Please add these key fields to Security Incidents

Please add these key fields to Security Incidents. As it currently stands, the IR tracker is insufficient to capture the level of detail required to properly track incidents and report metrics.

Date Incident Occurred (Optional) - This isn’t usually known right away, but it is important to know the start date of an incident for things like credit card transactions, to know how many transactions were affected.

Date Incident Discovered (Optional) - This helps determine the lag time between when an incident occurred and when it was discovered.

Date Incident Reported (Required) - This is different from “Date Incident Reported”, as incidents are often reported to the InfoSec team hours to days after they are discovered due to confusion, uncertainty, or misinformation. Currently called “Open Date”, but that is not a good term.

Employee POC Name (Required) - Pull from LDAP? This info is important to know who on the company side should be contacted for further questions. Usually the data or process owner.

Employee POC Title (Optional)

Employee POC Phone (Optional)

Employee POC Email (Optional)

Affected Client POC Name (Optional) - This helps to know who to reach out to on the client side. Could be the person that reported the incident, the B2B liaison, or their security team.

Affected Client POC Title (Optional)

Affected Client POC Phone (Optional)

Affected Client POC Email (Optional)

Initial Incident Report (Required) - The field should contain early details and the initial report (e.g. the original email, alert message, etc.).

Incident Summary (Optional) - This should be a cumulative, updating summary of the incident so far. Going through comments to determine the current status of an incident is neither a good nor a normal practice.

Remediation/Mitigation Summary (Optional) - This is a summary of actions taken to remediate and/or mitigate the incident.

Lessons Learned (AAR) Summary (Optional) - This should be a post-incident summary of what was learned from the incident and what actions were taken. Would be cool to somehow link this to projects.

Phase (Required drop-down) - Reported, Investigating, Contained, Remediating, After Action Review (AAR), Closed. These phases will help others reviewing the incident know where the CERT team is.

Priority (Required) - Think severity level. Perhaps this could be derived from risk or assets value?

Incident Type (Required) - Suggested types. This helps determine what set of IR procedures will be used or where used.

  • Acceptable Use Policy (AUP) Violation
  • Data Breach
  • Denial of Service (DoS/DDoS)
  • Fraud
  • Lost/Stolen Device
  • Malware
  • Phishing
  • Scans / Probes / Attempted Access
  • Unauthorized Access - External
  • Unauthorized Access - Internal
  • Unknown
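To show what these fields make possible once they exist, here is an added example (not code from the tracker or from the original post) that models an incident record with the proposed required and optional fields, validates the incident type against the suggested list, enforces the listed phases, and computes the two metrics the request alludes to: the lag from occurrence to discovery and the lag from discovery to the report reaching InfoSec. The Python field names, the 1-to-4 priority scale, the forward-only phase rule and the sample records are all assumptions constructed for the illustration.

```python
"""Incident record built from the proposed fields, plus the lag metrics
those fields enable. Added illustration only: field names, validation
rules and the forward-only phase rule are assumptions, not the tracker's
own schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from statistics import mean
from typing import Iterable, Optional


class Phase(Enum):
    """Phases from the request, in the order they were listed."""
    REPORTED = "Reported"
    INVESTIGATING = "Investigating"
    CONTAINED = "Contained"
    REMEDIATING = "Remediating"
    AAR = "After Action Review (AAR)"
    CLOSED = "Closed"


# Suggested incident types from the request, used as a closed vocabulary.
INCIDENT_TYPES = frozenset({
    "Acceptable Use Policy (AUP) Violation", "Data Breach",
    "Denial of Service (DoS/DDoS)", "Fraud", "Lost/Stolen Device",
    "Malware", "Phishing", "Scans / Probes / Attempted Access",
    "Unauthorized Access - External", "Unauthorized Access - Internal",
    "Unknown",
})


@dataclass
class Incident:
    # Required fields
    date_reported: datetime
    employee_poc_name: str
    initial_report: str
    phase: Phase
    priority: int            # assumed scale: 1 (highest) .. 4 (lowest)
    incident_type: str
    # Optional fields
    date_occurred: Optional[datetime] = None
    date_discovered: Optional[datetime] = None
    incident_summary: str = ""
    remediation_summary: str = ""
    lessons_learned: str = ""

    def __post_init__(self) -> None:
        if self.incident_type not in INCIDENT_TYPES:
            raise ValueError(f"unknown incident type: {self.incident_type!r}")
        for name in ("employee_poc_name", "initial_report"):
            if not getattr(self, name).strip():
                raise ValueError(f"{name} is required")
        if not 1 <= self.priority <= 4:
            raise ValueError("priority must be 1..4")
        # Dates that are known must be chronological: occurred <= discovered <= reported.
        known = [d for d in (self.date_occurred, self.date_discovered, self.date_reported)
                 if d is not None]
        if known != sorted(known):
            raise ValueError("expected occurred <= discovered <= reported")

    def detection_lag(self) -> Optional[timedelta]:
        """Occurred -> discovered; None until the start date is known."""
        if self.date_occurred is None or self.date_discovered is None:
            return None
        return self.date_discovered - self.date_occurred

    def reporting_lag(self) -> Optional[timedelta]:
        """Discovered -> reported to InfoSec; None if the discovery date is unknown."""
        if self.date_discovered is None:
            return None
        return self.date_reported - self.date_discovered

    def advance(self, new_phase: Phase) -> None:
        """Move to a later phase; moving backwards is rejected (assumed rule)."""
        order = list(Phase)
        if order.index(new_phase) <= order.index(self.phase):
            raise ValueError(f"cannot move from {self.phase.value} to {new_phase.value}")
        self.phase = new_phase


def mean_lag_hours(incidents: Iterable[Incident], metric: str) -> Optional[float]:
    """Average detection_lag or reporting_lag in hours, ignoring records where it is unknown."""
    lags = [getattr(inc, metric)() for inc in incidents]
    lags = [lag for lag in lags if lag is not None]
    if not lags:
        return None
    return mean(lag.total_seconds() / 3600 for lag in lags)


# Constructed sample records for the demonstration (not real incidents).
SAMPLE = [
    Incident(
        date_reported=datetime(2024, 3, 5, 9, 0),
        employee_poc_name="Jane Doe (constructed)",
        initial_report="Forwarded suspicious email from the finance mailbox",
        phase=Phase.REPORTED, priority=2, incident_type="Phishing",
        date_occurred=datetime(2024, 3, 1, 8, 0),
        date_discovered=datetime(2024, 3, 4, 3, 0),
    ),
    Incident(
        date_reported=datetime(2024, 3, 10, 12, 0),
        employee_poc_name="John Roe (constructed)",
        initial_report="EDR alert: known malware signature on a workstation",
        phase=Phase.INVESTIGATING, priority=1, incident_type="Malware",
        date_discovered=datetime(2024, 3, 10, 11, 0),
    ),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.incident_type, inc.detection_lag(), inc.reporting_lag())
    print("mean reporting lag (h):", mean_lag_hours(SAMPLE, "reporting_lag"))
```

Keeping the three dates as separate fields is what makes the lag metrics computable at all; with only an "Open Date" neither number can be derived, which is the gap the request describes.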

Hello Dominic,

Have you looked at custom fields? That will let you add any field you need and use that data in reports and notifications.

Regards!
Esteban

Yup, I added those fields to my instance but I thought I’d share my feedback for consideration.