It is easy for miscommunication to happen after a data breach. There could be many people working on the incident and those people may document differently and without guidance, critical facts could be lost due to inconsistent or ineffectual documentation procedures. This can make it difficult for incident response teams to understand the relevant facts of the matter. Here are some guidelines for documenting a breach.
It can be very helpful to start with a timeline. Discuss the incident with those who first noticed it and those who validated that there was an incident. Put the time of the reported incident and the validation on the sheet and then add the events that led up to the incident. Keep adding events to the timeline as you progress and this will help show the incident flow and help you determine the cause and effect of the incident. Review the timeline with the incident response team and receive feedback. The timeline can be used similarly to a murder board in a police investigation. Post the known facts and their times on the wall in the incident briefing room and then tack on new facts to it as you progress. You can do this digitally as well if the team is not all in one place.
Next, record the facts only. Don’t let personal opinions creep into the log. Documented assumptions can lead the incident response team in the wrong direction. They can also be detrimental if legal action is taken as part of the investigation as these documents could be part of the discovery process.
The National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide suggests that teams should have a person designated as the documenter while another person performs tasks so that the critical facts are not left out.
Lastly, don’t jump to conclusions. There could be many explanations given the available data so care must be taken to eliminate available options. Determine what data you will need to eliminate an option and then seek that out. Keep track of the possible scenarios and their underlying criteria and whether those criteria have been proved or disproved.