DE.AE-08.306
Has your organization established and documented incident criteria that are used to determine when an activity should be declared as a security incident?
Explanation
This question assesses whether your organization has defined clear parameters for classifying security events as incidents requiring formal response. Effective incident criteria should include thresholds for impact, urgency, and scope that help security teams consistently determine when to escalate an event to incident status based on both known characteristics and reasonable assumptions about the activity. Evidence could include a documented incident classification matrix or decision tree that outlines specific criteria for incident declaration, severity levels, and examples of what constitutes different types of security incidents. This document should be part of your incident response plan and accessible to all security team members.
Implementation Example
Apply incident criteria to known and assumed characteristics of activity in order to determine whether an incident should be declared
ID: DE.AE-08.306
Context
- Function: DE: DETECT
- Category: DE.AE: Adverse Event Analysis
- Sub-Category: Incidents are declared when adverse events meet the defined incident criteria

