Principle: D2 Lessons Learned
When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.
Incidents represent opportunities to improve your overall cyber resilience as part of lessons learned. It is important that organisations understand why the incident happened and, where appropriate, take steps to prevent the issue from recurring. The aim should be to address the root causes or to identify systemic problems, rather than to fix a very narrow issue. For example, to address the organisation’s overall patch management process, rather than to just apply a single missing patch.
Policy
The following requirements are placed on government departments:
- Government Organisations shall meet the Cyber Assessment Framework (CAF) requirements of the relevant Government Profile under this principle.
Guidance
- The 10 Steps: Incident Management section emphasises the need for post-incident lessons learned exercises to drive organisational improvements. The Safety 2 approach is referenced, highlighting the need to not only focus on what went wrong but also look for successful elements of the incident response and examine why it worked well.
- An organisation’s security culture is vital when looking at learning lessons from incidents. You shape security contains useful guidance on how organisations can build and maintain dialogues with staff, ensuring both that multiple perspectives on incidents are properly captured and that the lessons are learned and implemented effectively.
Further information
- It is important to be aware that some organisations may use NIST’s Computer Security Incident Handling Guide which is detailed guidance on incident response, covered in principles D1 and D2.
Further guidance and information can be found on the NCSC’s CAF Guidance webpage.