Join Mike Chapple for an in-depth discussion in this video Determining incident severity, part of CySA+ Cert Prep: 3 Cyber Incident Response.
- [Narrator] Large organizations experience dozens of security incidents every month, every week, or in some cases every day. In order to triage these incidents, we must assign severity levels that indicate the degree of risk to the organization. These severity levels help us prioritize our response. Every organization will need to develop its own severity rating system based upon the unique business needs of the organization and the types of information that it handles.
Even though specific ratings may vary, all of these systems should be based upon the nature and scope of every incident's possible impact. Do you remember the CIA triad that forms the basic core of the cybersecurity profession? This triad can also be used to help assess the scope of the security impact of an incident. First, consider the potential impact of the incident from a confidentiality perspective. How likely is it that the incident will allow unauthorized individuals to access sensitive information? If they can do so, what types of information might be involved? As we assess confidentiality impact, it's important to have a data classification system in place that provides a consistent framework for evaluating the importance and the sensitivity of information.
When you're creating this system, remember that corporate policy, laws, and regulations all play a role. Some of the information categories that you should watch out for include personally identifiable information, or PII. This is information that may compromise the privacy or identity of your employees, customers, or other individuals. You should also watch out for PHI, protected health information, which may be covered by HIPAA and other regulations.
Payment card information is regulated by the Payment Card Industry Data Security Standard and also merits special attention. Corporate confidential information should also be of concern to you. This includes intellectual property, accounting data, and information about mergers and acquisitions or any other corporate secrets. Integrity is the second leg of the CIA triad. It's also an important component of assessing the impact of a security incident. When you assess threats to data integrity, think specifically about the impact that unauthorized changes to information might have on your business.
For example, compromising the integrity of a bank's transaction records would have a much greater impact than compromising the integrity of its web server logs. Availability, the final leg of the CIA triad, can also play a role in assessing the impact of a security incident. If the incident causes or may cause system downtime, you'll need to consider the criticality of the business processes supported by that system. If there is significant downtime, the lack of availability may also have an economic impact on your organization.
Also, don't forget to take into account the recovery time needed to restore operations as you perform your assessment. As you engage in incident response, be sure to apply consistent criteria for determining incident severity. These criteria will help you apply an appropriate level of resources as you respond to the incident and help you prioritize the incidents that may have the greatest impact on your organization.
Want more CySA+ test prep tips? Visit certmike.com to join Mike's free study group.