Perform root cause analysis on incidents to determine underlying causes.
Examine the causes of the event or incident and how your organization responded to it. Look at the administrative, technical, and physical control weaknesses that may have allowed the incident to occur. Use available practices, such as cause-and-effect diagrams, to perform root-cause analysis; this helps prevent similar incidents in the future. After incidents are resolved, conduct reviews and capture lessons learned. Make improvements based on the outcomes of these activities, such as updating plans or controls.

Example

You are in charge of IT operations for your company. As part of your role, you manage incident response. After incidents are resolved, you and your team conduct a root cause analysis. Doing this analysis helps you determine the underlying causes of declared incidents. Based on what you learn from the analysis, you can make changes to your network to prevent similar incidents.
CERT RMM V1.2

Post-incident review is a formal part of the incident closure process. The organization conducts a formal examination of the causes of the incident and the ways in which the organization responded to it, as well as the administrative, technical, and physical control weaknesses that may have allowed the incident to occur. Post-incident review should include a significant root-cause analysis process. The organization should employ commonly available techniques (such as cause-and-effect diagrams) to perform root-cause analysis as a means of potentially preventing future incidents of similar type and impact. Consideration should be given to other processes that may have caused or aided the incident, particularly processes such as change management and configuration management.
NIST SP 800-53 Rev 4 AU-2
NIST CSF v1.1 DE.AE-2
CERT RMM v1.2 IMC:SG5.SP1
IR.2.097.[a] the organization has a post-incident response activity; and
IR.2.097.[b] the organization determines the root cause of incidents.