- Detection of the problem
- Information gathering through monitoring tools
- Notification/Assembly of the response team
- Problem solving (response)
- Incident resolution
- After Action Reviews (AAR)
- *Quality Improvement (QI) and Quality Assurance (QA)
You may see a list in a different order, or perhaps with a different step here or there, but for the most part, this is how an IT incident evolves. Figure 1-1 depicts the Incident Lifecycle. QA and QI are part of the AAR process, and not called out as a separate item here.
You’ll notice we have used all capital letters to spell PROCESS. This is no mistake. We have developed an acronym that represents the 7 key attributes of managing any incident response program.
Quality Assurance (QA): Taking an objective look at a behavior, decision or circumstance, evaluating it against the established standard, and ensuring the expected behavior is occurring.
Quality Improvement (QI): Finding opportunities, weaknesses or missing pieces of the response mechanism and taking steps to correct/improve the deficiency.
It’s all about getting better – not finding blame!
And while you may uncover some uncomfortable ‘landmines’ of poor or inconsistent performance or other aspects of the incident response PROCESS, it’s better to identify them, acknowledge them and do what it takes to improve the deficiency. Absent any thoughtful way of objectively evaluating the incident response PROCESS, poor performance may become the established norm and, culturally, it will be more difficult to change down the road.
- PROCESS is an acronym you can use as a programmatic evaluation tool. Using each point to guide a discussion about the various aspects of your incident response process can help provide insights into areas you may be able to improve.
- Any incident response process mechanism must be Predictable to ensure maximum efficiency.
- You should be able to respond the same way, every minute of every business hour.
- Team members should be trained, equipped and ready to do the job the company is asking them to do.
- Everyone on the incident response team should know exactly: what is expected of them; what their role is; what latitude they have to make decisions on an incident; and know they have support from executive leadership to solve problems on behalf of the organization.
- A good incident response process can rapidly scale and de-escalate to match the needs of the incident.
- Solid incident response programs are built to be sustainable in terms of recruiting the best talent and keeping them.
- An organization should build and maintain a culture of response and view it as being as important as any other business unit.