Skip to content
Log in

Post-incident activity

Definition

The NIST SP 800-61 label for the final phase of the incident response lifecycle. It encompasses evidence retention, lessons-learned meetings, and the translation of findings into documented improvements to the IR plan, policies, and controls.

Related terms

Action item
A specific, time-bound improvement task generated by a post-incident finding. An action item has a named owner, a target completion date, a...
Blameless post-mortem
A cultural approach to post-incident review, popularised in site reliability engineering, in which the analysis focuses on systemic and process failures rather...
Lessons-learned register
A persistent record, maintained by the security programme, that links each post-incident action item to the originating incident, tracks its status, and...
Root-cause analysis (RCA)
A structured method for identifying the underlying systemic cause of a failure rather than its immediate trigger. Common techniques in incident review...
Timeline reconstruction
The process of ordering digital events from multiple sources into a single chronological account. Requires normalising all timestamps to a common reference...

Explained in

  • Post-Incident Review and Lessons LearnedThe NIST SP 800-61 label for the final phase of the incident response lifecycle. It encompasses evidence retention, lessons-learned meetings, and the translati...

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.

Continue learningCreate Your Account