In a regulated payment environment, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?
Trap 1: A generic statement that security is important
Useful reviews create concrete actions.
Trap 2: Deletion of all incident tickets
Tickets provide evidence and improvement history.
Trap 3: A blame list of individual analysts
Blame-focused reviews discourage reporting and do not fix process gaps.
- A. A generic statement that security is important
  Why wrong: Useful reviews create concrete actions.
- B. Deletion of all incident tickets
  Why wrong: Tickets provide evidence and improvement history.
- C. A blame list of individual analysts
  Why wrong: Blame-focused reviews discourage reporting and do not fix process gaps.
- D. Specific playbook updates, escalation triggers, owners, and due dates
Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.