CMMC Practice IR.2.094
Analyze and triage events to support event resolution and incident declaration.
Bold Coast Security Guidance
Your Incident Response Team must designate an individual, or group of individuals, to triage incident reports defined in IR.2.093. Often an Incident Team Leader or incident coordinator is assigned this job.
To assist the Team Leader/Coordinator, review NIST documentation for categorizing incidents as Informational, Low, Medium, or High. A typical table includes three different variables to consider:
• Functional impact: how are services affected? Is a single user unable to work today, or are critical services offline?
• Informational impact: what kind of data is involved? Is it public data, or CUI?
• Recoverability effort: will the organization be able to respond and recover with existing resources, or is recovery simply not possible due to the data being already exfiltrated?
A high in any one of those variables would make the incident a high (they are "or" not "and" statements) resulting in predefined actions being taken, such as notifying the Incident Team, start tracking response efforts, and having the first Incident Response Team meeting, and developing an action plan.
Each level may also have a time frame attached to it for responding to the incident, such as initiating the first meeting within one hour for a high level incident, and Informational may have no response time, but simply require the incident to be logged and closed.
CERT RMM V1.2
The triage of event reports is an analysis activity that helps the organization to gather additional information for event resolution and to assist in incident declaration, handling, and response. Triage consists of categorizing, correlating, prioritizing, and analyzing events. Through triage, the organization determines the type and extent of an event (e.g., physical versus technical), whether the event correlates to other events (to determine if they are symptomatic of a larger issue, problem, or incident), and in what order events should be
addressed or assigned for incident declaration, handling, and response.Triage also helps the organization to determine if the event needs to be escalated to other organizational or external staff (outside of the incident management staff) for additional analysis and resolution.
Some events will never proceed to incident declaration; the organization determines these events to be inconsequential. For events that the organization deems as low priority or of low impact or consequence, the triage process results in closure of the event and no further actions are performed.
Events that exit the triage process warranting additional attention may be referred to additional analysis processes for resolution or declared as an incident and subsequently referred to incident response processes for resolution. These events may be declared as incidents during triage, through further event analysis, through the application of incident declaration criteria, or during the development of response strategies, depending on the organization’s incident criteria, the nature and timing of the event(s), and the consequences of the event that the organization is currently experiencing or that is imminent.