In my current position in IT, I generally ask/answer the same questions for every security incident, regardless if the event is on the digital or physical front. By compiling a set of standardized queries, one can form a general attack plan in the chance of a breach or threat; this can help manage resources quickly, as every second counts immediately following an exposed or penetrated asset. Below are some of the questions I use in my ‘Incident Form.’

Date of Incident?

Date of Initial Detection?

Intruder’s Target?

Intruder’s Origination?

What Happened?

How It Happened

Initial Discovery?

Event Timeline?

Threat Level?

Suggested Steps?

Research/Communication?

Completed Actions?

Pending Actions?

By answering each of these questions, I can then create my ‘Full Incident Report Form,’ which typically is around 10-15 pages of detailed data regarding every possible source or contributing factor in the security breach. Included in my full report is the complete ticket timeline of the event, starting at the identification of the breach/vulnerability to the full resolution of the problem. By adding each ticket with the author, steps involved, date and time, as well as the priority level, I can formulate a comprehensive and detailed incident report. Proper documentation leads to proper error resolution, now, and into the future; this is due to being able to follow the same procedure used for past security events for future issues.

While each situation is different, the basic framework one should follow in a physical security incident should be somewhat similar. One needs to find out what happened, why it happened, what the potential risks are, what the proposed solution is, and what everything is going to cost in terms of resources and personnel; by establishing these answers, one can efficiently update upper management on the status of the task during each phase.