Cybersecurity incident lessons-learned activities are performed and corrective actions are taken, including updates to the incident response plan
Context and Guidance: Define and implement activities for collecting lessons-learned input from incident response participants after significant incidents, such as hotwash sessions or submission of comments on a team wiki. Participants could provide feedback about how well the incident response plan was followed, any shortcomings in needed resources, and, overall, which incident response actions worked well and which didn’t. Make updates to the incident response plan based on lessons learned where appropriate. Note that the term lessons learned is used in the common, general sense and not as related to definitions used in any specific regulation or guideline.
Related Practices • Progression: This practice is part of multiple practice progressions. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in the first progression include: RESPONSE-3a, RESPONSE-3d, RESPONSE-3f, RESPONSE-3g, RESPONSE-3h, RESPONSE-3i. • The practices in the second progression include: RESPONSE-3b, RESPONSE-3e, RESPONSE-3h, RESPONSE-3i, RESPONSE-3l.