Does your organization require incident leads to document security incidents in detail and maintain the integrity of all incident documentation and information sources?
Explanation
This question focuses on defensible incident records: whether incident leads are required to document events in detail and to preserve the integrity of all incident documentation and information sources.
Proper documentation by a designated incident lead ensures accountability, provides a reliable record for post-incident analysis, and supports potential legal or compliance requirements. It also helps maintain consistency in how incidents are recorded across the organization.
Evidence could include an incident response policy document that explicitly assigns documentation responsibilities to incident leads, incident report templates that include fields for documenting information sources, or completed incident reports showing proper documentation practices with chain of custody maintained.
Implementation Example
Require the incident lead to document the incident in detail and to be responsible for preserving the integrity of the documentation and of the sources of all information being reported.
ID: RS.AN-06.326
Context
- Function
  - RS: RESPOND
- Category
  - RS.AN: Incident Analysis
- Sub-Category
  - Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
Related questions
- Does your organization have a documented process for investigating notifications from security detection systems?
- Does your organization have a formal process to assess and document the impact of security incidents?
- Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
- Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
- Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
- Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?