Lessons Learned in Incident Handling
What happened, and how can we improve our capabilities? Immediately after the system is back online in production, start developing a follow-up report.
While drafting this report, the lead on-site incident handler should be the only one writing it and should supervise what goes into it. Everyone who was part of the incident should review the draft and sign off, agreeing to its contents. If someone strongly disagrees, they can submit their own version of events, and it will remain part of the incident record. Make sure to include all incident forms completed during the incident. Within two weeks of resuming production, hold a meeting to discuss what happened and what the team learned from the incident. This meeting is also the time to review what the team could have done differently or improved for next time. Take the time to finalize the report and provide an executive summary.
I hope this series on incident handling has helped you understand the correct process for handling incidents and encourages you to read other posts on real incidents and how the method used to control each one provided an excellent service to both the business and its customers.
If this has been helpful to you, please support this blog by buying a coffee.
Cheers! Happy threat hunting!