Postmortem Documentation

Possibly the most important step following a security incident (and certainly one of the most often skipped) is writing the security incident postmortem. Postmortem follow-up requires documentation of the incident as well as reports for specific audiences, such as management and emergency response teams. These reports will be used to adjust the level of security that is implemented.

This report is crucial for bringing all the issues together. It is a chance to review the incident calmly, after the crisis has subsided, bringing together the views and insights from all parties involved to create a single, consistent description of the incident for all those who have a need to know.

This report is needed if any follow-up actions are going to be taken against the perpetrator. If the actions are warranted, this report will serve as the foundation of the prosecution. If the actions are disciplinary, management will need this report to determine the severity of the punishment. The report has three parts: the time line, the technical summary, and the managerial summary.

  • The time line provides a detailed summary of the events as they occurred. It illustrates the relationship in time of the attack and the response to the attack.

  • The technical summary is fundamental to improving processes and creating best practices. This summary can be shared with other technical groups within the organization to educate them and increase the awareness of security issues throughout the company.

  • The managerial summary gives management the insight needed to understand the size and scope of the incident and its impact. This knowledge is crucial to the process of making sound business decisions about the need for security, especially as it relates to budgets and personnel.


Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
