After Action Review (AAR) Template
Focus: Highlighting and tracking improvement ideas and tasks derived from the incident using the 5 Why’s model to identify root causes and solutions.
1. Incident Summary
Purpose: Briefly summarize the incident (e.g., type, impact, and resolution). Avoid detailed technical descriptions.
Example:
Incident Type: Phishing attack.
Impact: Unauthorized access to a user’s email account.
Resolution: Account access revoked, credentials reset, and communication logs reviewed.
2. Root Cause Analysis Using the 5 Why’s
Purpose: Understand the underlying causes of the incident to inform effective improvement actions.
Question | Response
--- | ---
Why did the incident occur? | A user clicked a malicious link in a phishing email.
Why did the user click the link? | The email appeared legitimate and mimicked an internal request.
Why did the email bypass filters? | The email filters lacked rules for detecting this specific pattern.
Why were the filters insufficient? | Rules were not updated to address evolving phishing tactics.
Why were updates not made? | There is no process for routinely reviewing and updating filters.
3. Improvement Areas
A. Improved Security Controls
Goal: Identify and track actionable security control enhancements to prevent or detect similar incidents in the future.
Improvement Idea | Root Cause (5 Why’s) | Owner | Priority | Target Completion Date | Status
--- | --- | --- | --- | --- | ---
Enhance email filtering systems | Filters not updated to detect evolving phishing tactics. | IT Security | High | [Insert Date] | [Open/In Progress/Completed]
Deploy AI-based threat detection | Lack of advanced detection for phishing anomalies. | IT Security | Medium | [Insert Date] | [Open/In Progress/Completed]
B. Process Improvements
Goal: Refine response processes, including technical implementations, personnel training, and procedural updates.
Improvement Area | Root Cause (5 Why’s) | Owner | Priority | Target Completion Date | Status
--- | --- | --- | --- | --- | ---
Regularly update email filters | No process for filter updates. | Incident Manager | High | [Insert Date] | [Open/In Progress/Completed]
Conduct phishing simulation training | Users not trained to recognize phishing emails. | Training Team | Medium | [Insert Date] | [Open/In Progress/Completed]
Automate response for suspicious emails | No automated systems to quarantine threats. | Automation Lead | High | [Insert Date] | [Open/In Progress/Completed]
4. Task Tracking Overview
Purpose: Consolidate all identified improvements and tasks into a clear action plan.
Task | Improvement Area | Root Cause (5 Why’s) | Owner | Priority | Target Completion Date | Status
--- | --- | --- | --- | --- | --- | ---
[Task Name] | [Security Control/Process Area] | [Root Cause Description] | [Owner Name] | [Priority] | [Date] | [Status]
5. Lessons Learned
Purpose: Document key takeaways to inform future practices.
What worked well:
Example: Quick containment of the incident by the IT team.
Areas for improvement:
Example: The need for more robust phishing awareness training.
6. Review and Next Steps
Next Steps: Summarize the immediate actions required to address the identified improvement areas.
Follow-Up Date: [Insert Date for Follow-Up Review]
Comments