This page is meant to collect some lessons learnt from past security incidents.

This input can be taken into account when setting up, reviewing or recovering an information system, but it is not meant to be exhaustive; additional security measures addressing the specific risks of each information system are still required.

The final step of Incident Response

The PICERL incident response model consists of six phases: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learnt. Lessons learnt, also called the debriefing, is the final phase: the documentation is wrapped up, every step of the response is discussed and reviewed, the final report is sent to all stakeholders, and a detailed post-incident review is conducted to identify areas for improvement. The goal is to make the incident response process more effective and efficient.

The lessons learnt phase should not be overlooked: skipping it makes it likely that the same mistakes will be repeated in the next incident.

During the debriefing, you should get answers to the following questions:

  • What happened, how and why?
  • What was the scope?
  • How was the incident contained and eradicated?
  • How did we/the site deal with it?
  • What were the problems and what can be done to eliminate them?
  • What went well?
  • What was missing (e.g. a contact list or a procedure) or went badly?
  • What needs to be changed?
  • How did the recovery process go, what was done?

Invite all stakeholders to a lessons learnt meeting and go through these questions together. The resulting answers on how to improve the incident response process should be incorporated into the documentation, policies and procedures right away.

Lessons from past incidents

WIP

To be completed.
