SAMM Compliance and Maturity Model

SAMMY UI is optimized for resolutions with a width 1024px and higher.

Incident Detection Incident Response

Maturity Level 1

Maturity Level 2

Maturity Level 3

Create an incident response plan

Do you respond to detected incidents?

You have a defined person or role for incident handling
You document security incidents

Description

The first step is to recognize the incident response competence as such, and define a responsible owner. Provide them the time and resources they need to keep up with current state of incident handling best practices and forensic tooling.

At this level of maturity, you may not have established a dedicated incident response team, but you have defined the participants of the process (usually different roles). Assign a single point of contact for the process, known to all relevant stakeholders. Ensure that the point of contact knows how to reach each participant, and define on-call responsibilities for those who have them.

When security incidents happen, document all actions taken. Protect this information from unauthorized access.

OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading, please wait.

Community guidance

This guidance is based on the approved community submissions.

Loading, please wait.

Define and incident response process

Do you use a repeatable process for incident handling?

You have an agreed upon incident classification
The process considers Root Case Analysis for high severity incidents
Employees responsible for incident response are trained in this process
Forensic analysis tooling is available

Description

Establish and document the formal security incident response process. Ensure documentation includes information like:

most probable/common scenarios of security incidents and high-level instructions for handling them; for such scenarios, also use public knowledge about possibly relevant third-party incidents
rules for triaging each incident
rules for involvement of different stakeholders including senior management, Public Relations, Legal, privacy, Human Resources, external (law enforcement) authorities, and customers; specify mandatory timeframe to do so, if needed
the process for performing root-cause analysis and documentation of its results

Ensure a knowledgeable and properly trained incident response team is available both during and outside of business hours. Define timelines for action and a war room. Keep hardware and software tools up to date and ready for use anytime.

OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading, please wait.

Community guidance

This guidance is based on the approved community submissions.

Loading, please wait.

Establish an incident response team

Do you have a dedicated incident response team available?

The team performs Root Cause Analysis for all security incidents unless there is a specific reason not to do so
You review and update the response process at least annually

Description

Establish a dedicated incident response team, continuously available and responsible for continuous process improvement with the help of regular RCAs. For distributed organizations, define and document logistics rules for all relevant locations if sensible.

Document detailed incident response procedures and keep them up to date. Automate procedures where appropriate. Keep all resources necessary for these procedures (e.g., separate communicating infrastructure or reliable external location) ready to use. Detect and correct unavailability of these resources in a timely manner.

Carry out incident and emergency exercises are regularly. Use the results for process improvement.

Define, gather, evaluate, and act upon metrics on the incident response process, including its continuous improvement.

OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading, please wait.

Community guidance

This guidance is based on the approved community submissions.

Loading, please wait.

Open CRE

Loading, please wait.