Page 1195 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Lessons Learned

During the lessons learned stage, personnel examine the incident and the response to see if there are any lessons to be learned. The incident response team will be involved in this stage, but other employees who are knowledgeable about the incident will also participate.

While examining the response to the incident, personnel look for any areas where they can improve their response. For example, if it took a long time for the response team to contain the incident, the examination tries to determine why. It might be that personnel don't have adequate training and didn't have the knowledge and expertise to respond effectively. They may not have recognized the incident when they received the first notification, allowing an attack to continue longer than necessary. First responders may not have recognized the need to protect evidence and inadvertently corrupted it during the response.

Remember, the output of this stage can be fed back to the detection stage of incident management. For example, administrators may realize that attacks are getting through undetected and increase their detection capabilities and recommend changes to their intrusion detection systems.

It is common for the incident response team to create a report when they complete a lessons learned review. Based on the findings, the team may recommend changes to procedures, the addition of security controls, or even changes to policies. Management will decide what recommendations to implement and is responsible for the remaining risk for any recommendations they reject.

Delegating Incident Response to Users

In one organization, the responsibility to respond to computer infections was extended to users. Close to each computer was a checklist that identified common symptoms of malware infection. If users suspected their computers were infected, the checklist