Overview
This guide is for the cybersecurity incident response team that has completed the investigation of an OU computer that has been involved in a cyber incident (for example, a malware infection or unauthorized access).
Post Incident Checklist
Post Incident Report
Post incident reports are used to identify root causes and opportunities to improve the overall security posture of OU, prevent recurrence, enhance detection, and improve future response actions. Incidents classified as Critical or High require a completed Post Incident Report. Post Incident Reports are considered confidential and must not be distributed outside the CSIRT without approval from the Director for OU IT GRC. OU IT GRC has developed a Post Incident Report Playbook that defines a series of checklists for common incident types to ensure consistent data across security incidents.
- The Post Incident Report documentation must contain, at a minimum:
  - Executive Summary of Incident
  - Incident Metrics
  - Supporting Checklists
  - Lessons Learned
  - IT Risk Assessment
  - Associated ticket in the ITSM system of record
- The CSIRT should determine whether the Post Incident Report should be prepared under attorney-client privilege.
- IT GRC starts the Post Incident Report and assigns team members to complete the relevant sections of the report. Post Incident Reports should be completed within two (2) weeks of incident recovery.
- The CSIRT provides input into the lessons learned (e.g., what worked well; what didn't work so well).
- IT GRC develops recommendations based on lessons learned and root cause.
Evidence Retention
Cybersecurity Incident Response activities will be documented, including artifacts obtained using methods consistent with chain-of-custody and confidentiality requirements. Artifacts obtained during Cybersecurity Incident Response may be deleted after the closure of the Cybersecurity Incident, unless otherwise directed by the Office of Legal Counsel, the Chief Information Officer, or the Director, IT Governance, Risk, and Compliance.