SSCP Post-Mortem Review Meeting | Timing and Importance

Post-Mortem Review Meeting

Question

When should a post-mortem review meeting be held after an intrusion has been properly taken care of?

Answers

Explanations

A. B. C. D.

D.

A post-mortem review meeting should be held with all involved parties within three to five working days of completing the investigation of the intrusion.

Otherwise, participants are likely to forget critical information.

Even if waiting enabled an organization to validate the correctness of its chain of custody of evidence, it would not make sense to wait until prosecution is complete, because that would take too much time and many cases of intrusion never get to court anyway.

Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (page 297).

A post-mortem review meeting is typically held after a security incident has been successfully resolved. The purpose of this meeting is to review the incident, identify any weaknesses in the security system or procedures, and develop recommendations for improving security and preventing similar incidents in the future.

Of the options provided, option D is the most appropriate answer. The post-mortem review meeting should be held within the first week of completing the investigation of the intrusion. This is because the incident will still be fresh in the minds of those involved, and it is important to identify and address any weaknesses in the security system or procedures as soon as possible. Waiting too long can lead to important details being forgotten or overlooked.

Option A is too vague and does not provide a specific timeline for the post-mortem review meeting. Waiting three months after the investigation is completed may be too long and could allow for similar incidents to occur in the meantime.

Option B is also not ideal, as the prosecution of intruders is not always possible, and even if successful, it may take longer than a week to complete. Additionally, the focus of the post-mortem review meeting should be on improving security and preventing future incidents, rather than on the outcome of the legal process.

Option C is closer to the correct answer than option A, but still does not provide as specific a timeline as option D. Waiting a month after the investigation is completed may be too long, and important details may be forgotten or overlooked by that point.

In summary, the best answer is D. A post-mortem review meeting should be held within the first week of completing the investigation of the intrusion to ensure that any weaknesses in the security system or procedures are identified and addressed as soon as possible.