Exam CISM
Question 956

Which of the following is the FIRST step when conducting a post-incident review?

    Correct Answer: C

    The first step in conducting a post-incident review is to perform root cause analysis. This involves thoroughly examining the incident to determine the underlying reasons it occurred. Understanding the root cause is essential for identifying potential gaps in your systems and processes, preventing future incidents, and improving overall security measures. Assessing the costs, identifying mitigating controls, and assigning responsibility for corrective actions would logically follow after understanding what caused the incident in the first place.

Discussion
richck102 (Option: C)

I vote C. Perform root cause analysis.

iacini

Isn't root cause analysis essential in the eradication phase?

devilend

The root cause may not be defined at the eradication phase, as in a ransomware incident. Check Quiz 949.

helg420

I thought so too; however, after some research, it appears there is also a strategic place for RCA in the PIR phase. Here's why: During Eradication, the focus is on eliminating the threat from the affected systems and preventing its immediate spread. RCA at this stage is aimed at understanding how the threat entered and escalated within the system, to ensure complete removal. The urgency is on addressing the incident and securing the environment. During PIR, the emphasis shifts to a broader analysis and reflection. Here, RCA is revisited or expanded upon with the benefit of hindsight, more data, and a less pressured environment compared to the active incident response. This review aims to refine the incident response process, improve the security posture, and ensure better preparedness for future incidents. The distinction here is not so much about when RCA is performed, as it is critical at multiple stages, but rather about the depth and breadth of the analysis.

AlexJacobson (Option: B)

Well, this is weird. According to the CISM Exam Prep Guide (2nd ed.), page 453, both B and C are correct and B is considered first, but it's not explicitly said.

AlexJacobson

CISM AIO on page 501 is more concrete: "- Post-incident Review - Shortly after the incident closes, incident responders and other personnel meet to discuss the incident: its cause, impact, and the organization’s response. Discussion can range from lessons learned to possible improvements in technologies and processes to improve defense and response further."