Post-incident review
The purpose of this stage is to evaluate the effectiveness of the incident response and management, identify lessons learned, and implement improvements that reduce the likelihood and impact of future incidents.
To ensure good practice you should:
- be open and honest in the review, focusing on learning and not blame
- involve a wide enough group, such as SLT, service providers or representatives from staff and legal guardians, to gain varied perspectives rather than just a cyber security view
- use a consistent structure or template for all incident reviews
- track completion of follow-up actions in a central place such as a risk register or improvement log
- consider running simulations or training to address identified gaps
Objectives
The main objectives are to:
- understand what happened and why
- evaluate what worked well and what did not
- improve incident response and management processes
- update documentation, plans, and training as needed, including the cyber risk assessment
- demonstrate accountability and continuous improvement
Roles and responsibilities
The roles and responsibilities are:
- SLT digital lead: leads the review process and ensures strategic and procedural issues are addressed
- incident response lead or technical team: provides insight into the root cause and the technical effectiveness of the response
- DPO and SLT: contribute to policy and communication-related improvements
Generic post-incident review actions
Schedule post-incident review meeting
This should include other SLT, the headteacher or principal, and governors or trustees.
Aim to hold the meeting within 5 to 10 working days of incident closure (normally at the completion of the recovery phase).
Collate incident logs and evidence
Your cyber recovery team, IT support, and SLT digital lead should collate logs and evidence, including timelines, response steps and communication logs.
Facilitate lessons learned session
SLT digital lead and the incident response lead should facilitate a lessons-learned session. Include all relevant internal stakeholders such as IT, SLT and DPO.
Document root cause and contributing factors
The incident response lead and IT team should use available technical and procedural evidence to document the causes and contributing factors to the incident.
Assess timeline of detection, escalation, containment, and recovery
The SLT digital lead and cyber recovery team should assess the timeline and identify any delays or inefficiencies.
Review communications
The SLT digital lead, DPO, SLT, and headteacher or principal should evaluate the effectiveness of internal and external messages.
Identify any policy or procedure gaps
The SLT digital lead, SLT and cyber recovery team identify gaps in policy or procedure. For staff, technical teams, or leadership, these gaps typically relate to cyber security training or awareness (including incident planning), but may also affect broader areas such as IT training.
Write up formal incident review report
The SLT digital lead, incident response lead and DPO write up the report. This should be tailored to the SLT or the requesting party and must include:
- timeline
- impacts
- lessons learned
- recommendations
The content should be appropriate to the school and to the nature and severity of the incident.
Present report to leadership or governing body
If the incident was high impact or externally reportable, the headteacher and SLT digital lead should present the report to leadership or the governing body.
Implement agreed follow-up actions
The SLT digital lead, cyber recovery team, and other stakeholders set deadlines and assign responsibility for implementing the agreed follow-up actions.
Update the Cyber Security Incident Response and playbooks
If required, the SLT digital lead and incident response lead should update the cyber security incident response and playbooks to make sure future incidents benefit from the review.
Review report components
As a minimum, the SLT digital lead will collate a report for the SLT. However, if the nature or severity of the incident warrants it, there may be additional requirements and statutory responsibilities to report the incident to other parties. These could include:
- IT support
- DfE
- NCSC
- ICO
- local authority
The post-incident review report should contain:
- incident summary and timeline
- impact assessment such as data, services, and people
- root cause and contributing factors
- actions taken during incident response stages
- effectiveness of communications and decision-making
- lessons learned
- recommendations for changes such as processes, policies, training and technical controls
- assigned follow-up actions with owners and deadlines
Record keeping
You should keep the following records:
- completed post-incident review report
- updated incident response and incident management policies and procedures
- action tracker or improvement log
- evidence of appropriate briefings such as events informing staff, legal guardians and learners about the incident or the cyber recovery team briefing SLT on response effectiveness
- evidence of communications, training or other actions delivered post-incident
Recording these demonstrates your school took appropriate action. This could be needed for compliance with cyber security standards, as well as evidence in legal or regulatory proceedings.