Perform a questionnaire-based post incident review

Either during security incident creation or when you are working with an existing security incident, you may decide that a review of the security incident is needed to describe what happened, to help determine why the incident occurred, and to identify how it can be avoided or handled in the future.

Before you begin

Before you can perform a post incident review, you must change the state of the security incident to Review and complete the Close code and Close notes fields under the Closure information tab.
Role required: sn_si.admin, sn_si.manager, sn_si.agent
Note: Any user can participate in a post incident review questionnaire, regardless of role.

About this task

A post incident review helps to automate the collection of information from everyone involved with a given security incident. When the review is complete, the post incident report is automatically generated to compile all of the information related to the security incident, as well as all responses to the post incident review, into an initial draft that you can edit and complete.

Procedure

  1. Create a security incident, or open an existing one by navigating to Security > Incident and selecting Created by me, Open, All, and so forth.
  2. Click the Post Incident Review tab, and fill in the fields, as appropriate.
    Field: Description
    Post incident review required: Select this check box to indicate that a post incident review is required for this security incident.
    Post incident review assignees: The reviewer list defaults to the individual in the Assigned to field, but you can click the lock icon to add other users to the review list. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
    Post incident report: Leave the text editor box empty for now. Any text you enter prior to the report being generated will be lost after the report is generated.
  3. Click Update.
    Each of the users in the review list receives an initial email notification, as well as reminders as the due date nears. When each user opens the questionnaire, the questions shown are drawn from all categories that fit this security incident. If new users are added to the review list before the due date is reached, they are sent notifications when the security incident is saved.
  4. When the last of the users in the review list has completed the questionnaire, the Post incident report box is automatically populated with the post incident report.
  5. You can edit the report using the text editor.
    Note: If, for any reason, you need to regenerate the report, you can do so by clicking the Format Post Incident Report button. Be aware, however, that any edits you made manually in the report will be overwritten. All edits should be performed prior to closing the security incident.
  6. When you have completed your edits, change the state of the security incident to Closed. This locks the security incident, including the post incident review, preventing further changes.