. ☐ Production ☐ Staging ☐ Internal IT ☐ Cloud ☐ Other: [Environment].
3.3 Accounts Impacted. [Usernames/emails/roles if applicable].
3.4 Third-Party Involvement. ☐ None ☐ Vendor/service: [Name] ☐ Unknown (investigating).
4. Data Impact Assessment
4.1 Data Types Potentially Affected.
☐ Credentials
☐ Customer personal data
☐ Employee personal data
☐ Payment data
☐ Health data
☐ Financial records
☐ Intellectual property
☐ Confidential business information
☐ Other: [Describe]
4.2 Estimated Number of Records/Individuals. [Estimate].
4.3 Encryption Status.
☐ Data encrypted at rest
☐ Data encrypted in transit
☐ Encryption unknown
Details: [Key management and exposure notes].
4.4 Evidence of Exfiltration. ☐ Yes ☐ No ☐ Unknown.
If yes/unknown, describe indicators: [Logs/alerts].
5.1 Actions Taken.
-
[Action and timestamp]
-
[Action and timestamp]
-
[Action and timestamp]
5.2 Access Revoked/Rotated.
☐ Password resets
☐ MFA enforced
☐ API keys rotated
☐ Tokens revoked
☐ Certificates rotated
☐ Other: [Actions]
5.3 Systems Isolated. ☐ Yes ☐ No. If yes, how: [Details].
5.4 Backups/Recovery Steps. [If applicable].
[Action and timestamp]
[Action and timestamp]
5.2 Access Revoked/Rotated.
☐ Password resets
☐ MFA enforced
☐ API keys rotated
☐ Tokens revoked
☐ Certificates rotated
☐ Other: [Actions]
5.3 Systems Isolated. ☐ Yes ☐ No. If yes, how: [Details].
5.4 Backups/Recovery Steps. [If applicable].
6. Investigation Findings
6.1 Root Cause (If Known). [Phishing, vulnerability, misconfig, insider, etc.].
6.2 Attack Vector/Entry Point. [Details].
6.3 Timeline of Key Events.
-
[Date/time] – [Event]
-
[Date/time] – [Event]
-
[Date/time] – [Event]
6.4 Indicators of Compromise (IOCs). [IPs, domains, hashes, user agents, etc.].
6.5 Forensics Involvement. ☐ Internal only ☐ External vendor engaged: [Name] ☐ Outside counsel involved.
[Date/time] – [Event]
[Date/time] – [Event]
6.4 Indicators of Compromise (IOCs). [IPs, domains, hashes, user agents, etc.].
6.5 Forensics Involvement. ☐ Internal only ☐ External vendor engaged: [Name] ☐ Outside counsel involved.
7. Notifications and Communications
7.1 Internal Notifications. Notified: ☐ Security ☐ IT ☐ Legal ☐ Privacy ☐ Exec ☐ HR ☐ Other: [Teams].
7.2 External Notifications.
☐ Customers notified
☐ Regulators notified
☐ Law enforcement contacted
☐ Vendors notified
☐ Not required (document rationale)
Details: [Who/when/method].
7.3 Public Statement Needed. ☐ Yes ☐ No ☐ TBD.
7.4 Customer Support Plan. [Macros/FAQ/escalation steps].
8.1 Remediation Actions.
-
[Fix/control improvement] – Owner: [Name] – Due: [Date]
-
[Fix/control improvement] – Owner: [Name] – Due: [Date]
8.2 Monitoring Improvements. [New alerts/logging].
8.3 Policy/Process Updates. [Playbook changes, training updates].
8.4 Lessons Learned Meeting Date. [Date].
[Fix/control improvement] – Owner: [Name] – Due: [Date]
[Fix/control improvement] – Owner: [Name] – Due: [Date]
8.2 Monitoring Improvements. [New alerts/logging].
8.3 Policy/Process Updates. [Playbook changes, training updates].
8.4 Lessons Learned Meeting Date. [Date].
9. Attachments and Evidence
9.1 Evidence References.
☐ Log exports
☐ Screenshots
☐ Ticket links
☐ Forensics report
☐ Vendor notice
☐ Other: [List]
9.2 Storage Location. Evidence stored at: [Secure folder/link], access limited to: [Roles].
10. Approvals
10.1 Reviewed By (Security). [Name/Title] – Date: [Date].
10.2 Reviewed By (Legal/Privacy, If Applicable). [Name/Title] – Date: [Date].
10.3 Final Approval. [Name/Title] – Date: [Date].
Signatures
By signing below, the undersigned confirm that this Report reflects the incident details and response actions documented as of the signature date.
Prepared By: [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________
Incident Commander: [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________
Approved By (If Required): [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________