Does your organization have a process to categorize security incidents by type (e.g., data breach, ransomware, DDoS, account compromise)?
Explanation
Categorizing security incidents by type enables organizations to apply appropriate response procedures, allocate resources efficiently, and identify patterns or trends in security events. For example, a data breach requires different response actions than a DDoS attack, and categorization ensures the right teams and procedures are activated.
Evidence of fulfillment could include a documented incident classification taxonomy or matrix showing different incident types with their definitions, severity levels, and required response actions. This could be part of a larger incident response plan or a standalone classification document used by the security operations team.
Implementation Example
Further review and categorize incidents based on the type of incident (e.g., data breach, ransomware, DDoS, account compromise)
ID: RS.MA-03.314
Context
- Function
  - RS: RESPOND
- Category
  - RS.MA: Incident Management
- Sub-Category
  - Incidents are categorized and prioritized
Related questions
- Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?
- Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?
- Does your organization assign a designated incident lead for each security incident?
- Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?
- Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?
- Does your organization have documented criteria for estimating the severity of security incidents?