Cybersecurity incident root-cause analysis is performed and corrective actions are taken, including updates to the incident response plan
Context and Guidance: This might involve conducting a formal examination of the causes of the incident, the ways in which the organisation responded to it, and the administrative, technical, and physical control weaknesses that may have allowed the incident to occur. The organisation can employ commonly available techniques (such as cause-and-effect diagrams) to perform root-cause analysis as a means of potentially preventing future incidents of similar type and impact. Any needed improvements identified through these activities should be made, such as updating the incident response plan or adjusting protection strategies and controls. This type of analysis may also identify higher-level issues within the organisation and result in changes to activities in other domains, such as the cyber risk strategy, vulnerability management procedures, or the threat analysis process. Note that the terms root-cause analysis and corrective action are used in the common, general sense and not as related to definitions used in any specific regulation or guideline. Exceptions to policies implemented during response to an incident should be reviewed following recovery for their impact to the cybersecurity control environment (i.e., moving control center operations from on-site only to remote) Procedures for managing exceptions should include requirements for evaluating changes following return to normal operations including whether changes should remain in place. Additional scrutiny may be valuable for specific change types such as new devices, new applications and changes to access permissions.
Related Practices • Progression: This practice is part of multiple practice progressions. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in the first progression include: RESPONSE-3a, RESPONSE-3d, RESPONSE-3f, RESPONSE-3g, RESPONSE-3h, RESPONSE-3i. • The practices in the second progression include: RESPONSE-3b, RESPONSE-3e, RESPONSE-3h, RESPONSE-3i, RESPONSE-3l.