Process Improvement

In all cases, when the crisis is over, it is critical that the incident be reviewed so something can be learned from the experience. This analysis must focus on the process. How was the incident discovered? How was it handled? How was it resolved? Were procedures followed? Were the procedures sufficient? What should be added/removed/changed? Who was notified? When? Were business objectives met? What were the major obstacles? How can the process be improved? If the incident happened today, what would you do differently?

As in all things, it is most important that you learn and improve. You should strive to learn how the incident happened and thereby how to prevent another similar incident from occurring. You must analyze your processes and decide what worked and what did not, where and how your procedures can be improved, where there were gaps in your policies and procedures, and whether all contingencies were covered in this case.

Most businesses will want a financial analysis covering how much this incident cost the company in physical losses, the cost to restore data, and the loss of revenue due to downtime. In some cases, this will be a complete business impact analysis.

Implement Changes

The last step in this process is to make the changes to your security policy. Be sure to inform members of your organization of the changes that have been made and how those changes may affect them.

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
