10.6. Reporting the Incident

The last part of the incident response plan is reporting the incident. The security team should take notes as the response is happening to properly report the issue to organizations such as local and federal authorities, or multi-vendor software vulnerability portals, such as the Common Vulnerabilities and Exposures site (CVE) at http://cve.mitre.org. Depending on the type of legal counsel your enterprise employs, a post-mortem analysis may be required. Even if it is not a functional requirement to a compromise analysis, a post-mortem can prove invaluable in helping to learn how a cracker thinks and how your systems are structured so that future compromises can be prevented.