After an Incident

Summary

This guide is for the cybersecurity incident response team (CSIRT) to use after the recovery phase of a cyber incident involving an OU computer (for example, a malware infection or unauthorized access).

Body

Overview

This guide is for the cybersecurity incident response team (CSIRT) that has completed the investigation and recovery of an OU computer involved in a cyber incident (for example, a malware infection or unauthorized access). It covers the two remaining steps before an incident is closed: the Post Incident Report and the handling of evidence collected during the response.

Post Incident Checklist

Post Incident Report

Post incident reports are used to identify root causes and opportunities to improve the overall security posture of OU, to prevent recurrence, to enhance detection, and to improve future response actions. Incidents classified as Critical or High require a completed Post Incident Report. Post Incident Reports are considered confidential and must not be distributed outside the CSIRT without approval from the Director for OU IT GRC. OU IT GRC has developed a Post Incident Report Playbook that defines a series of checklists for common incident types, so that the same data is captured consistently across security incidents.

  1. The Post Incident Report documentation must contain, at a minimum:
    1. Executive Summary of Incident
    2. Incident Metrics
    3. Supporting Checklists
    4. Lessons Learned
    5. IT Risk Assessment
    6. Associated ticket in the ITSM system of record.
  2. Before the report is started, the CSIRT should determine, in consultation with the Office of Legal Counsel, whether the post incident report should be prepared under attorney-client privilege; this decision affects who may author, review, and receive the report.
  3. IT GRC starts the post incident report and assigns team members to complete relevant sections of the report. Post incident reports should be completed within two (2) weeks of incident recovery.
  4. The CSIRT provides input into the lessons learned (e.g., what worked well; what didn't work so well).
  5. IT GRC develops recommendations based on lessons learned and root cause.  

Evidence Retention

Cybersecurity Incident Response activities will be documented, including any artifacts (for example, disk or memory images, log exports, and malware samples) obtained using methods consistent with chain of custody and confidentiality requirements. Artifacts obtained during Cybersecurity Incident Response may be deleted after the closure of the Cybersecurity Incident, unless retention is directed by the Office of Legal Counsel, the Chief Information Officer, or the Director, IT Governance, Risk, and Compliance. Before deleting any artifact, the CSIRT should confirm that no such retention direction (for example, a legal hold) is in effect for the incident.

Details


Article ID: 3261
Created: Thu 7/18/24 3:30 PM
Modified: Thu 7/18/24 4:08 PM

Related Articles


Cybersecurity Incident Response Plan: establishes the procedures for identifying, reporting, and responding to a cybersecurity event. It defines the basic language used to discuss such events, identifies the roles and responsibilities involved in responding to and recovering from them, and provides a playbook for handling an event from the time it is detected through the post incident report and event closure.