Conducting a Security Incident Post Mortem

Because of the iterative nature of security, you need to ensure that your response team and organization learn from any incident that occurs, and you must incorporate those lessons into future protective measures and their supporting processes. Following each security issue, you should hold a debriefing session. In that session, all the participants and key stakeholders should discuss the specifics of the incident, including the following:

  • What went right

  • What could have gone more smoothly

  • Measures that could have prevented the incident

  • What the organization needs to do to ensure that this type of incident is not repeated

  • How much the security incident has cost the organization

During the post mortem review, you should determine changes that will need to be made to your organization's security policies and procedures, and you might need to implement new security measures to prevent such an incident from recurring or similar incidents from happening. You should assign a single person responsibility for recording this information and ensuring its follow-up. If these changes will impact business continuity, you should conduct a risk analysis to determine the appropriate solution.

The results of the debriefing should be fully documented and distributed on a need-to-know basis. Often, it makes sense to have two versions of the write-up: one that is couched in business terms and is appropriate for business managers, and another that delves into technical detail and is appropriate for the IT teams that will be implementing changes to the environment.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
