Organizations need to conduct an impact assessment, a root cause analysis and a post-incident review to understand the impact of a security incident and to prevent its recurrence.
To manage risk effectively, organizations, boards of directors, business units and information security teams all need to balance risk and reward. Impact assessment is a crucial component of assessing risk.
Incomplete or inaccurate impact assessment undermines the organization's ability to understand the risk it faces. Without understanding potential impact, organizations are likely to accept unnecessary risk or waste money on unnecessary mitigation. A clear view of impacts can be used to set the priorities and the sequence for risk mitigation activity, such as controls, staffing levels and awareness programs.
Not all organizations are aware of the value that can be derived from impact assessment, or aware that it can be used as a positive tool rather than simply an assessment of failure. In addition, impact assessments can be complex and time intensive, putting pressure on staff that some think would be better used for day-to-day operations.
The Root of the Problem
A root cause analysis needs to be performed to determine the cause of the incident, and its output is the basis for the recommendations that follow. The investigation must be detailed and carried out in enough depth that a complete and reliable picture emerges. That is, the findings must be root causes and not symptoms: a missed patch is a symptom, whereas the absence of an asset inventory that would have shown the system needed patching is a root cause. The investigator must be able to tell the two apart.
While a root cause analysis provides value, the cost of performing one can’t be justified for every incident. Organizations should use a consistent triage process to determine whether an incident merits a root cause analysis. Forming the right team for the root cause analysis is a critical step. The quality of output from root cause analysis techniques is dependent on the investigators’ knowledge and skills. Only by ensuring that the correct combination of expertise is available will it be possible to establish the true root cause.
Organizations need to communicate the findings effectively to relevant stakeholders so they can be validated and acted upon. The findings should be presented in a format that suits the organization, and the report should include the results of the root cause analysis along with an overview of the incident.
Organizations should also be constantly looking for ways to respond to developments and improve risk management by learning from previous incidents. Post-incident review supports this by feeding information back into each of the information risk processes described above, helping organizations get to the cause of incidents and revealing gaps and deficiencies in those processes.
The post-incident review's value is clear. Its output can improve the information risk assessment process by providing comprehensive data to inform future decisions. It produces information about threats, risks and impacts that is accurate, current and linked directly to the incident, the organization and its operations. Organizations that do not perform post-incident review are most likely incurring unnecessary costs and accepting inappropriate risks.
Risk management is incomplete without impact assessment, root cause analysis and post-incident review. Without a proper understanding of what happened, why it happened and its impact, organizations can't fully understand or manage the risk. These key steps enable organizations to improve their processes and prevent recurrence of incidents. As a result, a security incident can be transformed from a potential or actual disaster into an opportunity, the benefits of which will emerge over the long term.
About the Author
Steve Durbin is Global Vice President of the Information Security Forum, an independent, not-for-profit association of leading organizations from around the world.