Incident investigation results are aggregated in a report. All reports have the following structure:
- The purpose and the reason for creating the report.
- The VCI investigation.
  - The VCI description.
  - Causes or probable causes of the VCI.
  - Methods and tools used by the hackers involved in the VCI.
  - Description of the investigated items (data storage media and documents acquired from the customer). An assessment of their value to the investigation.
  - A description of the steps taken: the investigation objective and activity start and end time. Investigation progress and time frame. Methods, software, and hardware (optional) used in the investigation and the investigation's steps.
  - Individuals identified by the investigation as participants in the incident. The extent of their responsibility for the VCI. Information about attempts (if any) to thwart the Doctor Web task group's investigation.
  - Evidence, collected during the investigation, proving the VCI did take place, and a description of how it was acquired.
- Conclusion
  - VCI consequences for the customer: impact on the business, image and relations with customers and investors (shareholders), the moral impact on employees. Tips on how to minimize the negative effects.
  - The roles of the customer's employees involved in the VCI investigation.
  - A description of weak points in the customer's security policy. Steps that can be taken to minimize the impact of or resolve possible security problems.
  - Recommendations on how to prevent future incidents like this one.
- Applications
  - Report authors, their job titles at Doctor Web or roles (responsibilities) in the VCI investigation task force.
  - A list of items (documents and media) received from the customer and used in the investigation.
  - A questionnaire.
A report may lack certain sections if the customer did not specify in the contract that they be included.