Remediation
The remediation phase marks the return from reduced to full functionality. The quick fix applied during mitigation often leaves the system with no functionality or only partial functionality. The final fix in the remediation phase often coincides with the return to full functionality.
The remediation phase also includes the actions necessary to address damages resulting from the incident. These could be monetary fees or settlements paid to regulators or affected entities, or efforts made to assuage or compensate those entities.
Lessons Learned
The final phase of the process reviews everything to see how the IR processes could be improved. This may sound a lot like the root-cause analysis discussed in the previous step. However, in this phase the organization should review not the incident itself but the organization’s response to the incident, to determine whether there is some way to improve the IR capability, plan, or procedures.
Go through each of the incident management steps and question and critique everything. Every improvement gleaned from this step will reduce the likelihood or impact of future incidents. Metrics should also be gathered where possible to compare to other incidents. Costs and response times for each task are examples of useful incident metrics.
The intent is to illustrate that all parts can and should be questioned and to provide ideas to get started. Most importantly, make sure all of these considerations are incorporated into updated IR procedures, training, and testing. In addition, the sensitive details of specific incidents could be sanitized, and lessons learned can be presented in user awareness training to show end users how to help avoid future incidents.