If you've already restored the system, what damage
is there to control? Well, the aftermath, primarily. You need to
follow through on any untoward consequences of the break-in. For
instance, was proprietary information copied? If so, you need to
notify your legal counsel and consider what to do.
You should determine which of the following concerns need
to be addressed:
Do you need to file a formal report
with law enforcement?
Do you need to file a formal report with a regulatory
Do you need to file an insurance claim for downtime,
use of hot spares, etc?
Do you need to institute disciplinary or dismissal
actions against one or more employees?
Do you need to file a report/request with
Do you need to update your disaster recovery plan
to account for changes or experiences in this instance?
Do you need to investigate and fix the software
or configuration of any other systems under your control, or at
any affiliated sites? That is, has this incident exposed a vulnerability
elsewhere in your organization?
Do you need to update employee training to forestall
any future incidents of this type?
Do you need to have your public relations office
issue a formal report (inside or outside) about this incident?
The answers to the above questions will vary from situation
to situation and incident to incident. We'll cover a few
of them in more detail in succeeding chapters.