Does your organization have documented criteria for estimating the severity of security incidents?
Explanation
Established severity criteria let an organization evaluate and prioritize security incidents consistently, using factors such as impact on systems, sensitivity of the data involved, and disruption to business operations. Without clear criteria, triage decisions vary from responder to responder, which leads to misallocated resources, needless escalation of low-impact events, or delayed response to critical incidents. Severity is distinct from incident type (see the related question on categorization below): the same type, such as account compromise, can fall anywhere on the scale depending on the privileges and data involved. Severity is an estimate and should be reassessed as the investigation reveals the true scope.
Evidence could include a documented incident severity matrix or scoring system that defines the severity levels (e.g., critical, high, medium, low) with specific criteria for each level, such as the number of affected systems, the type of data compromised, or operational impact thresholds, together with the response time and escalation path expected at each level. Evidence that the criteria are actually applied, such as the assigned severity recorded in incident tickets or post-incident reports, strengthens the answer.
Implementation Example
Apply criteria to estimate the severity of an incident
ID: RS.MA-02.313
Context
- Function
- RS: RESPOND
- Category
- RS.MA: Incident Management
- Sub-Category
- RS.MA-02: Incident reports are triaged and validated
Related questions
- Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?
- Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?
- Does your organization assign a designated incident lead for each security incident?
- Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?
- Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?
- Does your organization have a process to categorize security incidents by type (e.g., data breach, ransomware, DDoS, account compromise)?