Following restoration of services, the IRT will determine the root cause of the incident and take appropriate steps to minimize the likelihood of the incident happening again.
- Determine how the event happened (in the case of a security incident, determine the source of the intrusion, e.g., email, inadequate training, attack through a firewall port, attack through an unneeded service, attack due to unpatched systems or applications)
- Assess the damage to the Organization and estimate both the damage cost (direct and indirect) and the cost of the containment efforts
- Identify, if appropriate, additional user training that might have prevented the incident
- Identify whether changes in policies or procedures might have prevented the incident
- Identify whether the availability of additional equipment or technologies might have prevented the incident
- Review the response to the incident. How could it be improved?
- Was the initial response timely?
- Were containment and restoration timely?
- Was the right documentation identified and collected?
- If law enforcement was involved, did it help or hinder the response? How could our relationship with law enforcement be improved?
- Were appropriate parties informed in a timely manner?
- Were the incident response procedures detailed and adequate to the situation? How could they be improved?
- What lessons have been learned from this experience, and how do we get them into the “corporate DNA”?
Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.