Defining threshold for cyber security breach

Critical
High
Normal
Low

The organization must define the threshold at which a security incident becomes a cyber security breach: for example, the concrete criteria (confirmed unauthorized access, confirmed loss or disclosure of confidential data, outage of a critical service) that move an event from routine incident handling into breach handling and trigger any notification obligations. Without a written threshold, each analyst declares breaches differently and reporting deadlines are easy to miss.

Connected other frameworks and requirements:
DE.AE-5: Incident alert thresholds
NIST CSF
6.2 (MIL1): Analyze Cybersecurity Events and Declare Incidents
C2M2

Defining cyber security metrics for cyber security breaches

Critical
High
Normal
Low

The organization has defined metrics related to cyber security incident management that can be monitored over time. Good metrics also reveal weaknesses in incident detection and handling, for instance when the gap between an incident occurring and its identification keeps growing.

Possible metrics include:

  • Number of security incidents and how many of them led to disruptions
  • Number of disruptions broken down by service, department, severity or type
  • Time from occurrence to identification, and time required for investigation and handling (for example mean time to detect and mean time to resolve)
  • Number of deviations from documented incident-handling practices
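How these metrics can be computed from incident records, as an added example that is not part of the original page. The record fields, the incident data and the 24-hour detection limit are constructed assumptions; an organization would feed in its own ticketing data.

```python
"""Incident-management metrics over a set of incident records.
Added example; field names, timestamps and thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    id: str
    service: str
    severity: str               # "critical" | "high" | "medium" | "low"
    occurred: datetime          # when the activity actually began (from investigation)
    identified: datetime        # when the organization detected it
    resolved: Optional[datetime]  # None while still open
    caused_disruption: bool
    followed_procedure: bool    # False = deviation from documented practice


# Constructed sample data, not real incidents
INCIDENTS = [
    Incident("INC-1", "webshop", "high", datetime(2024, 3, 1, 8, 0),
             datetime(2024, 3, 1, 9, 30), datetime(2024, 3, 1, 14, 0), True, True),
    Incident("INC-2", "mail", "low", datetime(2024, 3, 2, 10, 0),
             datetime(2024, 3, 2, 10, 5), datetime(2024, 3, 2, 11, 0), False, True),
    Incident("INC-3", "webshop", "critical", datetime(2024, 3, 3, 0, 0),
             datetime(2024, 3, 5, 0, 0), datetime(2024, 3, 6, 0, 0), True, False),
    Incident("INC-4", "vpn", "medium", datetime(2024, 3, 4, 12, 0),
             datetime(2024, 3, 4, 13, 0), None, False, True),
]


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def mean_time_to_detect(incidents) -> float:
    """Average hours between the incident starting and it being identified."""
    return mean(hours(i.identified - i.occurred) for i in incidents)


def mean_time_to_resolve(incidents) -> float:
    """Average hours from identification to resolution, closed incidents only."""
    closed = [i for i in incidents if i.resolved is not None]
    return mean(hours(i.resolved - i.identified) for i in closed)


def disruption_ratio(incidents) -> float:
    """Share of security incidents that turned into a disruption."""
    return sum(i.caused_disruption for i in incidents) / len(incidents)


def disruptions_by(incidents, key: str) -> Counter:
    """Disruption counts grouped by an Incident field, e.g. 'service' or 'severity'."""
    return Counter(getattr(i, key) for i in incidents if i.caused_disruption)


def deviations(incidents):
    """Incidents handled outside the documented practice."""
    return [i.id for i in incidents if not i.followed_procedure]


def detection_outliers(incidents, max_hours: float = 24.0):
    """Incidents that took longer than max_hours to identify: these are the
    cases that point at a weakness in detection, not just in response."""
    return [i.id for i in incidents if hours(i.identified - i.occurred) > max_hours]


if __name__ == "__main__":
    print("MTTD (h):", round(mean_time_to_detect(INCIDENTS), 2))
    print("MTTR (h):", round(mean_time_to_resolve(INCIDENTS), 2))
    print("disruption ratio:", disruption_ratio(INCIDENTS))
    print("disruptions by service:", dict(disruptions_by(INCIDENTS, "service")))
    print("deviations:", deviations(INCIDENTS))
    print("slow detections:", detection_outliers(INCIDENTS))
```

The outlier list is the part worth reviewing in each reporting period: a single incident that went unnoticed for two days (INC-3 in the sample) distorts the average and is exactly the detection gap the metric exists to surface.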
Connected other frameworks and requirements:
6.2 (MIL1): Analyze Cybersecurity Events and Declare Incidents
C2M2

Ensuring sorting of cyber security events

Critical
High
Normal
Low

The organization shall define procedures for clearly sorting (triaging) detected security events. Sorting must make it possible to prioritize events according to their severity and their potential impact on the business, so that the most harmful events are handled first rather than in order of arrival.

Sorting is intended to speed up the investigation and evaluation of security events so that, for example, the response to a disruption can be initiated quickly and a breach is recognized as soon as the defined threshold is met.

Procedures can consist of manual processes, technical tools (for example correlation rules and risk scoring in a SIEM) or classification based on machine learning. Procedures need to be reviewed regularly, including testing them against past events, to ensure that they still work and remain appropriate for the organization's needs.

Connected other frameworks and requirements:
DE.AE-2: Analyze detected events
NIST CSF
6.2 (MIL1): Analyze Cybersecurity Events and Declare Incidents
C2M2
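A worked example of both the sorting procedure described above and the breach threshold from the first task, added here and not taken from the original page. The severity and impact levels, the scoring matrix, the breach rule and the sample events are assumptions standing in for the values an organization would document itself.

```python
"""Triage of detected security events by severity and potential impact,
with a documented breach threshold. Added example; the weights, field
names, threshold rule and sample events are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Event:
    id: str
    description: str
    severity: Level                  # technical severity from the detection rule
    asset_criticality: Level         # business criticality of the affected asset
    confirmed_access: bool = False   # attacker access confirmed by an analyst
    data_exposed: bool = False       # confidential data read or exfiltrated
    service_down: bool = False       # affected service unavailable


def potential_impact(e: Event) -> Level:
    """Impact starts at asset criticality and is raised by confirmed consequences."""
    impact = int(e.asset_criticality)
    if e.data_exposed or e.service_down:
        impact = max(impact, int(Level.HIGH))
    if e.data_exposed and e.asset_criticality >= Level.HIGH:
        impact = int(Level.CRITICAL)
    return Level(impact)


def priority(e: Event) -> Level:
    """Severity x impact matrix (score 1..16) collapsed to a priority level."""
    score = int(e.severity) * int(potential_impact(e))
    if score >= 12:
        return Level.CRITICAL
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


def is_breach(e: Event) -> bool:
    """Assumed breach threshold: an incident becomes a breach when confidential
    data is known to be exposed, or when unauthorized access is confirmed on a
    high- or critical-criticality asset. Everything else stays an incident."""
    return e.data_exposed or (e.confirmed_access and e.asset_criticality >= Level.HIGH)


def triage(events):
    """Order the work queue: declared breaches first, then by priority,
    then by technical severity as a tie-breaker."""
    return sorted(events, key=lambda e: (is_breach(e), priority(e), e.severity), reverse=True)


# Constructed sample events, not real detections
EVENTS = [
    Event("E1", "user clicked phishing link, no credentials entered", Level.LOW, Level.LOW),
    Event("E2", "malware detected on workstation", Level.HIGH, Level.MEDIUM),
    Event("E3", "admin login to customer DB from unknown IP, confirmed",
          Level.HIGH, Level.CRITICAL, confirmed_access=True),
    Event("E4", "port scan against file server", Level.LOW, Level.HIGH),
    Event("E5", "DDoS, webshop unreachable", Level.MEDIUM, Level.HIGH, service_down=True),
]


if __name__ == "__main__":
    for e in triage(EVENTS):
        tag = "BREACH" if is_breach(e) else "incident"
        print(f"{e.id} {priority(e).name:8} {tag:8} {e.description}")
```

The breach rule is deliberately separate from the priority score: a high-priority event (E2, malware on a workstation) is not automatically a breach, and the regular review of the procedure should replay past incidents through both functions to confirm that declared breaches would still have crossed the threshold.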