Research, ideas, and leadership for a more secure, peaceful world

Reports & Papers

How to Stand Up a Major Cyber Incident Investigations Board

Download
Published: June 2022

Author
Victoria Ontiveros

Author
Tarah Wheeler

Author
Adam Shostack

Related Programs

Photo of the inside of a computers seen on Feb 23, 2019, in Jersey City, N.J. A global computer chip shortage has made it harder for consumers to get their hands on cars, computers and other modern-day necessities. 
The inside of a computer is seen on Feb 23, 2019, in Jersey City, N.J. A global computer chip shortage has made it harder for consumers to get their hands on cars, computers and other modern-day necessities. 

A Guide for Independent Organizations and State and Local Governments to Develop a Sustainable Mechanism for Investigating and Drawing Lessons-Learned from Cyber Incidents Both in the Immediate Aftermath of a Cyber Incident and Long-Term

Introduction

The goal of this document is to provide guidance for any organization that wishes to set up an independent cyber incident review board. The document serves as a blueprint for an independent review board which may be needed by private or public organizations, such as municipalities, counties, hospitals, utilities, or other organizations that anticipate experiencing cyberattacks and wish to maximize their learning from them. We offer considerations and analysis throughout the document to present alternative options and insights. An organization such as a think tank, local or federal government agency, university, or other non-profit organization may also set up a MCIIB. Such a Board would conduct investigations of major cybersecurity incidents and deliver a report outlining the sequence of events, contributing factors, and recommendations for security practices.

There are three major stages of an investigation: Opening, Technical Investigation, and Board Review.

This document explains how to stand up a board, the tradeoffs which can be made, and the effects of those tradeoffs. We are also aware that investigations are often triggered by crises, and thread guidance for that scenario throughout the document.

See the attached PDF for the complete paper.

The latest from Belfer
See more
Recommended citation

Ontiveros, Victoria, Tarah Wheeler and Adam Shostack. “How to Stand Up a Major Cyber Incident Investigations Board.” June 2022

Up Next
Network engineer, motherboard and server room for internet infrastructure and lights of computer. Hands, IT support and cybersecurity with neon, software and company information for cloud computing
Reports & Papers

Cybersecurity Strategy Scorecard

by Fred Heiding, Alex O'Neill and Lachlan Price

From Defense, Emerging Technology, and Strategy