
09) Does your organisation conduct a root cause analysis for all information security incidents that are reported?

January 30, 2023
Business Resilience
Root Cause Analysis

Answer yes if your organisation completes a root cause analysis for every security incident that is reported, and implements the lessons learnt once each analysis is complete. Please provide a template root cause analysis document (as a PDF file) as evidence.

Root cause analysis is the final phase of incident response and should be conducted after (or alongside) identification, containment, control and recovery.

It helps you to understand why something happened and what action you need to take to prevent something similar happening again in future.

How to implement the control

The key to root cause analysis is to ask two questions: what exactly happened, and why did it happen?

For example, a security incident involving the exploitation of a known vulnerability on one of your systems would lead you to examine your patch management; that may in turn lead you to examine your asset management, and then your service introduction or change management process, and so on.

A root cause analysis for this example incident might go something like:

  • Why did the system not have the latest security patch applied? The software is not listed in our patch management system.
  • Why? The patch management system is fed by our asset management system and the software in question is not listed in our asset management system.
  • Why? The software did not go through the usual service introduction process.
  • Why? It was requested by a senior person who gave the approval to bypass the process.
  • Why? They said the process would take too long and they needed the software urgently.

Repeatedly asking 'why' in this way helps you understand the root causes that led to the incident and make the changes needed to prevent it from happening again. In this example, you might choose to review and improve your service introduction process, to run regular discovery scans looking for unapproved software, to improve security awareness among senior staff, and so on.

An incident may have several contributing factors, all of which could warrant remedial action. Once you have conducted your root cause analysis, you should prioritise, plan and execute any remedial actions.
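The discovery scan mentioned above is one of the remedial actions this example incident points to. The script below is an added illustration, not part of the original article or any Risk Ledger tooling: it reconciles what a discovery scan found installed on each host against the asset inventory and the patch management coverage that is fed from it, and reports the three gaps the root cause analysis exposed (software installed but never approved, approved software that patch management does not cover, and inventory entries no scan has seen). All hostnames, package names and the three data sets are constructed sample values.

```python
"""Reconcile discovered software against the asset inventory and the patch
management system, surfacing the gaps a root cause analysis would point at.
Added example; hostnames, package names and data sets are constructed."""

# What the discovery scan found installed on each host (constructed).
DISCOVERED = {
    "web-01": {"nginx", "openssh", "reporting-tool"},
    "db-01": {"postgresql", "openssh"},
}

# What the asset management system lists as approved software (constructed).
APPROVED_ASSETS = {"nginx", "postgresql", "openssh", "legacy-agent"}

# What the patch management system, fed by asset management, covers (constructed).
PATCH_MANAGED = {"nginx", "openssh"}


def reconcile(discovered, approved, patch_managed):
    """Compare the three sources and return a dict of findings.

    'unapproved'        host -> software installed but absent from the inventory
    'unpatched_approved' host -> approved software that patch management misses
    'stale_inventory'   inventory entries not seen on any scanned host
    """
    unapproved = {}
    unpatched_approved = {}
    seen = set()
    for host, installed in discovered.items():
        seen |= installed
        # Installed but never went through service introduction / asset management.
        missing_from_inventory = sorted(installed - approved)
        if missing_from_inventory:
            unapproved[host] = missing_from_inventory
        # Approved, so it should be patch managed, yet it is not: a sync gap
        # between asset management and patch management.
        patch_gap = sorted((installed & approved) - patch_managed)
        if patch_gap:
            unpatched_approved[host] = patch_gap
    return {
        "unapproved": unapproved,
        "unpatched_approved": unpatched_approved,
        # Listed as an asset but no scan found it: the inventory may be stale.
        "stale_inventory": sorted(approved - seen),
    }


def report(findings):
    """Render findings as one line per item, suitable for a remediation list."""
    lines = []
    for host, items in findings["unapproved"].items():
        lines.append(f"{host}: unapproved software installed: {', '.join(items)}")
    for host, items in findings["unpatched_approved"].items():
        lines.append(f"{host}: approved but not patch managed: {', '.join(items)}")
    for item in findings["stale_inventory"]:
        lines.append(f"inventory: '{item}' approved but not found on any host")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(DISCOVERED, APPROVED_ASSETS, PATCH_MANAGED)):
        print(line)
```

Each category maps to one of the 'why' answers in the example: unapproved software is the bypassed service introduction process, the patch management gap is the asset-to-patch feed, and stale inventory entries show the asset register itself drifting. Running the reconciliation on a schedule turns a one-off root cause finding into a recurring check.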

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
