Writing the Incident Report

An incident response team functions in much the same way that a fire department does. Both teams take time to prepare themselves with training on their respective techniques, tools, and practices, and they can respond at a moment's notice to a fire or an incident. During their response to a fire, the firefighters take notes and record their actions, ensuring that critical decisions are documented and that individual contributions are noted. Once the fire is out, they sift through the debris to determine what the causes and origins of the fire were. Once the proper documentation has been prepared, the fire department conducts an after-action review in order to critique their performance and find avenues for improvement. Other reports allow fire departments and safety experts to update building codes and improve the survival of structures should a fire break out.

Incident response teams utilize much of the same workflow. During an incident, notes are taken and actions recorded. Evidence is obtained from systems and maintained in a forensically sound manner. A root cause analysis is conducted utilizing the notes, observations, and evidence obtained during the incident. This root cause analysis is utilized by information technology personnel to patch up vulnerabilities and further harden systems. Finally, the team conducts its own after-action review where the series of events is laid out and critiqued so that the team may improve their processes, their tools, and their techniques, as well as making any corrections to the incident response plan.

To maximize the benefits of the root cause analysis and after-action brief, incident responders will need to ensure that all of their actions are recorded in the proper fashion. They will also be required to prepare several documents that senior leaders and decision makers will use when considering the future state of the IT infrastructure. To better prepare responders to craft the necessary documentation, the following topics will be addressed:

  • Documentation overview: This overview will cover the various elements of preparing reports, including what data to capture, the audience that will review the reports, and the sources that responders can draw upon in crafting incident documentation.
  • Incident tracking: For organizations that conduct a routine response to incidents, tracking software is useful in capturing actions and relevant data. In this case, the Fast Incident Response (FIR) tracking system will be explored.
  • Written reports: Depending on the severity or complexity of an incident, a written report will be prepared. By crafting a well-written and thoughtful report to senior managers and external stakeholders, incident responders can provide these key decision makers with an accurate picture of what happened and how to prevent it in the future.