π¨Incident Response Management
π§ Planning:
Assessed the organization’s incident response process as part of an overall cybersecurity and ITGC audit. Focus was placed on incident detection, classification, escalation, documentation, and closure timelines. Special attention was given to alignment with NIST IR and internal policies.
π― Objectives:
-
Confirm incident response procedures are formally defined and followed
-
Evaluate detection, classification, and escalation processes
-
Verify timely response and root cause analysis for security events
-
Assess documentation quality and post-incident review practices
π Procedures:
-
Reviewed incident response policy and documented playbooks
-
Sampled 10 incident tickets across different severity levels
-
Verified classification, impact analysis, and containment steps
-
Examined root cause reports and lessons learned documentation
-
Assessed timelines against internal SLAs
π Working Papers:
-
WP-ITGC-IR001: Incident handling and response process review
-
Incident ticket exports, RCA templates, escalation paths
π Findings:
-
β 3 incidents lacked documented root cause analysis
-
β One high-severity incident was not escalated according to procedure
-
β οΈ No post-incident reviews conducted for 2 medium-severity incidents
-
β οΈ Inconsistent timestamp entries in incident logs
π§° Tools Used:
SIEM (Sentinel), ticketing system (ServiceNow), incident management policy, Excel
β Recommendations:
-
Mandate RCA and closure reports for all moderate and high-severity incidents
-
Update escalation procedures and reinforce training for first responders
-
Standardize post-incident review process with assigned owners
-
Improve timestamp logging through automated tracking tools
