Does your organization categorize security incidents according to established incident response plans?
Explanation
This question concerns incident classification: whether security incidents are categorized according to the categories defined in your incident response plans. Consistent categorization ensures that the appropriate response procedures are followed for each incident type, severity, and impact (e.g., data breach, malware infection, denial of service).
Evidence could include your incident response plan with clearly defined incident categories, incident classification criteria, incident handling procedures for each category, and sample incident tickets or reports showing how actual incidents were categorized according to the plan.
Context
- Function: RS: RESPOND
- Category: RS.AN: Incident Analysis
- Sub-Category: Incidents are categorized consistent with response plans
Related questions
- Does your organization have a documented process for investigating notifications from security detection systems?
- Does your organization have a formal process to assess and document the impact of security incidents?
- Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
- Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
- Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
- Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?