MSP Security: How to Conduct a Post-Incident Review

Author: TruMethods

Does your company have an Incident Response Plan in the event that your RMM and clients are breached? Has it been tested? 

If you think your job is done after an incident ends, I’ve got some bad news for you: There’s still plenty of work to be done. Your Incident Response plan should include a post-incident review process to ensure you and your team evaluate how everything was handled during the incident and address any irregularities for next time.

Your post-incident review is just as important as the rest of your Incident Response plan. It should also be taken seriously. Even when there’s no immediate threat, you want to better prepare yourself for potential incidents down the road.

There are a few things to consider after an incident occurs.  

 

What did you learn? 

Strengthen and improve your plan by evaluating incidents after they occur for any missteps. Things happen fairly quickly during a crisis (as you’re probably aware). Even with an effective Incident Response plan in place, you’re going to make mistakes from time to time. What's key is that you learn from them.

Call a meeting and invite members of your Incident Response Team when reviewing an incident. The meeting should be designed to help improve your plan for the future. All of the meeting participants should be willing to provide input and constructive feedback.

Several questions should be answered during this meeting, including the following:

  • What actions were performed by the staff and were procedures followed?  
  • What happened and when? 
  • Were the documented procedures accurate and sufficient?  
  • What actions hindered recovery? 

Additionally, review any and all documents developed during the incident, especially reports.  

 

Review documentation 

Delve into any documentation created during an incident when you’re pinpointing lessons learned. This includes all system events, all actions taken, and all external conversations. Review these documents to ensure completeness and identify any potential blunders made by you or members of your team.

Additionally, create an incident report for easy tracking and reference. Identify areas of potential improvement in this report. Also, include the following items: description of the exact sequence of events, method of discovery, preventative measures implemented post-incident and key takeaways. 

 

Tasks to follow after generating takeaways  

It’s always important for your Incident Response team to review key takeaways with stakeholders. Have your team discuss ways to mitigate the risk of future incidents (e.g., implementing policies, procedures, training and other safeguards) with stakeholders when they meet with them.

Also, share any information you acquire about the incident with the appropriate authorities. Your security leadership team and legal team should be able to assist you with determining the appropriate organizations to contact.

After an incident is over, you’re not off the hook. Gather your team together to assess what went well, what didn’t and how you can improve your Incident Response plan for future incidents.
