Framework Category

Incident Management

Incident Management involves executing a coordinated response once an incident is declared.

It includes validating and prioritizing reports, escalating as necessary, and applying predefined criteria to determine when to transition from response to recovery.

Implementation Questions

RS.MA-01

The incident response plan is executed in coordination with relevant third parties once an incident is declared

Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?

Automated incident reporting ensures that security events are promptly escalated without manual intervention, reducing response time and minimizing potential damage. This capability is critical for maintaining continuous security monitoring and enabling rapid incident response, especially during off-hours or when security staff are unavailable.

Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?

This question assesses whether your organization has established a relationship with an external incident response service provider that can be called upon during security incidents that exceed internal capabilities. Having a pre-established relationship with incident response specialists ensures rapid access to expertise during critical security events, potentially reducing the impact and recovery time of incidents.

Does your organization assign a designated incident lead for each security incident?

Designating a specific incident lead for each security incident ensures clear accountability, streamlined communication, and effective coordination of response activities. This role is responsible for making critical decisions, managing the incident response team, and serving as the central point of contact throughout the incident lifecycle.

Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?

During a security incident, organizations may need to activate additional response mechanisms beyond the standard incident response procedures. This includes business continuity plans to maintain critical operations, disaster recovery procedures to restore systems, or crisis communication plans to manage stakeholder communications. Having these plans ready for activation ensures a comprehensive response to incidents that may escalate beyond routine security events.

RS.MA-02

Incident reports are triaged and validated

Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?

This question assesses whether your organization has a triage mechanism to properly classify incoming security alerts or reports before allocating incident response resources. Without proper screening, teams may waste resources on false positives or non-security events, while potentially missing critical incidents that require immediate attention. Effective screening helps prioritize response efforts and ensures appropriate escalation paths are followed.

Does your organization have documented criteria for estimating the severity of security incidents?

Established severity criteria help organizations consistently evaluate and prioritize security incidents based on factors like impact to systems, data sensitivity, and business operations. Without clear criteria, incident response may be inconsistent, leading to improper resource allocation or delayed response to critical incidents.

RS.MA-03

Incidents are categorized and prioritized

Does your organization have a process to categorize security incidents by type (e.g., data breach, ransomware, DDoS, account compromise)?

Categorizing security incidents by type enables organizations to apply appropriate response procedures, allocate resources efficiently, and identify patterns or trends in security events. For example, a data breach requires different response actions than a DDoS attack, and categorization ensures the right teams and procedures are activated.

Does your organization have a documented incident prioritization framework that considers scope, impact, and time-sensitivity?

An incident prioritization framework helps security teams focus resources on the most critical incidents first, ensuring efficient response to security events. The framework should evaluate incidents based on their scope (how many systems/users are affected), potential impact (financial, operational, reputational damage), and time-sensitivity (how quickly the incident must be addressed to prevent escalation).

Does your organization have a documented process for selecting incident response strategies that balance rapid recovery with investigation needs during active incidents?

This question assesses whether your organization has a formal approach to incident response that considers both the urgency of restoring operations and the potential value of monitoring attacker behavior or conducting thorough investigations. For example, immediately shutting down compromised systems may stop an attack but destroy valuable forensic evidence, while allowing limited continued access under monitoring might reveal the attacker's methods and targets.

RS.MA-04

Incidents are escalated or elevated as needed

Does your organization have a formal process to track and validate the status of all cybersecurity incidents from identification through resolution?

This question assesses whether your organization maintains continuous visibility of incident status throughout the incident response lifecycle. Effective incident tracking ensures that security events don't fall through the cracks, appropriate resources are allocated, and management has visibility into ongoing security issues.

Does your organization have a documented incident escalation procedure that defines coordination with both internal stakeholders (e.g., management, legal) and external parties (e.g., customers, regulators, law enforcement)?

This question assesses whether your organization has established clear pathways for escalating security incidents to appropriate stakeholders based on severity, impact, and regulatory requirements. Effective incident escalation procedures ensure timely notification to decision-makers, technical teams, legal counsel, affected customers, and regulatory bodies when necessary, preventing communication breakdowns during critical incidents.

RS.MA-05

The criteria for initiating incident recovery are applied

Has your organization established and documented criteria for determining when incident recovery processes should be initiated based on incident characteristics?

This question assesses whether your organization has defined clear thresholds or decision points for activating recovery procedures following a security incident. These criteria should consider factors like incident severity, systems affected, data compromise, operational impact, and recovery resource requirements. Having predefined recovery criteria ensures consistent decision-making during incidents and prevents delays in recovery actions when needed.

Has your organization assessed and documented how incident recovery activities might impact normal business operations?

This question evaluates whether your organization has analyzed how cybersecurity incident recovery procedures could disrupt day-to-day operations. For example, restoring systems from backups might require temporary service outages, isolating infected systems could impact connected business processes, or redirecting staff to incident response might delay other critical functions.