Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?
Explanation
This question assesses incident triage: whether you have a process to screen and validate incoming reports, confirming they are cybersecurity-related before a full response is invoked.
Without proper screening, teams may waste resources on false positives or non-security events, while potentially missing critical incidents that require immediate attention. Effective screening helps prioritize response efforts and ensures appropriate escalation paths are followed.
Evidence could include a documented incident triage procedure, a decision tree for incident classification, screenshots of a ticketing system showing initial assessment fields, or examples of incident intake forms with preliminary assessment criteria.
Implementation Example
Preliminarily review incident reports to confirm that they are cybersecurity-related and necessitate incident response activities
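The screening step above is easiest to see as a small decision tree run over intake-form data: validate that the report is complete, decide whether it describes a security event or an operational IT issue, then pick an escalation path. The following Python is an added illustration, not code from this page or from NIST; the indicator checkboxes, asset criticality tiers and the four sample reports are constructed for the example.

```python
"""Initial screening of incident reports (RS.MA-02-style triage).

Added example. An intake form lets the reporter tick observed symptoms;
screen_report() walks a decision tree to decide whether the report is
cybersecurity-related and whether incident response should be invoked.
All indicator lists, asset tiers and sample reports are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Disposition(Enum):
    INVOKE_IR = "invoke incident response procedures"
    ROUTE_TO_IT = "not cybersecurity-related; route to IT service desk"
    NEEDS_INFO = "incomplete report; return to reporter"


# Intake-form checkboxes that point to a likely security event (constructed).
SECURITY_INDICATORS = {
    "phishing_email", "unexpected_mfa_prompt", "ransom_note",
    "unknown_process", "data_exposed", "unauthorized_access",
}
# Checkboxes that normally describe an operational/IT problem (constructed).
OPERATIONAL_INDICATORS = {"disk_full", "app_crash", "slow_network", "hardware_failure"}
# Assets whose involvement raises preliminary severity (constructed tier list).
CRITICAL_ASSETS = {"domain-controller", "payment-db", "hr-db"}


@dataclass
class IncidentReport:
    report_id: str
    reporter: str
    summary: str
    affected_assets: list
    indicators: set  # checkboxes ticked on the intake form


@dataclass
class TriageResult:
    report_id: str
    disposition: Disposition
    security_related: bool
    preliminary_severity: Optional[str]
    reasons: list = field(default_factory=list)


def screen_report(report: IncidentReport) -> TriageResult:
    """Walk the screening decision tree for one incoming report."""
    reasons = []

    # Step 1: validate the intake form before spending analyst time on it.
    required = (("reporter", report.reporter), ("summary", report.summary),
                ("affected_assets", report.affected_assets))
    missing = [name for name, value in required if not value]
    unknown = report.indicators - SECURITY_INDICATORS - OPERATIONAL_INDICATORS
    if missing:
        reasons.append("missing required fields: " + ", ".join(missing))
    if unknown:
        reasons.append("unrecognised indicators: " + ", ".join(sorted(unknown)))
    if not report.indicators:
        reasons.append("no observed indicators ticked")
    if reasons:
        return TriageResult(report.report_id, Disposition.NEEDS_INFO, False, None, reasons)

    # Step 2: is it cybersecurity-related? Any security indicator wins, even
    # when operational symptoms are also present (a crash can be a side effect).
    security_hits = report.indicators & SECURITY_INDICATORS
    if not security_hits:
        reasons.append("only operational indicators reported")
        return TriageResult(report.report_id, Disposition.ROUTE_TO_IT, False, None, reasons)

    # Step 3: preliminary severity from asset criticality selects the escalation path.
    critical = sorted(a for a in report.affected_assets if a in CRITICAL_ASSETS)
    severity = "high" if critical else "medium"
    reasons.append("security indicators: " + ", ".join(sorted(security_hits)))
    if critical:
        reasons.append("critical assets affected: " + ", ".join(critical))
    return TriageResult(report.report_id, Disposition.INVOKE_IR, True, severity, reasons)


# Constructed sample intake submissions.
SAMPLE_REPORTS = [
    IncidentReport("INC-1001", "a.lee", "Clicked link, then odd prompts",
                   ["laptop-0421", "payment-db"], {"phishing_email", "unknown_process"}),
    IncidentReport("INC-1002", "b.khan", "Share is full again",
                   ["fileserver-01"], {"disk_full"}),
    IncidentReport("INC-1003", "c.diaz", "", ["printer-07"], {"app_crash"}),
    IncidentReport("INC-1004", "d.ng", "Server rebooted, unknown admin login",
                   ["web-03"], {"hardware_failure", "unauthorized_access"}),
]


def triage_all(reports=SAMPLE_REPORTS) -> dict:
    """Screen every report and return results keyed by report id."""
    return {r.report_id: screen_report(r) for r in reports}


if __name__ == "__main__":
    for result in triage_all().values():
        print(result.report_id, result.disposition.value,
              result.preliminary_severity or "-", "; ".join(result.reasons))
```

The recorded `reasons` list is the evidence trail an assessor asks for: each disposition is traceable to an intake criterion, and a report with a security indicator among operational symptoms (INC-1004) still reaches incident response rather than the service desk.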
ID: RS.MA-02.312
Context
- Function: RS: RESPOND
- Category: RS.MA: Incident Management
- Sub-Category: Incident reports are triaged and validated
Related questions
- Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?
- Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?
- Does your organization assign a designated incident lead for each security incident?
- Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?
- Does your organization have documented criteria for estimating the severity of security incidents?
- Does your organization have a process to categorize security incidents by type (e.g., data breach, ransomware, DDoS, account compromise)?