Incident analysis (RS.AN)
In this control family, we discuss the steps you need to take during and after an incident. These include recording all the steps taken during the incident, performing an after-action review, and preserving a chain of custody for the incident report being generated.
RS.AN-03
In this control, we are trying to determine the steps that led up to the incident. This requires creating a timeline of the incident, from when the event was determined to be an incident to the steps the IR team took to contain and eradicate it from the environment. Creating this timeline will also help us determine the root cause of the incident.
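One way to assemble such a timeline is sketched below as an added example; it is not taken from the control text or from any particular IR tool. It normalizes entries from sources in different time zones to UTC, orders them, and links them with a hash chain so that later edits to the record are detectable. The phase labels, field names, sample entries and the use of a hash chain for custody are all assumptions made for illustration.

```python
import hashlib, json
from datetime import datetime, timezone

# Constructed sample entries (not from a real incident); sources use different UTC offsets.
RAW_ENTRIES = [
    {"ts": "2024-03-04T09:41:00-05:00", "phase": "declared", "note": "IR lead declares incident"},
    {"ts": "2024-03-04T14:12:30+00:00", "phase": "detected", "note": "EDR alert on workstation"},
    {"ts": "2024-03-04T16:05:00+01:00", "phase": "contained", "note": "Host isolated from network"},
    {"ts": "2024-03-05T08:30:00+00:00", "phase": "eradicated", "note": "Host reimaged"},
]
PHASES = ["detected", "declared", "contained", "eradicated"]  # hypothetical labels

def entry_hash(entry):
    """SHA-256 over every field except the hash itself (includes prev_hash)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_timeline(raw):
    """Normalize to UTC, order chronologically, then hash-chain the entries."""
    parsed = []
    for e in raw:
        ts = datetime.fromisoformat(e["ts"])
        if ts.tzinfo is None:  # an offset-less time cannot be ordered reliably
            raise ValueError(f"timestamp without UTC offset: {e['ts']}")
        parsed.append((ts.astimezone(timezone.utc), e))
    prev, timeline = "0" * 64, []
    for ts, e in sorted(parsed, key=lambda p: p[0]):
        entry = {**e, "ts": ts.isoformat(), "prev_hash": prev}
        entry["hash"] = prev = entry_hash(entry)
        timeline.append(entry)
    return timeline

def verify_chain(timeline):
    """Return the index of the first altered or reordered entry, or None."""
    prev = "0" * 64
    for i, e in enumerate(timeline):
        if e["prev_hash"] != prev or e["hash"] != entry_hash(e):
            return i
        prev = e["hash"]
    return None

def phase_intervals(timeline):
    """Seconds between the first entry of each phase, in PHASES order."""
    first = {}
    for e in timeline:
        first.setdefault(e["phase"], datetime.fromisoformat(e["ts"]))
    seen = [p for p in PHASES if p in first]
    return {f"{a}->{b}": (first[b] - first[a]).total_seconds()
            for a, b in zip(seen, seen[1:])}
```

The intervals show how long each stage took, which feeds the after-action review; a non-`None` result from `verify_chain` means the record was changed after it was built.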
When developing the timeline, take into account the decisions that led to treating the event as an incident. There was a decision that was made to enact...