When assembling an incident response team, it’s worth including someone whose job is to take notes. It might seem like a small point, but it’s a big help for communicating during a breach, and learning lessons afterwards.

Maybe it’s because I write things down for a living, but for me, that was one of the key takeaways from Brian Honan’s presentation at Dublin Information Sec 2018 this week. “Have someone on your team who is a scribe, who will take notes of timelines, of who did what, and who will brief senior management about what’s happening,” he said.

All the president’s men

Brian made the remarks during a presentation about how to manage data breaches in light of GDPR’s stringent reporting regime. Organisations that suffer a breach involving personal data must report it to the designated data protection authority within 72 hours. Such a tight timeframe puts incredible pressure on incident response teams. It’s important to plan ahead, and identify the key roles and responsibilities in advance. The team could include specialists in data protection, information security, operations, human resources, legal, public relations and facilities management.

The designated note-taker can be an invaluable buffer between the technical teams scrambling to investigate the incident, and management who will want regular progress reports. Without that buffer, the need for regular updates might distract the investigation team from their work. Accurate notes can form the basis of open communication to an organisation’s staff, customers, media or other stakeholders. “Communicate throughout every part of this process,” Brian said.

Total recall

Having contemporaneous notes also provides a valuable record for when it’s time to take a fresh look at what happened. “Always review and measure, see where you can improve and how you can make things better,” Brian said.

He recommended conducting a review within 24 hours of an incident. That’s the ideal timeframe because memories fade – we’re only human after all. The longer the time lag between the incident and the review, the less reliable everyone’s recollection will be. But if the review stage is postponed for any reason, good notes are the next best thing.