13.7 Post-Mortem



Incident response planning is an iterative process. The final step in resolving any incident is the post-mortem analysis. Here, the incident response team must meet to review the cause of the incident and its resolution, and to recommend any steps that must be taken either to improve response time in the future or to prevent similar incidents from occurring again.

Some things to consider during the post-mortem phase are any additional needs that the incident response staff may have, such as:

  • Additional training in response time

  • Additional training in troubleshooting or evidence collection techniques

  • Methods of improving team communications

  • Methods of providing additional resources to the incident response team in a timely manner

  • Formally requesting changes to security policy as appropriate

The goal is not only to improve the response of the incident response team, but also to document the evidence as much as possible so that similar incidents can be more quickly resolved.

As a last step, the total monetary costs of the incident should be tallied. This includes any loss of data and the estimated value of that data, any hardware damage that may have occurred, and the total cost (in man-power hours) of responding to the incident.

No matter how thorough your information security document may be, it is essential that proper attention be paid to the steps that will be taken when things go amiss — because they will. Incident response is typically written as a separate part of the overall information security policy because the process of incident response can change without altering the rest of the security policy. Due to its crucial role in the resolution of unforeseen circumstances, the incident response plan is just as important a step to overall information security as the security policy itself, an acceptable use policy, or a disaster recovery document.




Network Perimeter Security. Building Defense In-Depth
ISBN: 0849316286
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Cliff Riggs
