Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
Explanation
Root cause analysis goes beyond addressing the immediate symptoms of a security incident to identify the fundamental, systemic issues that allowed the incident to occur.
This process helps prevent similar incidents in the future by addressing underlying vulnerabilities in technology, processes, or human factors rather than implementing superficial fixes.
Effective root cause analysis typically involves methodologies like the '5 Whys' technique, fishbone diagrams, or fault tree analysis to trace the incident back to its origins.
Evidence of fulfillment could include documented root cause analysis reports from past incidents, a formal incident response procedure that includes root cause analysis steps, or post-incident review templates that specifically address systemic causes rather than just immediate technical fixes.
Implementation Example
Analyze the incident to find the underlying, systemic root causes
ID: RS.AN-03.323
Context
- Function
  - RS: RESPOND
- Category
  - RS.AN: Incident Analysis
- Sub-Category
  - Analysis is performed to establish what has taken place during an incident and the root cause of the incident
Related questions
- Does your organization have a documented process for investigating notifications from security detection systems?
- Does your organization have a formal process to assess and document the impact of security incidents?
- Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
- Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
- Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?
- Does your organization categorize security incidents according to established incident response plans?