Incident Response


Benefit

Ability to efficiently solve most common security incidents

Activity

The first step is to recognize incident response as a competence in its own right and to define a responsible owner. Give that owner the time and resources needed to keep up with the current state of incident handling best practices and forensic tooling.

At this level of maturity, you may not have established a dedicated incident response team, but you have defined the participants of the process (usually different roles). Assign a single point of contact for the process, known to all relevant stakeholders. Ensure that the point of contact knows how to reach each participant, and define on-call responsibilities for those who have them.

When security incidents happen, document all actions taken. Protect this information from unauthorized access.

Question

Do you respond to detected incidents?

Quality criteria

You have a defined person or role for incident handling
You document security incidents

Answers

No
Yes, for some incidents
Yes, for at least half of the incidents
Yes, for most or all of the incidents
