Chapter 9. Conducting a Post-Incident Review

Now that we’ve established the “what” and “why” of a post-incident review, we can begin to take a closer look at the “how.”

There are various approaches to conducting a successful analysis. Some follow strict formats, while others tend to be much more informal. This book attempts to provide some structure or guidance for conducting your next analysis. If you are worried about it being too restrictive or not providing what management is asking for, don’t panic. If management needs additional information, it is reasonable to adjust the suggested guidelines provided in Chapter 10 to meet your needs.

My advice when asked to stray too much from the guide is to keep in mind the basic principles of Chapter 5, where we discussed that the point of this exercise is to learn so that we may improve our methods of knowing about a problem sooner (detection) as well as how we can recover (response and remediation) sooner. Cause, severity, impact, and additional topics of interest may be included in your own analysis, but don’t let them distract you from a learning opportunity.

A well executed post-incident review has a clearly stated purpose and repeatable framework. Let’s take a moment to address some of the key components.