Publisher Summary The closure phase takes action against the causes of the incident and helps the organization learn from it to improve processes and procedures. After a data security incident, the organization should hold one or more lessons learned sessions to review how effective the incident management process was, and to identify necessary improvements to existing policies, processes, controls, awareness and training, risk analysis, and other organizational practices. The post incident review process should be conducted after sufficient time has elapsed after the incident has taken place and been resolved, to provide a more objective view of the effectiveness of the response and communication. Any relevant lessons learned should be included in the revised data security and incident response plans for reference, and the updated documents should be communicated to all relevant personnel. The response team should develop a procedure by which it can analyze and measure the direct and indirect costs associated with a data breach incident, in order to determine the value of the information and assets that were lost. Among the most measurable costs in dealing with the incident are direct personnel costs, including the time of response team members as well as others who participated in the response. Loss in the form of decreased productivity can be tabulated by considering the number of employees who were prevented from working or experienced a slowdown in work because of the incident. A major consideration when considering revenue loss is the opportunity cost of customers terminating or modifying their relationship with the organization, and the attendant impact on future business.