Help Center/ Well-Architected Framework/ Well-Architected Framework and Practices/ Security Pillar/ Security Operations/ SEC10 Security Incident Response/ SEC10-05 Establishing a Review Mechanism
Updated on 2025-05-22 GMT+08:00
View PDF
Share

SEC10-05 Establishing a Review Mechanism

It helps the team learn from past security incidents and improve future security measures.

  • Risk level

    Medium

  • Key strategies
    1. Determine the purpose: It is important to specify the purpose before the review. Determine what you want to learn from this security incident and how to improve future security measures.
    2. Collect facts and data: Collect all information and data related to the security incident. Use the 5W2H method to sort out the incident, including the time, place, owner, process, cause, and impact of the incident.
    3. Set up a review team: Invite related team members and stakeholders to participate in the review. Ensure that representatives of all key domains are covered, such as technical personnel and security operations personnel.
    4. Analyze the root cause: Trace the event result to analyze the root cause of the event. Ask "why" more often to find out the root cause of the event. This helps to avoid similar events in the future.
    5. Identify errors and deficiencies: Identify errors and deficiencies that occur during security incidents. This includes technologies, processes, and personnel.
    6. Develop improvement measures: Develop specific improvement measures and action plans based on the review results. These measures include people, processes, and technologies. Ensure that these measures are feasible, specific, and can effectively solve problems.
    7. Implement improvement measures: Implement the improvement measures and monitor the implementation. Ensure that all relevant personnel understand and comply with these improvement measures.
    8. Regular review and update: Regularly review the results and the implementation of improvement measures, and update and adjust them as required. Continuous improvement is a lasting process.
    9. Documentation and sharing: The review results and improvement measures are recorded and shared within the team. This helps ensure that everyone can learn from it and avoid similar errors from happening again.
    10. Training and awareness improvement: Ensure that team members understand the importance of security incident review and are able to actively participate in the review.