Skip to content

Incident Response Checklist

Incident Response Checklist

Incident Header

Pole	Hodnota
Incident ID	INC-[YYYY]-[NNN]
Datum detekce	[PLACEHOLDER: DD.MM.YYYY HH:MM]
Severity	☐ Critical / ☐ High / ☐ Medium / ☐ Low
Type	☐ Data Breach / ☐ Security / ☐ AI / ☐ Availability
Status	☐ Open / ☐ Contained / ☐ Eradicated / ☐ Recovered / ☐ Closed
Incident Commander	[PLACEHOLDER]

Phase 1: Detection & Initial Response (T+0 to T+1h)

1.1 Detection

#	Akce	Status	Čas	Kdo
1.1.1	Incident detected	☐
1.1.2	Source of detection	☐		SIEM/User/External/Other
1.1.3	Initial severity assessment	☐
1.1.4	Incident ticket created	☐

1.2 Initial Notification

#	Akce	Status	Čas	Kdo
1.2.1	CISO notified	☐
1.2.2	DPO notified (if data breach)	☐
1.2.3	Incident Commander assigned	☐
1.2.4	IRT activated	☐
1.2.5	War room / Slack channel created	☐

1.3 Initial Assessment

Otázka	Odpověď
Co se stalo?	[PLACEHOLDER]
Kdy to začalo?	[PLACEHOLDER]
Které systémy jsou dotčeny?	[PLACEHOLDER]
Jsou dotčena data?	☐ Ano / ☐ Ne / ☐ Neznámo
Jsou dotčena osobní data?	☐ Ano / ☐ Ne / ☐ Neznámo
Je služba dostupná?	☐ Ano / ☐ Ne / ☐ Částečně

Phase 2: Containment (T+1h to T+4h)

2.1 Immediate Containment

#	Akce	Status	Čas	Kdo
2.1.1	Isolate affected systems	☐
2.1.2	Block malicious IPs/accounts	☐
2.1.3	Disable compromised accounts	☐
2.1.4	Enable enhanced monitoring	☐

2.2 Evidence Preservation

#	Akce	Status	Čas	Kdo
2.2.1	Capture system logs	☐
2.2.2	Memory dump (if applicable)	☐
2.2.3	Network traffic capture	☐
2.2.4	Screenshot/photo evidence	☐
2.2.5	Chain of custody documented	☐

2.3 Communication

#	Akce	Status	Čas	Kdo
2.3.1	Status update to management	☐
2.3.2	Internal communication (if needed)	☐
2.3.3	Customer communication drafted	☐

Phase 3: Investigation (T+4h to T+24h)

3.1 Root Cause Analysis

#	Akce	Status	Čas	Kdo
3.1.1	Log analysis	☐
3.1.2	Malware analysis (if applicable)	☐
3.1.3	Attack vector identified	☐
3.1.4	Scope determined	☐
3.1.5	Timeline reconstructed	☐

3.2 Impact Assessment

Oblast	Dopad	Detail
Systems affected		[PLACEHOLDER]
Data affected		[PLACEHOLDER]
Users affected		[PLACEHOLDER]
Business impact		[PLACEHOLDER]
Financial impact		[PLACEHOLDER]

3.3 Data Breach Assessment (if applicable)

Otázka	Odpověď
Jaká data byla dotčena?	[PLACEHOLDER]
Kolik záznamů?	[PLACEHOLDER]
Kolik subjektů?	[PLACEHOLDER]
Byla data šifrovaná?	☐ Ano / ☐ Ne
Byl klíč kompromitován?	☐ Ano / ☐ Ne / ☐ Neznámo
Bylo k datům přistoupeno?	☐ Ano / ☐ Ne / ☐ Neznámo
Byla data exfiltrována?	☐ Ano / ☐ Ne / ☐ Neznámo

Phase 4: Eradication (T+24h to T+72h)

4.1 Remediation Actions

#	Akce	Status	Čas	Kdo
4.1.1	Malware removed	☐
4.1.2	Vulnerability patched	☐
4.1.3	Compromised credentials rotated	☐
4.1.4	Security controls enhanced	☐
4.1.5	System hardening completed	☐

Phase 5: Recovery (T+72h+)

5.1 System Recovery

#	Akce	Status	Čas	Kdo
5.1.1	Systems restored from backup	☐
5.1.2	Systems validated	☐
5.1.3	Services restored	☐
5.1.4	Enhanced monitoring in place	☐
5.1.5	Return to normal operations	☐

Phase 6: Notification (within deadlines)

6.1 Regulatory Notification

Autorita	Required	Deadline	Status	Datum
ÚOOÚ (GDPR)	☐ Ano / ☐ Ne	72h	☐
NÚKIB (NIS2)	☐ Ano / ☐ Ne	24h initial	☐
Subjects (GDPR)	☐ Ano / ☐ Ne	ASAP	☐

6.2 Other Notification

Recipient	Status	Datum
Board	☐
Customers	☐
Partners	☐
Media	☐
Insurance	☐

Phase 7: Post-Incident (T+1 week+)

7.1 Documentation

#	Akce	Status	Datum	Kdo
7.1.1	Incident report finalized	☐
7.1.2	Timeline documented	☐
7.1.3	Root cause documented	☐
7.1.4	Evidence archived	☐

7.2 Post-Mortem

#	Akce	Status	Datum	Kdo
7.2.1	Post-mortem meeting scheduled	☐
7.2.2	Post-mortem completed	☐
7.2.3	Lessons learned documented	☐
7.2.4	Action items assigned	☐

7.3 Improvement Actions

#	Akce	Owner	Deadline	Status
1	[PLACEHOLDER]			☐
2	[PLACEHOLDER]			☐
3	[PLACEHOLDER]			☐

Timeline Summary

Čas	Událost
T+0	[PLACEHOLDER: Detection]
T+Xh	[PLACEHOLDER: Event]
T+Xh	[PLACEHOLDER: Event]
T+Xh	[PLACEHOLDER: Event]
T+Xd	[PLACEHOLDER: Resolution]

Sign-off

Role	Jméno	Podpis	Datum
Incident Commander
CISO
DPO (if data breach)
CEO (if critical)