# Perform a questionnaire-based post incident review

You can decide that a review of the security incident is warranted. The review describes what happened, helps to determine why the incident occurred, and identifies how it can be avoided or handled in the future.

## Before you begin

Role required: sn_si.admin, sn_si.manager, sn_si.analyst

Note: Any user can participate in a post incident review questionnaire, regardless of role. Roles can be assigned to a review.

## About this task

A post incident review automates the collection of information from everyone involved with a given security incident. As each user completes the questionnaire, the post incident report is automatically generated. The report compiles all the information related to the security incident, as well as all responses to the post incident review.

## Procedure

1. Create a security incident, or open an existing one by navigating to Security Incident > Incidents > Assigned to Me (or Assigned to Team or Unassigned Incidents).
2. Click the Post Incident Review tab, and fill in the fields, as appropriate.
   - Request assessments: The reviewer list defaults to the individual in the Assigned to field, but you can click the lock icon to add other users to the review list. After the field is unlocked, options are available for adding or removing multiple users, roles, or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
3. Click Update.

When the incident goes into the Review state (or immediately, if it is already in Review), each of the users in the review list receives an initial email notification. Reminders are sent as the due date nears. When each user accesses the questionnaire from the email link or by going to Post Incident Review > My Pending Reviews, the questions shown are drawn from all categories that fit this security incident.

If new users are added to the review list before the due date is reached, they are sent notifications when the security incident is saved.

As users complete their questionnaires, the post incident report compiles the data and displays the report in the Post Incident Review tab. The questionnaire data is displayed in the Findings tab.

# Create post incident review questionnaire categories

You can use the questionnaire categories that come with the base system or create your own categories.

## Before you begin

Role required: sn_si.admin

## About this task

To create a new category of questions:

## Procedure

1. Navigate to Security Incident > Post Incident Review.
2. Click Review Questions.

   A list of categories is displayed, along with their order and the filters that define under what conditions the questions are asked (for example, only when the security incident category is Criminal activity). Each category is a section in the post incident review questionnaire, and the questions in each category are included only when the security incident matches the Condition filter. For example, for a category of questions applying only to Linux servers, you would set up a filter that selects security incidents where the affected resource type is Linux Server. In that category, you would then create all questions needed when a security incident is on a Linux Server.

   You can use one of the categories supplied in the base system or create a new category. This procedure assumes that you want to create a new category before defining questions.
3. Click New in the list of categories.
4. Fill in the fields on the form, as appropriate.

   Table 1. Security incident
   - Name: Name for the category that appears on the security incident questionnaire.
   - Type: Post Incident Review is the default.
   - Create Stakeholders: Unused by Security Incident Response.
   - Table: This field is auto-assigned once the form is submitted.
   - Filter: Enter the condition that determines when questions in this category are used. If a security incident record matches this filter, the questions are included in a post incident review for that security incident. Filters can use any data on the record, or on other records linked to this record (for example, the department of the requesting user's manager).
   - Application: Scope application for the incident.
   - Weight: Numeric value that represents the importance of this metric relative to other metrics in the same category. By default, the weight is 10.
   - Total Metrics: Number of metrics used by the category.
   - Description: Description of the questionnaire.
5. Click Submit to save the category.

# Assign post incident review roles

You can target questions to specific pre-defined groups by assigning roles to Post Incident Review (PIR) categories.

## Before you begin

Role required: admin

## Procedure

1. Navigate to Assessments > Metric Definition > Types.
2. Under the Types column, search for a Post Incident Review record.
3. Open the record.
4. Assign one or more roles for this category of questions.
5. Click Update.
6. Navigate to User Administration > Users.
7. Choose a user.
8. Add one or more metric type roles to the user record.

   Note: The roles must correspond to roles assigned in the Post Incident Review category.

# Compose post incident review questions

You can use the questions that come with the base system or create your own questions.

## Before you begin

Role required: sn_si.admin

## About this task

The methods for gathering post incident review information can be in the form of questions or as data automatically collected using scripts.

Questions can depend on the answers to other questions. For example, you might ask if all necessary logs were available. If the answer is No, you ask a follow-up question to ascertain which of the needed logs were not enabled.

Scripted data collection, also called script metrics, gathers data related to the security incident via scripts you write. This can go well beyond the data in the security incident record itself. For example, a script metric could gather the recent outage time for a server affected by this security incident.

Finally, you can mix the two types. Questions can have default values taken from a script, or simply from a field in the security incident record. When you use a Default Answer from … type of question, you can choose whether you want the user to always answer the question (with the default value providing an initial value), or whether you want the user to be asked the question only if the script or field comes up empty.

To create a new question:

## Procedure

1. Navigate to Security Incident > Post Incident Review.
2. Click the category for which you want to create a new question.
3. Click the Assessment Metrics tab.
4. Click New. You can also click an existing question to modify it.
5. Fill in the fields on the form, as appropriate.

   Table 2. Metric form
   - Name: Name of the metric (question or script). If the metric is a scripted data collection, this name appears on the post incident report.
   - Category: The category that the metric belongs to. The system automatically populates this category if you create a new metric from the Metric Category form. Note: You cannot change the category if the Depends on field is set or if another metric depends on this metric.
   - Method: Indicates the type of metric, as follows:
     - Assessment: A question that has no default value. Several data types can be defined in the Data Type field on the Field Type tab, such as check boxes, choice lists, and text input.
     - Script: Scripted metric. Values are obtained by writing a custom script. The Script method is compatible with the Duration, Number, and Percentage data types.
     - Default answer from field: A question where the default response comes from a selected field in the security incident. Selecting this option adds two fields to the General tab:
       - Default answer: Select the field in the security incident that contains the default answer for the question. For example, for the question "Who initially reported this incident?", the Requested by field would be a likely choice.
       - Ask question: Specifies when to ask the question: always, or only if the Default answer field is empty. Using the example above, the question would be asked if the Requested by field is empty.
     - Default answer from script: A question where the default answer comes from a script. The answer may be a number, string, or percentage. The General tab adds one field:
       - Ask question: Specifies when to ask the question: always, or only if the script does not provide a default answer. The script is defined on the Field Type tab.

     Note: If you select a Data type that is incompatible with the selected Method, the system automatically changes the Method to a compatible value.
   - Weight [Required]: Numeric value that represents the importance of this metric relative to other metrics in the same category. By default, the weight is 10. This field is visible and required unless the Data type is Date, Date/Time, or String. These data types are not included in results calculations.
   - Order [Required]: Numeric value that determines the order of the metric question on assessment questionnaires, relative to other metric questions in the same category. The metric with the smallest order value appears as the first question in the category section. By default, the order is 100. Note: It does not matter which order value you use for metrics with the Script method, as they do not appear on questionnaires.
   - Active: Check box that determines whether this metric is used. If the check box is not selected, it is as if the metric record does not exist.
   - Mandatory: Check box that makes the metric question mandatory (selected) or optional (cleared) on assessment questionnaires. Users cannot submit questionnaires until they provide valid responses to all mandatory questions, which are denoted by a red field status indicator. This field is visible only if the Depends on field is empty and the data type is not Checkbox.
6. Click the General tab and fill in the fields, as appropriate.

   Table 3. General tab
   - Question: Text to use as the question on security incident review questionnaires. Enter a clear, straightforward question that is easy to answer, such as "How did we contain the incident?"
   - Description: Information about the metric and what it evaluates. If the Method is Assessment, include details that help users understand how to answer the question. This text appears as a hint when a user points to the question text on the questionnaire.
   - Depends on and Displayed when: Select a question in the Depends on field that the current question depends on. For example, the question "What additional logs were needed?" depends on the question "Were all needed logs available?" Next, use the Displayed when field to identify when you want the dependent question to appear in questionnaires. For example, if you want the dependent question to be asked only when the user answers No to the "Were all needed logs available?" question, select No in the Displayed when field. Note: The system prevents the creation of recursive dependencies between metrics. For example, if Metric A depends on Metric B, Metric B cannot depend on Metric A.
7. Click the Field Type tab and fill in the fields, as appropriate.

   Table 4. Field Type tab
   - Data type: The data type of the expected response. The list of available types depends on the selected method. If the method is Assessment, the data type determines how users answer the corresponding question on questionnaires. If the method is Script, the data type determines how the system calculates assessment results. Note: If another metric depends on this metric, you cannot change the data type.
   - Randomize answers: Check box that determines whether to present the answer options for this metric question in a random order each time a user opens an assessment questionnaire that contains the question. Answer preference can be influenced by the order in which answer options appear, which can result in biased results; randomizing answer options can help prevent this bias. This field is visible only if you select Likert scale or Choice in the Data type field.
   - Dependent plugin [Required if the Method is Script]: Plugin that contains the tables queried in the script. The system executes the metric script only if the plugin is active. The default available values are Asset Management, CMDB, Core, Cost Management, Procurement, and Software Asset Management. This field is visible only if the Method is Script. Note: If the Core default value is used, the script is always run. Note: If you are an administrator, you can add more choices of plugins to the field.
   - Scale definition: Setting that determines whether lesser or greater numerical values equate to a good score in assessment result calculations. Select Low if lesser numerical values are better, such as for a metric that measures the number of defects for a vendor. Select High if greater numerical values are better, such as for a metric that measures user satisfaction on a scale of one to five. The default value is High. This field is visible and required unless the Data type is Date, Date/Time, or String. The results for these data types are not included in results calculations.
   - Min: Lowest numerical value to be used as an answer option on assessments or as a scaled value in a scripted metric. This field is visible and required only if certain data types are selected. If the data type is Choice or Likert Scale, this field is read-only and is set automatically based on the smallest metric definition Value.
   - Max: Highest numerical value to be used as an answer option or scaled value. This field is visible and required only if certain data types are selected. If the data type is Choice or Likert Scale, this field is read-only and is set automatically based on the largest metric definition Value.
   - Script: Script that obtains the desired system information. The script has one input variable, set with the ID of the security incident (primary), and three possible output variables set by the script: string_result, scaled_result, and actual_result. When the data type is String, only the string_result is required. For more information about using this field, see Script Method. This field is visible and required when the Method is Script, or the default value comes from a script.
   - Template: A predefined set of common answers to use for the question. For example, a frequency template would likely start with a value of "Never" and go up to the top value of "Always." This field is visible and required only if the Data type is Template. Note: If another metric depends on this metric, you cannot change the template.
8. (Optional) When you have completed your entries, click Update.

# Create post incident review assignment rules

In addition to manually adding users to the post incident review assessment list for a security incident, you can define assignment rules for automatically adding users to the list.

## Before you begin

Role required: sn_si.admin, sn_si.manager, sn_si.analyst

## Procedure

1. Navigate to Security Incident > Administration > Post Incident Review Assignment.
2. Click New.
3. Fill in the fields, as needed.
   - Name: The name of this assignment rule.
   - Active: Select this check box to make the rule active.
   - Order: Enter a numerical value to specify where in the list of assignment rules this rule should appear. Lower numbers appear at the top of the list. Note: Only the first matching assignment rule is executed, and only the users defined in that rule are added to the assessment list.
   - Condition: Use the condition builder to define the conditions that must be met in the security incident for this rule to be executed. For more information, see the example below.
   - Assign to users: Click the lock icon to add users to the review list. After the field is unlocked, options are available for adding or removing multiple users, roles, or entering user email addresses.
4. Click Submit.

Example: Malicious code activity (assignment rule figure)

In the post incident review assignment rule shown here, when a security incident with the Category field set to Malicious code activity transitions to the Review state, the three users identified (who happen to be experts in dealing with malicious code activity) are added to the list of users who will receive the post incident review questionnaire for this security incident.
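The Script metric described under the Field Type tab above takes `primary` as input and sets `string_result`, `scaled_result` and `actual_result`; the following is an added example of such a script (not from the ServiceNow documentation) that totals recent outage minutes for the CIs affected by the incident, the scenario the page mentions. The table and field names `task_ci`, `ci_item`, `cmdb_ci_outage` and `duration_min`, the Min/Max values 0 and 480, and the `MockGlideRecord` stand-in are assumptions so the logic runs offline; on an instance the built-in GlideRecord and the engine-supplied `primary` are used.

```javascript
// Added example (not from the ServiceNow docs): a Post Incident Review script metric.
// On the instance the script receives `primary` (sys_id of the security incident) and
// must set string_result, scaled_result and actual_result. Table/field names are
// assumptions; MockGlideRecord is a constructed stand-in for GlideRecord.
var OUTAGE_MIN = 0, OUTAGE_MAX = 480;   // assumed Min/Max entered on the Field Type tab

// Core metric logic: sum outage minutes over the CIs linked to the incident.
function outageMetric(primary, GR) {
  var total = 0;
  var ci = new GR('task_ci');           // assumed m2m table: task -> affected CI
  ci.addQuery('task', primary);
  ci.query();
  while (ci.next()) {
    var out = new GR('cmdb_ci_outage'); // assumed outage table with duration_min per CI
    out.addQuery('cmdb_ci', ci.getValue('ci_item'));
    out.query();
    while (out.next()) total += Number(out.getValue('duration_min'));
  }
  // scaled_result is clamped into the metric's Min/Max; actual_result keeps the raw value.
  var scaled = Math.min(Math.max(total, OUTAGE_MIN), OUTAGE_MAX);
  return { actual_result: total, scaled_result: scaled, string_result: total + ' min' };
}

// Constructed in-memory GlideRecord stand-in supporting only addQuery/query/next/getValue.
function MockGlideRecord(table) {
  this.rows = MockGlideRecord.data[table] || [];
  this.filters = [];
  this.i = -1;
}
MockGlideRecord.prototype.addQuery = function (field, value) { this.filters.push([field, value]); };
MockGlideRecord.prototype.query = function () {
  var filters = this.filters;
  this.rows = this.rows.filter(function (row) {
    return filters.every(function (q) { return String(row[q[0]]) === String(q[1]); });
  });
};
MockGlideRecord.prototype.next = function () { return ++this.i < this.rows.length; };
MockGlideRecord.prototype.getValue = function (field) { return String(this.rows[this.i][field]); };
MockGlideRecord.data = {   // constructed sample data: SIR0002's outage exceeds Max
  task_ci: [{ task: 'SIR0001', ci_item: 'ci_web' }, { task: 'SIR0001', ci_item: 'ci_db' },
            { task: 'SIR0002', ci_item: 'ci_x' }],
  cmdb_ci_outage: [{ cmdb_ci: 'ci_web', duration_min: 90 }, { cmdb_ci: 'ci_db', duration_min: 45 },
                   { cmdb_ci: 'ci_x', duration_min: 600 }]
};

// On the instance this tail sets the three output variables the metric engine reads.
var result = outageMetric(typeof primary !== 'undefined' ? primary : 'SIR0001',
                          typeof GlideRecord !== 'undefined' ? GlideRecord : MockGlideRecord);
var actual_result = result.actual_result, scaled_result = result.scaled_result, string_result = result.string_result;
```

Because the metric's Data type must be Duration, Number or Percentage for the Script method, the clamped `scaled_result` is what the Scale definition (Low is better here) feeds into the result calculation.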