Does your company have an Incident Response Plan in the event that your RMM and clients are breached? Has it been tested?
If you think your job is done after an incident ends, I’ve got some bad news for you: There’s still plenty of work to be done. Your Incident Response plan should include a post-incident review process to ensure you and your team evaluate how everything was handled during the incident and address any irregularities for next time.
Your post-incident review is just as important as the rest of your Incident Response plan. It should also be taken seriously. Even when there’s no immediate threat, you want to better prepare yourself for potential incidents down the road.
There are a few things to consider after an incident occurs.
What did you learn?
Strengthen and improve your plan by evaluating incidents after they occur for any missteps. Things happen fairly quickly during a crisis (as you’re probably aware). Even with an effective Incident Response plan in place, you’re going to make mistakes from time to time. What's key is that you learn from them.
Call a meeting and invite members of your Incident Response Team when reviewing an incident. The meeting should be designed to help improve your plan for the future. All of the meeting participants should be willing to provide input and constructive feedback.
Several questions should be answered during this meeting, including the following:
- What actions were performed by the staff and were procedures followed?
- What happened and when?
- Were the documented procedures accurate and sufficient?
- What actions hindered recovery?
Additionally, review any and all documents developed during the incident, especially reports.
Review documentation
Delve into any documentation created during an incident when you’re pinpointing lessons learned. This includes all system events, all actions taken, and all external conversations. Review these documents to ensure completeness and identify any potential blunders made by you or members of your team.
Additionally, create an incident report for easy tracking and reference. Identify areas of potential improvement in this report. Also, include the following items: description of the exact sequence of events, method of discovery, preventative measures implemented post-incident and key takeaways.
Tasks to follow after generating takeaways
It’s always important for your Incident Response team to review key takeaways with stakeholders. When the team meets with stakeholders, have it discuss ways to mitigate the risk of future incidents (e.g., implementing policies, procedures, training and other safeguards).
Also, share any information you acquire about the incident with the appropriate authorities. Your security leadership team and legal team should be able to assist you with determining the appropriate organizations to contact.
After an incident is over, you’re not off the hook. Gather your team together to assess what went well, what didn’t and how you can improve your Incident Response plan for future incidents.