9. Explain the structure of an incident post mortem (AC 3.2)

I will be using "LEARNING LESSONS FROM THE CYBER-ATTACK: British Library cyber incident review" as my example for the structure. This document has 6 sections plus an Executive Summary. (BL = British Library.)

Executive Summary

The executive summary is split into 14 paragraphs, each giving an overview of the main points in the document. It aims to condense the nearly 20-page document into a 2-page summary. What does it say? The first paragraph is a brief overview of the attack on the British Library; the next ones cover the timing and methods of the attack, the crisis response and internal communication; and the last paragraph is about lessons learned and recommendations.

Section One - Causality - Understanding the attack

This part focuses on the context, outlining when it happened and what happened. They provide a detailed timeline graph of the escalation process and key actions. It goes into detail on when exactly the attackers gained entry and how the entry was gained. It continues with details about the copying and compromising of BL data. Next on the agenda is an explanation of the attack methodology of the ransomware group called Rhysida. Lastly it goes over BL's ransom payment policy: a publicly-funded institution such as BL will never pay a ransom. This also serves as a deterrent for any future ransomware attacks.

Section Two - Impact

This section focuses on the impact of the incident, explaining how it affected people as well as systems. It details that users, staff and key stakeholders of BL were almost all affected by the cyber attack. They managed to keep the library open, but the services on offer were severely restricted in the first two months. A few key software systems, including the library management system, couldn't be brought back in the same form they were in before. Core email, finance, HR, security and payroll systems are cloud-based, so they remained mostly unaffected by the incident.

It has a paragraph about calculating the cost, but doesn't actually mention any figures, only that an investment will be brought forward and that additional funding will go towards IT costs.

Section Three - Crisis response and recovery

This section is about how BL reacted and what the first few moves were. The BL activated its major crisis management plans and involved the Gold and Silver committees. These included senior technical staff, independent cyber-security advisors, the Library's statutory Data Protection Officer and members of senior management. The library also received support from the Department for Digital, Culture, Media and Sport (DCMS), including their specialist cyber team. It goes on to explain how other departments and the NCSC helped in keeping users, staff and stakeholders updated without sharing details that would aid the attackers. A Rebuild & Renew Programme has now been established. The report outlines all the different aspects of this big project: funding, the committees involved, areas of importance and, most importantly, how to build systems that are more resilient to cyber attacks.

Section Four - Technology infrastructure

This section explains that BL's particularly complex and old-fashioned infrastructure contributed to the severity of the impact of the attack. The next part of this section is Post-Attack, where they explain how this "substantial disruption has created an opportunity to implement a significant number of changes to policy, processes, and technology that will address structural issues in way that would previously have been too disruptive to countenance". It goes on to detail all the new features of the renewed infrastructure, including things like Multi-Factor Authentication and similar.

Section Five - Future risk assessment

This short section (only 1 page) is, to put it bluntly, about BL's fears. They go over all the potential risks that may arise now that the attack has happened and the possible solutions they have implemented to stay safe.

Section Six - Learning lessons from the attack

The final section of the document has 16 points on what they call Sector-wide Lessons, as in their mind these apply to similar institutions in the DCMS family and the wider sector. In my mind, all 16 points will undoubtedly lead to a very secure organisation, regardless of size or sector. Some of the points are: enhance network monitoring capabilities, fully implement multi-factor authentication, and cyber-risk awareness and expertise at senior level.

Post-mortems don't have a formal structure that organisations need to follow. What's important is that every organisation instead sets its own parameters for what a post-mortem should look like and sticks to them. Consistency of post-mortems is key.
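One practical way to get the consistency the last paragraph asks for is to write the organisation's chosen structure down and check every post-mortem against it mechanically. The script below is an added example and is not part of the British Library review or of any tool it mentions; the heading convention (a section is a line starting with "# "), the required section list (modelled on the order of the BL review) and the sample documents with their placeholder dates are all constructed for illustration. It checks that every required section is present, that the sections appear in the agreed order, and that the causality section actually contains dated timeline entries rather than just prose.

```python
"""Lint an incident post-mortem against an organisation's own section template.

Added example, not from the British Library review. The template, the heading
convention and the sample documents below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed template: the section order of the BL review, written down as
# this (hypothetical) organisation's required post-mortem structure.
REQUIRED_SECTIONS = [
    "Executive Summary",
    "Causality",
    "Impact",
    "Crisis response and recovery",
    "Technology infrastructure",
    "Future risk assessment",
    "Learning lessons",
]

# A heading is a line beginning with "# " (constructed convention).
HEADING_RE = re.compile(r"^#\s+(.*\S)\s*$")
# A timeline entry starts with an ISO date and optional HH:MM time.
TIMESTAMP_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}(?:[ T]\d{2}:\d{2})?\b")


@dataclass
class LintResult:
    missing: list = field(default_factory=list)        # required sections not found
    out_of_order: list = field(default_factory=list)   # (earlier, later) pairs swapped
    timeline_entries: int = 0                          # dated lines in the causality section

    @property
    def ok(self) -> bool:
        return not self.missing and not self.out_of_order and self.timeline_entries > 0


def parse_sections(text: str) -> list:
    """Split the document into an ordered list of (title, body_lines)."""
    sections, title, body = [], None, []
    for line in text.splitlines():
        m = HEADING_RE.match(line)
        if m:
            if title is not None:
                sections.append((title, body))
            title, body = m.group(1), []
        elif title is not None:
            body.append(line)
    if title is not None:
        sections.append((title, body))
    return sections


def lint(text: str, required=REQUIRED_SECTIONS, timeline_section="Causality") -> LintResult:
    """Check presence, order and timeline content of the required sections."""
    sections = parse_sections(text)
    titles = [t for t, _ in sections]
    result = LintResult()

    def find(req: str):
        # Prefix match so "Causality - Understanding the attack" satisfies "Causality".
        for i, t in enumerate(titles):
            if t.lower().startswith(req.lower()):
                return i
        return None

    positions = []
    for req in required:
        idx = find(req)
        if idx is None:
            result.missing.append(req)
        else:
            positions.append((req, idx))

    # Required sections that were found must appear in the template's order.
    for (a, ia), (b, ib) in zip(positions, positions[1:]):
        if ib < ia:
            result.out_of_order.append((a, b))

    # The causality section must carry real dated entries, not just narrative.
    for t, body in sections:
        if t.lower().startswith(timeline_section.lower()):
            result.timeline_entries += sum(1 for line in body if TIMESTAMP_RE.search(line))
    return result


# Constructed sample documents; the dates are placeholders, not real incident times.
GOOD_DOC = """# Executive Summary
Short overview of the incident (constructed sample).
# Causality - Understanding the attack
2000-01-01 09:00 Initial access observed (placeholder entry).
2000-01-02 14:30 Data copied out of the environment (placeholder entry).
# Impact
Services restricted for several weeks.
# Crisis response and recovery
Crisis plan activated.
# Technology infrastructure
Legacy infrastructure increased the severity.
# Future risk assessment
Residual risks and mitigations.
# Learning lessons from the attack
Sector-wide lessons.
"""

BAD_DOC = """# Executive Summary
Overview.
# Causality
The attackers got in and copied data.
# Crisis response and recovery
Crisis plan activated.
# Impact
Services restricted.
# Technology infrastructure
Legacy systems.
# Learning lessons from the attack
Lessons.
"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        r = lint(doc)
        print(f"{name}: ok={r.ok} missing={r.missing} "
              f"out_of_order={r.out_of_order} timeline_entries={r.timeline_entries}")
```

Running it reports the good document as conforming and flags the bad one for a missing "Future risk assessment" section, the Impact and Crisis response sections being swapped, and a causality section with no dated timeline entries. A check like this can sit in the review step of the post-mortem process, so that structure is enforced rather than merely agreed.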
