nerdexam
GIAC

GCIH · Question #508

In an attempt to contain an incident, the response team shut down a critical server without communicating with the Network Operations team. This led to upset management, poor customer service, and pro

The correct answer is D. Do we need to change any steps in our process?. The focus of follow-up or Lessons Learned meeting after incidents is to agree on a description of events, and to discover ways to improve processes and technology. Focusing on a single member of the team isn't a best practice during these meetings 鈥" the focus should be on proces

Incident Response & Cyber Kill Chain

Question

In an attempt to contain an incident, the response team shut down a critical server without communicating with the Network Operations team. This led to upset management, poor customer service, and profit loss. The incident has since been closed, and Sam is leading a follow-up meeting. Which of the following questions is most appropriate for the focus of this meeting?

Options

  • AShould these issues be included in the report?
  • BWhich member of the team turned off the server?
  • CWhat consequences did the organization suffer from the mistake?
  • DDo we need to change any steps in our process?

How the community answered

(36 responses)
  • A
    14% (5)
  • B
    3% (1)
  • C
    6% (2)
  • D
    78% (28)

Explanation

The focus of follow-up or Lessons Learned meeting after incidents is to agree on a description of events, and to discover ways to improve processes and technology. Focusing on a single member of the team isn't a best practice during these meetings 鈥" the focus should be on process improvement. All relevant events should be in reports.

Topics

#lessons learned#post-incident review#process improvement#incident communication

Community Discussion

No community discussion yet for this question.

Full GCIH Practice