Does your organization have a formal process to track and validate the status of all cybersecurity incidents from identification through resolution?
Explanation
This question concerns tracking incidents to closure: whether you have a formal process for following and validating the status of every cybersecurity incident from identification through resolution. Effective incident tracking ensures that security events do not fall through the cracks, that appropriate resources are allocated, and that management has visibility into ongoing security issues.
As evidence, you could provide a screenshot or export from your incident management system showing active incidents with their current statuses, assigned owners, and validation checkpoints. Alternatively, you could share your incident response procedure document that outlines how incidents are tracked and validated at each stage of remediation.
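To make the "validation checkpoints" idea concrete, the following is an added example (not part of this question set or of NIST's own material) of a minimal incident tracker. It enforces a hypothetical lifecycle (identified, triaged, contained, eradicated, recovered, closed), refuses a status change unless an owner is assigned, the stage order is respected, a second person validates the checkpoint and a note is recorded for the audit trail, and it lists open incidents that are unowned or idle so that none are forgotten. The stage names, the two-person validation rule and the sample incidents are assumptions made for the example.

```python
"""Minimal incident tracker: enforced lifecycle transitions, validation checkpoints, staleness checks."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class Status(Enum):
    IDENTIFIED = "identified"
    TRIAGED = "triaged"
    CONTAINED = "contained"
    ERADICATED = "eradicated"
    RECOVERED = "recovered"
    CLOSED = "closed"


# Permitted next stages (hypothetical lifecycle; a real SOC would use its own playbook stages).
TRANSITIONS = {
    Status.IDENTIFIED: {Status.TRIAGED},
    Status.TRIAGED: {Status.CONTAINED},
    Status.CONTAINED: {Status.ERADICATED},
    Status.ERADICATED: {Status.RECOVERED},
    Status.RECOVERED: {Status.CLOSED},
    Status.CLOSED: set(),
}


class TransitionError(ValueError):
    """Raised when a status change fails a validation checkpoint."""


@dataclass
class Incident:
    incident_id: str
    opened_at: datetime
    owner: Optional[str] = None
    status: Status = Status.IDENTIFIED
    last_update: Optional[datetime] = None
    # Each entry: (timestamp, new status, who validated the checkpoint, note)
    history: List[tuple] = field(default_factory=list)

    def __post_init__(self):
        if self.last_update is None:
            self.last_update = self.opened_at


def advance(incident: Incident, new_status: Status, validated_by: str, note: str, now: datetime) -> Incident:
    """Move an incident to its next stage only if every checkpoint is satisfied."""
    if incident.owner is None:
        raise TransitionError(f"{incident.incident_id}: no incident lead assigned")
    if new_status not in TRANSITIONS[incident.status]:
        raise TransitionError(
            f"{incident.incident_id}: cannot go from {incident.status.value} to {new_status.value}")
    if validated_by == incident.owner:
        # Design choice for this example: the checkpoint is validated by someone other than the owner.
        raise TransitionError(f"{incident.incident_id}: validator must differ from owner")
    if not note.strip():
        raise TransitionError(f"{incident.incident_id}: a note is required for the audit trail")
    incident.status = new_status
    incident.last_update = now
    incident.history.append((now, new_status, validated_by, note))
    return incident


def stale_incidents(incidents, now: datetime, max_idle: timedelta) -> List[str]:
    """IDs of open incidents with no owner or no update within max_idle: the ones at risk of being forgotten."""
    flagged = []
    for inc in incidents:
        if inc.status is Status.CLOSED:
            continue
        if inc.owner is None or now - inc.last_update > max_idle:
            flagged.append(inc.incident_id)
    return sorted(flagged)


def status_summary(incidents) -> dict:
    """Counts per status, the kind of view a management dashboard would show."""
    summary = {s.value: 0 for s in Status}
    for inc in incidents:
        summary[inc.status.value] += 1
    return summary


def demo() -> dict:
    """Run the tracker over two constructed sample incidents and return the observable results."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    inc = Incident("INC-0001", opened_at=t0, owner="alice")  # constructed sample
    advance(inc, Status.TRIAGED, "bob", "confirmed phishing, not a false positive", t0 + timedelta(hours=1))
    try:
        # Jumping straight to CLOSED skips stages and must be rejected.
        advance(inc, Status.CLOSED, "bob", "skipping stages", t0 + timedelta(hours=2))
        skip_allowed = True
    except TransitionError:
        skip_allowed = False
    orphan = Incident("INC-0002", opened_at=t0)  # constructed sample: reported but never assigned
    return {
        "status": inc.status.value,
        "history_len": len(inc.history),
        "skip_allowed": skip_allowed,
        "summary": status_summary([inc, orphan]),
        "stale": stale_incidents([inc, orphan], now=t0 + timedelta(days=3), max_idle=timedelta(days=1)),
    }


if __name__ == "__main__":
    print(demo())
```

The history list doubles as the evidence the question asks for: an export of it shows each incident's current status, owner and who validated each checkpoint, and the stale list is the check that nothing has been left unowned or untouched.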
Implementation Example
Track and validate the status of all ongoing incidents
ID: RS.MA-04.317
Context
- Function: RS: RESPOND
- Category: RS.MA: Incident Management
- Sub-Category: Incidents are escalated or elevated as needed
Related questions
- Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?
- Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?
- Does your organization assign a designated incident lead for each security incident?
- Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?
- Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?
- Does your organization have documented criteria for estimating the severity of security incidents?