During a weekend ransomware attack, multiple file servers and an on-prem email cluster were encrypted. By Monday morning, operations are partially restored, and you, as the incident response lead, must submit an executive-level incident report before senior management meets with regulators. The vice president of legal says the board needs to "clearly understand how far the attackers got" before deciding on public disclosure. Given this objective, which single section of the report deserves the greatest level of detail to communicate the incident's scope?
Root cause analysis outlining the initial compromise vector
Chronological timeline of containment and recovery actions
Inventory of affected systems, data classifications, and business processes
Mean time to detect and mean time to respond metrics for the incident
A comprehensive inventory of the affected systems, data classifications, and business processes is the clearest way to convey the breach's scope. Listing every compromised server, application, and dataset shows how deeply the attacker penetrated, the sensitivity of the information at risk, and which business units are impacted. Root-cause details, containment timelines, and MTTR/MTTD metrics are valuable, but they describe how or when the incident happened and how quickly you reacted, not the breadth of what was actually compromised.