Elevate Your Ransomware Defenses with a Post Incident Review


The post-incident report should include a review of existing policies and procedures to ensure they are sufficient, DeGrazia says: “For example, would a more aggressive patching cycle prevent an exploit from being executed?”

Post-incident reviews also should identify where there may be any single point of failure that hampered the investigation or remediation of the incident and add redundancy, according to DeGrazia.

“We commonly see that one person has access to X or the ability to do Y, but they are on vacation,” she says. Organizations also should identify, decommission and remove systems that are no longer needed. The report also should detail how the organization “plans to prevent attacks in the future by monitoring various threat feeds and sources,” DeGrazia says, and should “consider future meetings to stay on top of the changing landscape of threats and discuss progress on action items resulting from the after-action report.”

Ultimately, the report should “provide clear guidance on what happened, how it could have been prevented, and how to detect and respond to similar future attacks,” DeGrazia says.


How to Incorporate Lessons Learned from a Post-Incident Report

Following the creation of a post-incident report, there are several steps organizations can take to ensure the findings get put to good use, experts say.

Plaggemier says that following the creation of the report, it’s important to communicate to the organization’s board the key facts of the incident as well as “what you’ve done about it and steps you’ve taken to make sure a similar incident won’t happen again.”


