3. Analysis
Organisations conduct analysis, including forensic analysis, and determine the severity, impact and root cause of cyber incidents to drive appropriate and effective CIRR activities.
21. Cyber incident taxonomy. Organisations use (i) a pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and (ii) a pre-established severity assessment framework that takes into consideration criticality of systems or services to help gauge the severity of the cyber incident. For example, an organisation may rely on indicators such as volume and types of network traffic to identify a DDoS attack. In addition to any applicable statutory or regulatory classifications, these taxonomies help organisations to prioritise and direct attention and resources to more timely and effective mitigation, restoration and recovery activities. Using a taxonomy will help establish consistency in the understanding of incidents across various parties, as information is communicated with a common language. Severity levels are established to allow for immediate response to a cyber incident as the first hours and few days following an incident are the most critical. This approach allows the execution of CIRR activities even in the absence of complete understanding of the incident.
Box 3: Examples of CIRR taxonomies
Information used when describing cyber incidents
• Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action)