One final consideration when preparing documentation is who will read an incident report versus a detailed forensic report. In general, the following are some of the personnel both internal and external to an organization that may read the reports associated with an incident:

• Executives: High-profile incidents may bring the attention of the CEO or CFO, especially if they involve the media. The executive summary may suffice, but do not be surprised if the senior leadership requires a more detailed report and briefing during and at the conclusion of an incident.
• Information technology personnel: These individuals may be the most interested in what the incident response analysts have found. Most likely, they will review the root cause analysis and remediation recommendations very seriously.
• Legal: In the event that a lawsuit or other legal action is anticipated, the legal department will be examining the incident report to determine if there are any gaps in security or the relevant procedures for clarification. Do not be surprised if revisions have to be made.
• Marketing: Marketing may need to review either the executive summary or the incident report to craft a message to customers in the event of an external data breach.
• Regulators: In regulated industries, such as healthcare and financial institutions, regulators will often review an incident report to determine if there is potential liability on the part of the organization. Fines may be assessed based upon the number of confidential records that have been breached, or if it appears that the organization was negligent.
• Law enforcement: Some incidents require law enforcement to become involved. In these cases, law enforcement agencies may require copies of incident and forensics reports for review.
• Outside support: There are some instances where the need to bring in outside forensics or incident response support becomes necessary. The existing reports would go a long way in bringing these individuals up to speed.

Understanding the audience gives incident response analysts an idea of who will be reading them. Understand that the report needs to be clear and concise. In addition, technical details may require some clarification for those in the audience that do not have the requisite knowledge or experience.