Post-Incident Review Report
Incident ID: [IR-YYYY-###]
Incident Name: [Descriptive name]
Review Date: [Date]
Review Facilitator: [Name]
Attendees: [List all participants]
1. Incident Summary
| Field | Detail |
|---|---|
| Detection Date/Time | [YYYY-MM-DD HH:MM TZ] |
| Declaration Date/Time | [When incident was formally declared] |
| Containment Date/Time | [When the threat was contained] |
| Eradication Date/Time | [When the threat was eliminated] |
| Recovery Date/Time | [When normal operations resumed] |
| Closure Date/Time | [When incident was formally closed] |
| Total Duration | [Hours/Days, measured from detection to closure] |
| Severity Level | [SEV-1/2/3/4] |
| Incident Category | [Malware/Phishing/Unauthorized Access/etc.] |
What Happened
[Provide a factual narrative of the incident from initial detection through resolution. Include a timeline of key events, and tie each event to the evidence that supports it (log source, alert ID, ticket, or artifact) so the timeline can be verified later. Be specific about what systems were affected, what data was at risk, and what the attacker did or attempted to do.]
Root Cause
[Describe the root cause of the incident. What vulnerability or weakness was exploited? What allowed the incident to occur? Distinguish the root cause (the weakness that made the incident possible) from the initial access vector (how the attacker first got in) and from contributing factors (gaps that made it worse or slower to detect); a fix that addresses only the access vector leaves the root cause in place.]
Impact
| Impact Area | Description |
|---|---|
| Systems Affected | [List of systems] |
| Data at Risk/Compromised | [Types and volume of data] |
| Users Affected | [Number and type] |
| Business Operations Impact | [Downtime, degraded services] |
| Financial Impact | [Estimated costs -- response, recovery, legal, notification] |
| Regulatory Impact | [Notifications required, potential fines] |
| Reputational Impact | [Media coverage, customer notification, partner impact] |
2. Response Evaluation
What Went Well
- [List specific things that worked during the response]
- [Include effective decisions, tools that performed well, team actions that were timely]
What Could Be Improved
- [List specific areas where the response fell short]
- [Include delays, communication gaps, tool limitations, process failures]
Key Metrics
[Compute each metric from the timestamps in the Incident Summary and state the interval used, so values are comparable across incidents. A common convention: Time to Detect runs from the earliest evidence of attacker activity in the timeline to Detection; Time to Respond from Detection to Declaration; Time to Contain from Declaration to Containment; Time to Recover from Containment to Recovery. Use timestamps with explicit time zones; if the start of compromise is unknown, record Time to Detect as unknown rather than measuring from detection.]
| Metric | Value | Target | Met? |
|---|---|---|---|
| Time to Detect | [Hours] | < 24 hours | Yes/No |
| Time to Respond | [Hours] | < 4 hours | Yes/No |
| Time to Contain | [Hours] | < 8 hours | Yes/No |
| Time to Recover | [Hours] | < 72 hours | Yes/No |
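The four metrics above can be derived mechanically from the timestamps recorded in the Incident Summary. The Python script below is an added example, not part of the original template; it assumes a timeline dictionary whose keys mirror the summary fields plus a `first_evidence` timestamp taken from the narrative timeline (an assumption, since the summary table has no compromise-start field), uses the targets from the table, and does all arithmetic on timezone-aware datetimes so that timestamps recorded by different teams in different zones do not distort the intervals. The sample timeline is constructed placeholder data.

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample timeline (placeholder values, not a real incident).
# Keys mirror the Incident Summary fields; "first_evidence" is an assumed
# extra field for the earliest attacker activity found in the logs.
# Offsets are mixed on purpose: the recovery time was logged in UTC by a
# different team, the rest in US Eastern.
SAMPLE_TIMELINE = {
    "first_evidence": "2024-03-01T22:10:00-05:00",
    "detection":      "2024-03-02T09:30:00-05:00",
    "declaration":    "2024-03-02T11:00:00-05:00",
    "containment":    "2024-03-02T15:30:00-05:00",
    "eradication":    "2024-03-03T12:00:00-05:00",
    "recovery":       "2024-03-04T08:00:00+00:00",
    "closure":        "2024-03-08T17:00:00-05:00",
}

# (metric, start field, end field, target in hours) -- targets as in the table above
METRICS = [
    ("Time to Detect",  "first_evidence", "detection",   24.0),
    ("Time to Respond", "detection",      "declaration",  4.0),
    ("Time to Contain", "declaration",    "containment",  8.0),
    ("Time to Recover", "containment",    "recovery",    72.0),
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; reject naive values (no offset),
    because a time without a zone is ambiguous across teams."""
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {value!r} has no UTC offset")
    return dt


def hours_between(timeline: dict, start: str, end: str) -> Optional[float]:
    """Elapsed hours from timeline[start] to timeline[end], or None if either
    timestamp is missing. Aware datetimes make the subtraction offset-correct."""
    if timeline.get(start) is None or timeline.get(end) is None:
        return None
    delta = parse_ts(timeline[end]) - parse_ts(timeline[start])
    if delta < timedelta(0):
        raise ValueError(f"{end} precedes {start}; check the timeline")
    return round(delta.total_seconds() / 3600, 2)


def compute_metrics(timeline: dict) -> list:
    """Return one row per metric with the measured hours and whether the
    template target (strict '<') was met; both are None when unmeasurable."""
    rows = []
    for name, start, end, target in METRICS:
        hours = hours_between(timeline, start, end)
        met = None if hours is None else hours < target
        rows.append({"metric": name, "hours": hours, "target_hours": target, "met": met})
    return rows


def total_duration_hours(timeline: dict) -> Optional[float]:
    """Total Duration as defined in the summary: detection to closure."""
    return hours_between(timeline, "detection", "closure")


def render_table(rows: list) -> str:
    """Render the rows in the Key Metrics table layout used by this template."""
    lines = ["| Metric | Value | Target | Met? |", "|---|---|---|---|"]
    for r in rows:
        value = "Unknown" if r["hours"] is None else f"{r['hours']:g} h"
        met = "Unknown" if r["met"] is None else ("Yes" if r["met"] else "No")
        lines.append(f"| {r['metric']} | {value} | < {r['target_hours']:g} hours | {met} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(compute_metrics(SAMPLE_TIMELINE)))
    print(f"Total Duration (detection to closure): {total_duration_hours(SAMPLE_TIMELINE)} h")
```

With the sample data, Time to Recover comes out as 35.5 hours; treating the UTC recovery timestamp as if it were Eastern would have reported 40.5 hours, which is the kind of error the aware-datetime check prevents. When `first_evidence` is absent the Time to Detect row renders as Unknown instead of silently measuring from detection.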
3. Lessons Learned
Detection
- Were our detection capabilities adequate?
- Could we have detected this incident sooner? How?
- Are there new detection rules or IOCs we should implement?
[Findings]:
Preparation
- Did the IR plan cover this scenario adequately?
- Were the right people on the team? Were roles clear?
- Did we have the tools and access we needed?
[Findings]:
Response
- Were containment actions timely and effective?
- Was the escalation process followed correctly?
- Were there any delays or bottlenecks?
[Findings]:
Communication
- Were stakeholders notified appropriately?
- Was the communication timely and accurate?
- Were there any miscommunications or gaps?
[Findings]:
Recovery
- Was the recovery process smooth?
- Were backups adequate and accessible?
- Did we verify systems were clean before returning to production?
[Findings]:
4. Action Items
| # | Action Item | Owner | Priority | Due Date | Status |
|---|---|---|---|---|---|
| 1 | [Specific improvement action] | [Name] | High/Med/Low | [Date] | Open |
| 2 | [Specific improvement action] | [Name] | High/Med/Low | [Date] | Open |
| 3 | [Specific improvement action] | [Name] | High/Med/Low | [Date] | Open |
| 4 | [Specific improvement action] | [Name] | High/Med/Low | [Date] | Open |
| 5 | [Specific improvement action] | [Name] | High/Med/Low | [Date] | Open |
5. IR Plan Updates Required
Based on this incident, the following updates to the Incident Response Plan are recommended:
- [ ] [Specific plan update 1]
- [ ] [Specific plan update 2]
- [ ] [Specific plan update 3]
6. Approval
| Name | Title | Signature | Date |
|---|---|---|---|
| [Review Facilitator] | [Title] | [Signature] | [Date] |
| [IR Manager] | [Title] | [Signature] | [Date] |
| [Executive Sponsor] | [Title] | [Signature] | [Date] |
Template provided by Petronella Technology Group. For incident response services, contact 919-348-4912.