Cyber Threat and Computer Intrusion
Incident Reporting Guidelines

This form may be used as a guide or vehicle for reporting cyber threat and computer intrusion incident information
to the NIPC or other law enforcement organizations. It is recommended that these Cyber Incident Reporting
Guidelines be used when submitting a report to a local FIA.

 SECTION 1

Point of Contact (POC) Information

Name:

Title:
Telephone:
Fax Number:
E-mail:
Organization:
Address: 
City:

 SECTION 2

Incident Information
Name of Organization:
(if same as above, enter "SAME")
(Check here if Federal Government Agency)
Organization's Contact Information:

Telephone Number:
Address: (if same as above, enter "SAME")
City:
E-mail:
Physical location(s) of victim's computer system/network (Be Specific):

Date/Time and duration of incident:


Is the affected system/network critical to the organization's mission?

      Yes   No

Which critical infrastructure sector was affected? (Check only one)

      Power   Transportation
      Banking and Finance   Emergency Services
      Government Operations   Water Supply Systems
      Gas & Oil Storage and Delivery   Other (Provide details in remarks)
      Telecommunications   Not applicable

     Remarks:

Nature of problem? (Check only one)

      Intrusion   System impairment/denial of resources
      Unauthorized root access   Web site defacement
      Compromise of system integrity   Hoax
      Theft   Damage
      Unknown    Other:

Has this problem been experienced before? (If yes, please explain in the remarks section):

      Yes   No

     Remarks:

Suspected method of intrusion/attack (check only one)

      Virus (provide name if known)   Vulnerability exploited (explain)
      Denial of Service   Trojan horse
      Distributed Denial of Service   Trapdoor
      Unknown   Other (Provide details in remarks)
     Remarks:

Suspected perpetrator(s) or possible motivation(s) of the attack (check only one)

      Insider/Disgruntled employee   Former employee
      Competitor   Other (Explain in remarks)
      Unknown  
     Remarks:

The apparent source (IP address) of the intrusion/attack:


Evidence of spoofing?

      Yes   No   Unknown

What computer system (hardware and/or software) was affected? (Operating system, version) (check only one):

      Unix   OS2
      Linux   VAX/VMS
      NT   Windows
      Sun OS/Solaris   Other (Please specify in remarks)
     Remarks:

What security infrastructure was in place? (Check all that apply)

      Incident/Emergency Response Team   Encryption
      Firewall   Secure Remote Access/Authorization tools
      Intrusion Detection System   Banners
      Security Auditing Tools   Access Control Lists
      Packet filtering

Did the intrusion/attack result in a loss/compromise of sensitive, classified or proprietary information?

      Yes (Provide details in remarks)   No
      Unknown  
     Remarks:

Did the intrusion/attack result in damage to system(s) or data?

      Yes (Provide details in remarks)   No
     Remarks:

What actions and/or technical mitigation have been taken?

      System(s) disconnected from the network   System Binaries checked
      Backup of affected system(s)   Other (Please provide details in remarks)
      Log files examined   No action(s)
     Remarks:

Has the local FIA field office been informed?

      Yes (Which Office)   No

Has another agency/organization been informed? If so, please provide name and phone number.

      Yes    No

    If yes, please specify:

When was the last time your system was modified or updated?
Date:
Company/Organization that did the work (address, phone number, POC information):


Is the System Administrator a contractor?

      Yes (Provide POC Information)
      No

Additional Remarks: (Please limit to 500 characters. Amplifying information may be submitted separately.)

If the reported incident is determined to be a criminal matter, you may be contacted by an agent in your location for additional information.