Information for IT staff: The 12 most important measures in the event of cyber incidents

The Alliance for Cyber Security has published a 1-page leaflet with the 12 most important points for dealing with a cyber security incident. It is mainly aimed at IT managers in small and medium-sized enterprises, but is also helpful for IT coordinators in the organisational units of TU Braunschweig.

In case of cyber security incidents, please always inform the CISO of the TU Braunschweig and the Gauss IT Centre at or via the IT Service Desk at (0531-391-) 55555.

Download the leaflet:

Here is the content:

Dealing with a cyber attack is always individual and measures must be adapted to the circumstances of the IT infrastructure on site, the type of attack and the objectives of the organisation. The measures implied in the 12 points formulated as questions serve as impetus and assistance for individual coping. The document is aimed at IT managers and administrators, primarily in small and medium-sized enterprises.

1.Have initial assessments of the incident been carried out to determine whether it is a cyber-attack or merely a technical fault?

2Have you continuously coordinated, documented and communicated your measures to all relevant persons and responsible persons?

3Have system logs, log files, notes, photos of screen contents, data media and other digital information been forensically secured?

4Have you always focused on the business processes that are particularly time-critical and therefore have priority for protection?

5Have affected systems been disconnected from the network?
Have internet connections to the affected systems been disconnected?
Have all unauthorised accesses been prevented?

6Have backups been stopped and protected from possible further interference?

7Have measures been taken to determine the full extent of the spread?                                   Have all attacked systems been identified?

8Were the vulnerabilities in systems or (business) processes exploited during the cyber attack addressed and remedied through relevant measures?

9Have the police or relevant authorities (data protection, reporting requirements, etc.) been notified after consultation?

10Have the access authorisations and authentication methods for affected (business and possibly private) accounts been checked (e.g. new passwords, 2FA)?

11Will the network continue to be monitored after the incident to detect possible renewed anomalies?

12Have the affected data and systems been restored or rebuilt?