Chapter 6. Postmortem and Improvement

This chapter covers the following topics:

Collected Incident Data

Root-Cause Analysis and Lessons Learned

Building an Action Plan

After any security incident, you should hold a postmortem. At this postmortem, you should review the full chronology of events that took place during the incident, from initial detection through containment, eradication, and recovery. This chapter covers common best practices for documenting a security incident postmortem.

The postmortem is one of the most critical steps in incident management. It should be built on an analysis of the gaps that allowed the security incident to occur, together with the resulting recommendations for improvement. These recommendations will shape your policies, processes, standards, and guidelines. ...

Get End-to-End Network Security: Defense-in-Depth now with the O’Reilly learning platform.
