Impact assessment, root cause analysis, and recommendations

Nov 21, 2012 21:01 GMT

The Information Security Forum (ISF), a global organization that focuses its efforts on information risk management and cyber security, has released a report called “You could be next.”

The new report is designed to help organizations implement post-incident review capabilities, with a focus on three key steps: impact assessment, root cause analysis and recommendations.

The ISF has found that although the immediate costs of a data breach are easy to determine, the same cannot be said of the long-term or intangible costs.

Experts reveal that in many cases organizations are highly capable of handling cyber security incidents, but few of them have a “mature” and “structured” approach when it comes to analyzing the causes of the breach. Ultimately, this leads to unnecessary costs.

“Without a proper impact assessment, businesses don’t know the incremental, long-term or intangible costs of an incident – but those costs still hit the bottom line, costing the organization money,” said Michael de Crespigny, CEO of the ISF.

“Utilizing our You Could Be Next Report, executives can better understand how to respond more quickly and develop the resilience needed to survive the impacts from today’s complex security threats.”

One important thing organizations must remember is that risk management is incomplete without a proper post-incident review. Furthermore, security incidents cost more than is immediately apparent, although in many cases this is unknown to affected companies.

Despite the fact that post-incident review is mandatory to ensure that future breaches are avoided, in practice, this is the weakest part of incident management.

Another noteworthy finding of the “You could be next” report is that even if an incident has a major impact, its causes are not necessarily proportional.

The “You Could Be Next” report is available free of charge to ISF members. Non-members can purchase a copy by contacting Steve Durbin at [email protected].