When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.
Incidents represent opportunities to improve your overall cyber resilience as part of lessons learned. It is important that organisations understand why the incident happened and, where appropriate, take steps to prevent the issue from recurring. The aim should be to address the root causes or to identify systemic problems, rather than to fix a very narrow issue. For example, the organisation should address its overall patch management process, rather than just apply a single missing patch.
The following requirements are placed on government departments:
The 10 Steps: Incident Management section emphasises the need for post-incident lessons learned exercises to drive organisational improvements. The Safety 2 approach is referenced, highlighting the need to not only focus on what went wrong but also look for successful elements of the incident response and examine why it worked well.
An organisation’s security culture is vital when looking at learning lessons from incidents. You shape security contains useful guidance on how organisations can build and maintain dialogues with staff, ensuring both that multiple perspectives on incidents are properly captured and that the lessons are learned and implemented effectively.
Further guidance and information can be found on the NCSC’s CAF Guidance webpage.
OFFICIAL