T8.2.3 - INCIDENT CLASSIFICATION Implementation Guidance
The entity shall assess and classify information security incidents.
Classification and prioritization of incidents help to establish the impact and extent of an incident. A designated point of contact should assess each information security event against the agreed information security event and incident classification scale and decide whether the event should be classified as an information security incident.
Where the entity has a CSIRT, the assessment and decision can be forwarded to the CSIRT for confirmation or reassessment. The results of the assessment and the decision should be recorded in detail for future reference and verification.
An attack is classified as an incident if it is directed against information assets, has a realistic chance of success and threatens the confidentiality, integrity or availability of information resources and assets.
An indication of an incident can be one or more of the following:
- Dormant or inactive accounts that start accessing system resources, querying servers or engaging in other activities
- Modification of logs where the system administrator cannot explicitly identify the authorized individual who modified them
- Presence of hacking tools on systems
- Notification by a partner or peer
- Notification by the attacker
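As an added illustration (not part of the standard's text), the following Python script shows how the first two indicators above can be checked mechanically over a log feed and how the result can be turned into the recorded assessment the guidance asks for. The log format, the sample log lines, the directory export of last-activity dates, the 90-day dormancy threshold, the approved change tickets and the three-level severity scale are all constructed assumptions; the entity's own agreed classification scale should replace them.

```python
from datetime import datetime, timedelta

# Assumed dormancy threshold (the guidance does not define one).
DORMANCY_DAYS = 90

# Constructed sample: last observed activity per account, as a directory
# export would provide it. Not data from any real system.
LAST_ACTIVITY = {
    "alice": datetime(2024, 5, 20),
    "svc_backup": datetime(2023, 11, 2),   # dormant for months
    "j.smith": datetime(2023, 9, 15),      # dormant for months
}

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOG = """\
2024-05-21T08:02:11Z host=fs01 user=alice action=login result=success
2024-05-21T09:14:03Z host=db02 user=svc_backup action=query target=customers result=success
2024-05-21T09:20:45Z host=fs01 user=j.smith action=login result=success
2024-05-21T09:22:10Z host=fs01 user=root action=modify_log file=/var/log/auth.log change_ticket=-
2024-05-21T10:00:00Z host=fs01 user=root action=modify_log file=/var/log/syslog change_ticket=CHG-4411
"""

# Constructed: change tickets that authorise a log modification.
APPROVED_CHANGES = {"CHG-4411"}

# Assumed severity scale for the two indicator types.
SEVERITY = {"unattributed_log_modification": "high", "dormant_account_active": "medium"}
RANK = {"low": 0, "medium": 1, "high": 2}


def parse_line(line):
    """Parse 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_indicators(log_text, last_activity, approved_changes, dormancy_days=DORMANCY_DAYS):
    """Return indicator records for dormant-account activity and unattributed log edits."""
    indicators = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev.get("user")
        # Indicator 1: an account that has been inactive longer than the threshold
        # suddenly logs in or queries a server.
        if ev.get("action") in ("login", "query") and user in last_activity:
            gap = ev["ts"] - last_activity[user]
            if gap >= timedelta(days=dormancy_days):
                indicators.append({"indicator": "dormant_account_active", "user": user,
                                   "host": ev["host"], "ts": ev["ts"], "dormant_days": gap.days})
        # Indicator 2: a log file was modified without an approved change ticket,
        # so no authorised individual can be attributed to the modification.
        if ev.get("action") == "modify_log" and ev.get("change_ticket", "-") not in approved_changes:
            indicators.append({"indicator": "unattributed_log_modification", "user": user,
                               "host": ev["host"], "file": ev["file"], "ts": ev["ts"]})
    return indicators


def assess(indicators, assessor):
    """Point-of-contact decision record: 'incident' if any indicator is present, else 'event'.

    The record keeps every indicator and the rationale so the decision can be
    forwarded to a CSIRT for confirmation and verified later.
    """
    record = {"assessed_by": assessor, "assessed_at": datetime.now().isoformat(timespec="seconds"),
              "indicators": indicators}
    if not indicators:
        record.update(decision="event", severity="low",
                      rationale="no incident indicator matched; retained as an event")
        return record
    worst = max(indicators, key=lambda i: RANK[SEVERITY[i["indicator"]]])
    record.update(decision="incident", severity=SEVERITY[worst["indicator"]],
                  rationale=f"{len(indicators)} indicator(s); highest severity from "
                            f"{worst['indicator']} by {worst['user']} on {worst['host']}")
    return record


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG, LAST_ACTIVITY, APPROVED_CHANGES)
    for ind in found:
        print(ind)
    print(assess(found, assessor="poc@example.invalid"))
```

On the constructed input the script flags the two dormant accounts and the unattributed edit of /var/log/auth.log, while alice's login and the ticketed edit of /var/log/syslog pass; the record is classified as an incident at the highest matched severity. Whether a flagged item meets the three criteria above (directed at information assets, realistic chance of success, threat to confidentiality, integrity or availability) still needs human confirmation, which is why the record is kept rather than acted on automatically.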