Should risk management planning include root cause analysis?

Incorporating root cause analysis in risk management planning could be beneficial to developing a security plan, but is it the best time for it?

It's been advocated that enterprises work root cause analysis into a risk management plan. This sounds like an extra step in the already lengthy security audit process. What are the benefits of root cause analysis and is it really effective enough to work into my organization's security plan?

Root cause analysis (RCA) answers four basic questions: What happened? How did it happen? Why did it happen? And what can be done to prevent it from happening again? These questions are typically asked after an incident. A risk management plan defines the process of planning, organizing, leading and controlling the activities of an organization in order to minimize the risks to the organization.

Incident response plans (IRPs) provide an organized approach to addressing and managing the aftermath of a security breach or attack. A key component of the IRP is "lessons learned" where the IRP team analyzes the incident and how it was handled, making recommendations for better future response and for preventing a recurrence. This requires a closer look at what, how and why the incident occurred. Security teams are then able to determine what steps are required to prevent the incident from happening again. This process should include a root cause analysis.

Including the RCA in the risk management plan could be beneficial, but if the chief information security officer is to focus on information security risk, the RCA is best included in the IRP.

IRPs are most effective when they result from the RCA and when viable incident scenarios are tested to ensure the IRP team can expertly manage actual incidents when they occur.

This was last published in August 2015