IRO-13: Root Cause Analysis (RCA) & Lessons Learned

IRO 8 — High Respond

Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents.

Control Question: Does the organization incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents?

General (45)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	CC7.4-POF10
CIS CSC 8.1	16.3 17.8
CIS CSC 8.1 IG2	16.3 17.8
CIS CSC 8.1 IG3	16.3 17.8
ENISA 2.0	SO18
GovRAMP Low	IR-01
GovRAMP Low+	IR-01
GovRAMP Moderate	IR-01
GovRAMP High	IR-01
IMO Maritime Cyber Risk Management	3.5.6.3
ISO 27002 2022	5.24 5.27
ISO 27017 2015	16.1.6
NIST AI 600-1	MG-4.2-002 MG-4.3-001
NIST Privacy Framework 1.0	GV.MT-P6
NIST 800-53 R4	IR-1
NIST 800-53 R4 (low)	IR-1
NIST 800-53 R4 (moderate)	IR-1
NIST 800-53 R4 (high)	IR-1
NIST 800-53 R5 (source)	IR-1 IR-4(12) IR-6(2)
NIST 800-53B R5 (privacy) (source)	IR-1
NIST 800-53B R5 (low) (source)	IR-1
NIST 800-53B R5 (moderate) (source)	IR-1
NIST 800-53B R5 (high) (source)	IR-1
NIST 800-53 R5 (NOC) (source)	IR-4(12) IR-6(2)
NIST 800-82 R3 LOW OT Overlay	IR-1
NIST 800-82 R3 MODERATE OT Overlay	IR-1
NIST 800-82 R3 HIGH OT Overlay	IR-1
NIST 800-161 R1	IR-1
NIST 800-161 R1 C-SCRM Baseline	IR-1
NIST 800-161 R1 Flow Down	IR-1
NIST 800-161 R1 Level 1	IR-1
NIST 800-161 R1 Level 2	IR-1
NIST 800-161 R1 Level 3	IR-1
NIST 800-171 R2 (source)	NFO-IR-1
NIST 800-171 R3 (source)	03.06.04.b
NIST 800-218	RV.3
NIST CSF 2.0 (source)	ID.IM-02 ID.IM-03 RS.AN-03
PCI DSS 4.0.1 (source)	12.10.6
PCI DSS 4.0.1 SAQ D Merchant (source)	12.10.6
PCI DSS 4.0.1 SAQ D Service Provider (source)	12.10.6
TISAX ISA 6	1.6.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	IRO-13
SCF CORE ESP Level 1 Foundational	IRO-13
SCF CORE ESP Level 2 Critical Infrastructure	IRO-13
SCF CORE ESP Level 3 Advanced Threats	IRO-13

US (28)

Framework	Mapping Values
US C2M2 2.1	RESPONSE-3.H.MIL2 RESPONSE-3.I.MIL3
US CERT RMM 1.2	COMM:SG3.SP1 COMM:SG3.SP2
US CISA CPG 2022	1.D
US CJIS Security Policy 5.9.3 (source)	IR-1
US CMS MARS-E 2.0	IR-1
US DHS ZTCF	SEC-02
US FedRAMP R4	IR-1
US FedRAMP R4 (low)	IR-1
US FedRAMP R4 (moderate)	IR-1
US FedRAMP R4 (high)	IR-1
US FedRAMP R4 (LI-SaaS)	IR-1
US FedRAMP R5 (source)	IR-1
US FedRAMP R5 (low) (source)	IR-1
US FedRAMP R5 (moderate) (source)	IR-1
US FedRAMP R5 (high) (source)	IR-1
US FedRAMP R5 (LI-SaaS) (source)	IR-1
US FFIEC	D5.IR.Pl.Int.4
US GLBA CFR 314 2023 (source)	314.4(h)(7)
US HIPAA HICP Medium Practice	8.M.A 8.M.B
US HIPAA HICP Large Practice	8.M.A 8.M.B
US IRS 1075	IR-1
US NERC CIP 2024 (source)	CIP-008-6 3.1.1 CIP-008-6 3.1.2
US NISPOM 2020	8-101 8-103
US - NV NOGE Reg 5	5.260.4(b)
US - TX DIR Control Standards 2.0	IR-1
US - TX TX-RAMP Level 1	IR-1
US - TX TX-RAMP Level 2	IR-1
US - VT Act 171 of 2018	2447(b)(10) 2447(b)(10)(A) 2447(b)(10)(B)

EMEA (9)

Framework	Mapping Values
EMEA EU DORA	13.2 13.2(a) 13.2(b) 13.2(c) 13.2(d) 13.3
EMEA EU NIS2	23.4(d)(ii)
EMEA EU NIS2 Annex	3.6.1 3.6.2 3.6.3
EMEA Germany C5 2020	SIM-05
EMEA Saudi Arabia IoT CGIoT-1 2024	2-12-2 2-12-3
EMEA Saudi Arabia SACS-002	TPC-89
EMEA UK CAF 4.0	D2 D2.a D2.b
EMEA UK CAP 1850	D2
EMEA UK DEFSTAN 05-138	4200

APAC (5)

Framework	Mapping Values
APAC Australia ISM June 2024	ISM-1213
APAC Australia Prudential Standard CPS234	25(a)
APAC India SEBI CSCRF	EV.ST.S3 RC.IM.S1 RS.AN.S3 RS.AN.S4 RS.AN.S4a RS.AN.S4b RS.AN.S5 RS.IM.S1
APAC Japan ISMAP	16.1.6
APAC Singapore MAS TRM 2021	7.8.1 7.8.2 7.8.3 12.3.3

Americas (4)

Framework	Mapping Values
Americas Bermuda BMACCC	6.4
Americas Canada CSAG	5.9
Americas Canada OSFI B-13	2.7.3 3.4 3.4.5
Americas Canada ITSP-10-171	03.06.04.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents.

Level 2 — Planned & Tracked

Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.

Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
IT/cybersecurity personnel:
Incident responders provide After Action Review (AAR) feedback on what worked, what did not work and ways to improve future responses to similar incidents.

Level 3 — Well Defined

Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data protection and business function representatives that can perform coordinated incident response.
The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data protection response operations.
A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
The ISIRT team leader conducts a formal After Action Review (AAR) to generate a Root Cause Analysis (RCA) report that also includes lessons learned during incident response operations to improve future response actions.

Level 4 — Quantitatively Controlled

Incident Response (IR) is metrics driven and provides sufficient management insight (based on a quantitative understanding of process of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents.

Assessment Objectives

IRO-13_A01 an After Action Reviews (AARs), or a similar process, is conducted following incidents that require escalation to an Integrated Security Incident Response Team (ISIRT), or similar integrated team of cybersecurity, IT and business function representatives, are established to address a cybersecurity and/or data privacy incident response operations.
IRO-13_A02 events that would require the current incident response policy / procedures to be reviewed / updated are defined.
IRO-13_A03 incident response documentation is updated to address necessary changes to enable the timely and effective response to incidents.
IRO-13_A04 events that initiate a review of the incident response training content are defined.

Evidence Requirements

E-IRO-08 Root Cause Analysis (RCA): Documented evidence of a Root Cause Analysis (RCA) from any Incident Response Plan (IRP)-related training, testing or incident.
Incident Response

Technology Recommendations

Micro/Small

Root Cause Analysis (RCA)

Small

Root Cause Analysis (RCA)

Medium

Root Cause Analysis (RCA)

Large

Root Cause Analysis (RCA)

Enterprise

Root Cause Analysis (RCA)