Get startedGet started for free

Elements of successful documentation

1. Elements of successful documentation

In cloud security, recording your findings is just as important as actually responding to an issue or incident. When you document and communicate your findings, you help others understand the security situation. In this video, you’ll learn more about documentation fundamentals, the important elements of documents, and useful information to include. You’ll also consider a few tips to help you write clear and impactful documents. Impactful documentation plays a huge role in incident management and investigation. Documentation helps to improve communication with your team, encourages accurate decision-making, and supports the continuous improvement of your organization. To have impact, documentation must be accurate, clear, consistent, and timely. Documentation with these qualities is foundational to the incident management process. Although documentation can take many forms, there are specific elements that help security operations teams respond to incidents. Those elements are incident summaries, timelines, technical findings, actions taken, lessons learned, and recommendations for improvement. Not every document has all of these elements, but security operations teams do consider all of these elements during the incident response and management process. Now, let’s review each element and uncover why they’re a part of the incident response process. The incident summary is where you include a quick overview of the incident, including information about how the incident occurred, its severity, and any other relevant context. The incident summary exists so a security operations professional can quickly learn the highlights of an incident and focus on what’s important. After the summary in a document, there’s typically a section with details about the evidence that prompted the incident response process. This detailed information provides context and understanding of why the incident occurred. This information includes a timeline of events and any technical findings. Examples of technical findings include information such as misconfigurations of cloud settings; evidence of impact, like security logs, system logs, or artifacts; and evidence of a security breach, also known as indicators of compromise. After the timeline and technical findings have been presented, the next documentation element typically describes the team’s actions. This is an opportunity for the team to document what they did to mitigate the damage caused by the incident, and provide lessons learned for the future. When describing the team’s actions, pre-defined processes or automated responses, also known as playbooks, are included in the document. Incident documentation typically ends with lessons learned from the security incident, and what should be done so it doesn’t happen again. To document lessons learned, the team would have reviewed the incident to understand and record what went well and what caused the incident. Then, based on their review, the team suggests actions to take that will lead to future improvements. Now that you understand documentation elements, here are some tips to keep in mind when you work on incident response documentation. You should provide actionable information. To do that, use clear, concise, and objective language. By writing objectively and using unbiased information, you can ensure the documentation is an accurate resource for the team. Another tip is to maintain a consistent format and structure across all documents. This ensures the documents are easier for all team members to understand. When working through an incident, it’s important to encourage collaboration and communication with your team. You should use consistent language, set clear expectations, and communicate in secure collaboration spaces. And finally, you need to store information in a secure location. This ensures the integrity of your documentation. With these documentation elements and best practices, you’ll be well on your way to creating comprehensive and impactful documentation for your security operations incident investigations.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.