A CSIRT has completed restoration procedures related to a breach of sensitive data is creating documentation used to improve the organization`s security posture. The team has been specifically tasked to address logical controls in their suggestions. Which of the following would be MOST beneficial to include in lessons learned documentation? (Choose two.) 

Answer options:

A. A list of policies, which should be revised to provide better clarity to employees regarding acceptable use
B. Recommendations relating to improved log correlation and alerting tools
C. Data from the organization`s IDS/IPS tools, which show the timeline of the breach and the activities executed by the attacker
D. A list of potential improvements to the organization`s NAC capabilities, which would improve AAA within the environment
E. A summary of the activities performed during each phase of the incident response activity
F. A list of topics that should be added to the organization`s security awareness training program based on weaknesses exploited during the attack

AF