Either during security incident creation or when you are working with an existing
security incident, you may decide that a review of the security incident is needed to
describe what happened, to help determine why the incident occurred, and identify how it can
be avoided or handled in the future.
Before you can actually perform a post incident review, you must change the state of
the security incident to Review
, and the Close
and Close notes
fields under the
tab must be completed.
sn_si.admin, sn_si.manager, sn_si.agent
Note: Any user can participate in a post
incident review questionnaire, regardless of role.
A post incident review helps to automate the collection of information from everyone
involved with a given security incident. When the review is complete, the post
incident report is automatically generated to compile all of the information related
to the security incident, as well as all responses to the post incident review, into
an initial draft that you can edit and complete.
Create a security
incident, or open an existing one by navigating to , and selecting Created by me,
Open, All, and so forth.
Click the Post Incident Review tab, and fill in the
fields, as appropriate.
|Post incident review required
||Select this check box to indicate that a post
incident review is required for this security
|Post incident review assignees
||The reviewer list defaults to the individual in the
Assigned to field, but you
can click the lock icon to add other users to the review
list. After the field is unlocked, options are available
for adding or removing multiple users or entering user
email addresses. When you have completed your entries,
click the lock icon to lock the field.
|Post incident report
||Leave the text editor box empty for now. Any text you
enter prior to the report being generated will be lost
after the report is generated.
Each of the users in the review list receives an initial email
notification, as well as reminders as the due date nears. When each user opens
the questionnaire, the questions shown are drawn from all categories that fit
this security incident. If new users are added to the review list before the due
date is reached, they are sent notifications when the security incident is
When the last of the users in the review list have completed the questionnaire,
the Post incident report box is automatically populated
with the post incident report.
You can edit the report using the text editor.
Note: If, for any reason, you need to re-generate the report, you can do so by
clicking the Format Post Incident Report button. Be
aware, however, that any edits you manually made in the report will be
overwritten. All edits should be performed prior to closing the security
When you have completed your edits, change the state of the security incident
to Closed. This locks the security incident, including
the post incident review, preventing further changes.