Incidents that negatively impact businesses and other organizations, such as cyber attacks, can stem from multiple issues; an appropriate response should therefore not only remediate them but also produce plans to ensure they do not happen again. This is done through a process known as post-incident response: an evaluation of an established incident response plan that recommends how best to move forward, according to Disaster Response Journal.
Incident response plans are important to many industries and are required, for example, of businesses and organizations that handle credit card transactions under the Payment Card Industry Data Security Standard, according to Security Metrics. These requirements include annual IRP testing, regular training and implementation of plan management processes.
Purpose of post-incident response
Overall, the creation of a PIR demonstrates that an organization has taken the necessary steps to learn from an incident and ensure that a similar one does not recur, according to Digital Guardian. Nevertheless, PIRs are often "one of the most neglected components" of disaster recovery planning, per Disaster Response Journal; VictorOps found in a study that 75% of the "incident life cycle" is spent specifically on response.
To facilitate continued improvement of the incident response lifecycle over time, organizations should establish post-incident review processes that specify the key metrics to obtain and the exact steps to follow. Not only should the hardware and virtual aspects of a system be analyzed; the actions taken by the humans behind the machines are also key to a strong PIR, so data on processes, tooling and the people involved should all be collected. For example, a PIR may identify a pattern of employee habits that led to an incident in the first place.
"Post-incident reviews that are simply focused on processes and tooling — and not the people involved — won't holistically improve the incident lifecycle over time. ... Painting the full picture of what happens during an incident leads to deeper insights and helps teams optimize the human part of being on-call," a VictorOps article notes.
How to conduct a PIR
At a minimum, experts recommend a handful of important steps that an organization should take when carrying out a post-incident response process, from the creation of an incident report to organization-wide interdepartmental coordination to prevent an issue from reappearing. Other experts further recommend a number of metrics to consider and questions to ask while carrying out these steps. Based on those recommendations, here are three steps to follow in creating a PIR:
- Create an incident report:
While technically one of the final steps of the initial incident response, the creation of a detailed incident report improves the effectiveness of a PIR. In particular, this step should record and present the metrics gathered from incident analysis. At a minimum, an incident report should include a timeline with key details such as when the issue was first detected, when and whether the incident escalated in severity, and which attempted remediation tasks had a positive, negative or no observable impact on the situation, according to VictorOps. Other important details to note in the timeline include the names of the first people to acknowledge the issue after the incident was discovered, as well as the nature of the information exchanged in conversations between them at the time.
- Monitor the situation post incident and respond accordingly:
After an incident report has been created, an organization can use the information recorded to decide which aspects of an affected system or network should be monitored in order to build a long-term plan. At this point, those completing the PIR should have answered the initial questions about incident detection, response and resolution, among others, such as "how can we know more quickly?" and "how do we recover more quickly?" As a whole, the plan should also detail what was learned from the incident in terms of the people, processes and technology involved. Other information worth gathering includes community and stakeholder reactions to the incident, along with responses from the organization's leadership and from counterparts in the industry.
- Coordinate, update and implement the mitigation plan:
Based on the metrics and information gathered from the initial incident response and the subsequent post-incident monitoring and fixes, organizations can create a well-rounded long-term plan to prevent similar incidents from occurring. According to Digital Guardian, this includes the creation of what are known as enhanced security initiatives; for example, system management should employ cybersecurity controls that keep the organization in compliance with its incident mitigation plan, such as continued monitoring, control of administrator privileges, intrusion detection alerts, and data and malware protection.
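The three steps above centre on an incident report built around a timeline: when impact began, when it was detected and acknowledged, whether and when it escalated, and which remediation attempts had a positive, negative or no observable effect. The following Python script is an added example, not code from the original article or from any of the vendors it cites. It parses a constructed sample timeline in a simple pipe-delimited format (the format and the event names are assumptions for this example, not a standard) and derives the metrics a PIR would present for the "how can we know more quickly?" and "how do we recover more quickly?" questions: time to detect, time to acknowledge, time to resolve, total impact window, the escalation record, the first responders, and each remediation grouped by its observed impact.

```python
"""Added example: derive PIR timeline metrics from a constructed incident timeline."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample timeline for illustration only (not a real incident).
# Line format (an assumption for this example):
#   ISO-8601 timestamp | event kind | actor | detail [| observed impact]
# Event kinds used here: impact_start, detected, acknowledged, escalated,
# remediation (with impact positive/negative/none), resolved.
SAMPLE_TIMELINE = """\
2024-03-04T01:52:00Z|impact_start|-|checkout latency climbs above SLO
2024-03-04T02:10:00Z|detected|pager|p95 latency alert fired
2024-03-04T02:14:00Z|acknowledged|alice|acked page, opened incident channel
2024-03-04T02:20:00Z|remediation|alice|restarted api-gw-3|none
2024-03-04T02:31:00Z|escalated|alice|paged db on-call, severity raised to SEV1
2024-03-04T02:35:00Z|acknowledged|bob|joined from db on-call rotation
2024-03-04T02:40:00Z|remediation|bob|raised connection pool limit|negative
2024-03-04T02:48:00Z|remediation|bob|reverted pool change, killed long-running query|positive
2024-03-04T03:05:00Z|resolved|alice|latency under SLO for 15 min
"""


@dataclass
class Event:
    at: datetime
    kind: str
    actor: str
    detail: str
    impact: Optional[str] = None  # only meaningful for remediation events


def parse_timeline(text: str) -> List[Event]:
    """Parse pipe-delimited timeline lines into Events sorted by time."""
    events: List[Event] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split("|")
        if len(parts) < 4:
            raise ValueError(f"malformed timeline line: {raw!r}")
        ts, kind, actor, detail = parts[:4]
        impact = parts[4].strip() if len(parts) > 4 else None
        at = datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))
        events.append(Event(at, kind.strip(), actor.strip(), detail.strip(), impact))
    events.sort(key=lambda e: e.at)
    return events


def _first(events: List[Event], kind: str) -> Optional[Event]:
    return next((e for e in events if e.kind == kind), None)


def _minutes(a: Event, b: Event) -> float:
    return (b.at - a.at).total_seconds() / 60


def summarize(events: List[Event]) -> Dict[str, object]:
    """Compute the PIR metrics: detection, acknowledgement, resolution, remediation impact."""
    start = _first(events, "impact_start")
    detected = _first(events, "detected")
    acked = _first(events, "acknowledged")
    resolved = _first(events, "resolved")
    if not (start and detected and resolved):
        raise ValueError("timeline needs impact_start, detected and resolved events")

    # Group remediation attempts by the impact observed at the time.
    by_impact: Dict[str, List[str]] = {}
    for e in events:
        if e.kind == "remediation":
            by_impact.setdefault(e.impact or "unknown", []).append(e.detail)

    # Order of first acknowledgement, de-duplicated, identifies the first responders.
    responders = list(dict.fromkeys(e.actor for e in events if e.kind == "acknowledged"))

    return {
        "time_to_detect_min": _minutes(start, detected),
        "time_to_acknowledge_min": _minutes(detected, acked) if acked else None,
        "time_to_resolve_min": _minutes(detected, resolved),
        "total_impact_min": _minutes(start, resolved),
        "escalations": [e.detail for e in events if e.kind == "escalated"],
        "first_responders": responders,
        "remediation_by_impact": by_impact,
    }


def format_report(text: str) -> str:
    """Render the timeline and the derived metrics as a plain-text report section."""
    events = parse_timeline(text)
    lines = ["Timeline:"]
    for e in events:
        extra = f" [{e.impact}]" if e.impact else ""
        lines.append(f"  {e.at.strftime('%H:%M')} {e.kind:<13} {e.actor:<6} {e.detail}{extra}")
    lines.append("Metrics:")
    for key, value in summarize(events).items():
        lines.append(f"  {key}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_TIMELINE))
```

The "negative" bucket is the one to read first in a review: a remediation that made things worse is where the people-and-process questions (who decided, on what information, with what approval) usually surface. A negative time_to_detect means the recorded detection precedes the recorded impact start and the timeline itself needs correcting before any metric is trusted.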
Help your organization stay compliant with the latest regulations and requirements by visiting ProcessMAP's website and viewing its selection of mobile application solutions.