Reporting to the IR team
The IR team is usually at the forefront of mitigating an incident. It, therefore, has access to all information about an incident. Thus, when an incident has been handled, the team should be given a detailed report for their records that covers various details, which are as follows.
Description of the incident
The IR team will be given a description of the events that led to the incident, the systems or users that were affected, and the time the incident took place. The description should be as succinct and specific as possible as the team members will already be conversant with the whole incident.
Cause of the incident
The report should also explain the cause of the incident. The root cause of the incident needs to be validated before its inclusion in the report. This is because the real cause of a security breach might at times not be easy to discern and using assumptions in the report could create a perilous precedent or possible confusion...