Model | Operations | Incident Management | Incident Response
Benefit
Ability to efficiently solve most common security incidents
Activity
The first step is to recognize the incident response competence as such, and define a responsible owner. Provide them the time and resources they need to keep up with current state of incident handling best practices and forensic tooling.
At this level of maturity, you may not have established a dedicated incident response team, but you have defined the participants of the process (usually different roles). Assign a single point of contact for the process, known to all relevant stakeholders. Ensure that the point of contact knows how to reach each participant, and define on-call responsibilities for those who have them.
When security incidents happen, document all actions taken. Protect this information from unauthorized access.
Question
Do you respond to detected incidents?
Quality criteria
You have a defined person or role for incident handling |
You document security incidents |
Answers
No |
Yes, for some incidents |
Yes, for at least half of the incidents |
Yes, for most or all of the incidents |
Benefit
Understanding and efficient handling of most security incidents
Activity
Establish and document the formal security incident response process. Ensure documentation includes information like:
- most probable/common scenarios of security incidents and high-level instructions for handling them; for such scenarios, also use public knowledge about possibly relevant third-party incidents
- rules for triaging each incident
- rules for involvement of different stakeholders including senior management, Public Relations, Legal, privacy, Human Resources, external (law enforcement) authorities, and customers; specify mandatory timeframe to do so, if needed
- the process for performing root-cause analysis and documentation of its results
Ensure a knowledgeable and properly trained incident response team is available both during and outside of business hours. Define timelines for action and a war room. Keep hardware and software tools up to date and ready for use anytime.
Question
Do you use a repeatable process for incident handling?
Quality criteria
You have an agreed upon incident classification |
The process considers Root Cause Analysis for high severity incidents |
Employees responsible for incident response are trained in this process |
Forensic analysis tooling is available |
Answers
No |
Yes, for some incident types |
Yes, for at least half of the incident types |
Yes, for most or all of the incident types |
Benefit
Efficient incident response independent of time, location, or type of incident
Activity
Establish a dedicated incident response team, continuously available and responsible for continuous process improvement with the help of regular RCAs. For distributed organizations, define and document logistics rules for all relevant locations if sensible.
Document detailed incident response procedures and keep them up to date. Automate procedures where appropriate. Keep all resources necessary for these procedures (e.g., separate communicating infrastructure or reliable external location) ready to use. Detect and correct unavailability of these resources in a timely manner.
Carry out incident and emergency exercises are regularly. Use the results for process improvement.
Define, gather, evaluate, and act upon metrics on the incident response process, including its continuous improvement.
Question
Do you have a dedicated incident response team available?
Quality criteria
The team performs Root Cause Analysis for all security incidents unless there is a specific reason not to do so |
You review and update the response process at least annually |
Answers
No |
Yes, some of the time |
Yes, at least half of the time |
Yes, most or all of the time |
Stream Guidance
- SAMM team guidance Google Doc
- Be the first to add to the Community guidance for this Stream!
Want to contribute?
Complete this Google Form with guidance for this Stream.
To learn more about Stream guidance for the SAMM model, see the Stream guidance page.