10.6. Reporting the Incident

The last part of the incident response plan is reporting the incident. The security team should take notes as the response is happening and report all issues to organizations such as local and federal authorities or multi-vendor software vulnerability portals, such as the Common Vulnerabilities and Exposures site (CVE) at http://cve.mitre.org/. Depending on the type of legal counsel an enterprise employs, a post-mortem analysis may be required. Even if it is not a functional requirement to a compromise analysis, a post-mortem can prove invaluable in helping to learn how a cracker thinks and how the systems are structured so that future compromises can be prevented.