Assessing the team and processes' effectiveness

Lessons learned
  How soon did detection and identification happen?
  How did the initial response go once the incident was identified?
  What work was performed, and by whom, during each phase?
  How effective were containment and eradication?
  What areas should be improved?
  Suggestions for improvement

How soon did detection happen?
  How long after the initial compromise? Days, months, years?
  Was this sufficient?
  How much of the detection responsibility falls on IR?

How effective was the initial response?
  Was your team able to follow the playbook effectively?
  Was time wasted waiting for access to information or systems?
  Did the initial notification reach the right people at the right time?
  Did the initial notification contain accurate information?

What work was performed during each phase?
  Who performed what work?
  Was it sufficient for the incident?
  Was information from previous phases properly passed on and ingested?

How effective were containment and eradication?
  How long did it take?
  How many times did your team have to "redo" containment?
  During post-eradication monitoring, did signs of malware or compromise continue to appear?
  How many times did you have to repeat this cycle?
  Were the eradication tools effective?
  Did you have to bring in additional or new tools?

What areas should be improved?
  Do you need better tools?
  Was staff appropriately skilled?
  Is more training needed?
  Was communication appropriate and sufficient?

Suggestions for improvement
  Keep improvement suggestions positive
  Minimize pointing out specific individuals
  Speak more to the overall function or role
  Allow suggestions from the entire team
  Consider a blind suggestion box or portal