Does your organization have a documented process for selecting incident response strategies that balance rapid recovery with investigation needs during active incidents?
Explanation
Incident response often forces a trade-off between speed and insight, so reviewers want a documented process for choosing strategies that balance rapid recovery against investigation needs. For example, immediately shutting down a compromised system may stop an attack but destroys volatile evidence (memory contents, active network connections, running processes) that a later investigation would need, while allowing limited continued access under close monitoring can reveal the attacker's methods, tooling, and targets. The process should also state the limits of the observe-first option: how long a compromised system may stay online, what monitoring and containment controls must be in place while it does, and who is authorized to make and revisit that call.
Evidence could include an incident response playbook that outlines decision criteria for different incident types, defining when to prioritize immediate containment and when to allow extended investigation. The playbook should include decision trees or matrices that help responders determine the appropriate balance based on factors such as incident severity, the systems and data affected, business impact, and the risk of further attacker activity or data exfiltration while observation continues.
Implementation Example
Select incident response strategies for active incidents by balancing the need to quickly recover from an incident with the need to observe the attacker or conduct a more thorough investigation
ID: RS.MA-03.316
Context
- Function: RS: RESPOND
- Category: RS.MA: Incident Management
- Sub-Category: Incidents are categorized and prioritized
Related questions
- Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?
- Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?
- Does your organization assign a designated incident lead for each security incident?
- Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?
- Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?
- Does your organization have documented criteria for estimating the severity of security incidents?