Perform a questionnaire-based post incident review

You can decide that a review of the security incident is warranted. It describes what happened, helps to determine why the incident occurred, and identifies how it can be avoided or handled in the future.

Before you begin

Role required: sn_si.admin, sn_si.manager, sn_si.analyst
Note: Any user can participate in a post incident review questionnaire, regardless of role. Roles can be assigned to a review.

About this task

A post incident review automates the collection of information from everyone involved with a given security incident. As each user completes the questionnaire, the post incident report is automatically generated. The report compiles all the information related to the security incident, as well as all responses to the post incident review.

Procedure

  1. Create a security incident, or open an existing one by navigating to Security Incident > Incidents > Assigned to Me (or Assigned to Team or Unassigned Incidents).
  2. Click the Post Incident Review tab, and fill in the fields, as appropriate.
    Field Description
    Request assessments The reviewer list defaults to the individual in the Assigned to field, but you can click the lock icon to add other users to the review list. After the field is unlocked, options are available for adding or removing multiple users, roles, or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
  3. Click Update.
    When the incident goes into the Review state (or immediately, if it is already in Review), each of the users in the review list receives an initial email notification. Reminders are sent as the due date nears. When each user accesses the questionnaire from the email link or by going to Post Incident Review > My Pending Reviews, the questions shown are drawn from all categories that fit this security incident. If new users are added to the review list before the due date is reached, they are sent notifications when the security incident is saved.
  4. As users complete their questionnaires, the post incident report compiles the data and displays the report in the Post Incident Review tab. The questionnaire data is displayed in the Findings tab.