This activity describes the quality review that is conducted for past security incidents. This procedure ensures high quality standards across the security incident response lifecycle.
The quality review considers the completeness of procedure execution, the completeness of captured evidence, the coherency of drawn conclusions, the effectiveness and proportionality of deployed mitigation measures, the communication about the security incident, and the involvement of relevant stakeholders and partner teams. Further, insights from the quality review provide inputs for the continuous improvement process.
The procedure is typically performed by SOC staff with seniority over the security incident owner. If the SOC (or CSIRT) is staffed with very experienced incident handlers, the quality review may instead be conducted as a peer review.