# Assessing the team and processes' effectiveness

## Lessons learned

* How soon did detection and identification happen?
* How did the initial response go once the incident was identified?
* What work was performed and by whom during each phase?
* How effective was containment and eradication?
* What areas should be improved?
* Suggestions for improvement

## How soon did detection happen?

* How long after initial compromise? Days, months, years?
* Was this sufficient?
* How much of the detection responsibility is on IR?

## How effective was the initial response?

* Was your team able to follow the playbook effectively?
* Was there time wasted waiting for access to information or systems?
* Did the initial notification make it to the right people at the right time?
* Was the information in the initial notification accurate?

## What work was performed during each phase?

* Who performed what work?
* Was it sufficient for the incident?
* Was information from previous phases properly passed on and ingested?

## How effective was containment and eradication?

* How long did it take?
* How many times did your team have to "redo" containment?
* After eradication, did monitoring continue to show signs of malware or compromise?
  * How many times did you have to repeat this cycle?
* Were eradication tools effective?
  * Did you have to bring in additional or new tools?

## What areas should be improved?

* Do you need better tools?
* Was staff appropriately skilled?
  * Do we need more training?
* Was communication appropriate and sufficient?

## Suggestions for improvement

* Keep improvement suggestions positive
* Minimize pointing out specific individuals
  * Speak more to the overall function or role
* Allow suggestions from the entire team
  * Consider a blind suggestion box or portal

