According to the CyberOps Technologies (CBRFIR) 300-215 study guide, during the post-incident

activity phase, it is critical to analyze lessons learned and update processes to ensure quicker and

more efficient response in the future. Specifically:

Introducing a priority rating for incident response workloads (A) helps address the issue of team

members being occupied with other tasks and unable to prioritize abnormal system activity. This

ensures incidents are handled based on severity, not just workload.

Creating an executive team delegation plan (D) addresses the issue of delays due to unavailability of

management for approvals. It ensures alternative decision-makers are available for swift action.

These strategies are based on the NIST SP 800-61 Rev. 2 recommendations and are highlighted in the

Cisco guide’s post-incident activity phase (page 418), which emphasizes lessons learned and how to

reduce detection and response times for future incidents.

Reference: CyberOps Technologies (CBRFIR) 300-215 study guide, Chapter: Dealing with Incident

Response, Post-Incident Activity, page 418.