- You have a defined person or role for incident handling
- You document security incidents
Description
The first step is to recognize the incident response competence as such, and define a responsible owner. Provide them the time and resources they need to keep up with current state of incident handling best practices and forensic tooling.
At this level of maturity, you may not have established a dedicated incident response team, but you have defined the participants of the process (usually different roles). Assign a single point of contact for the process, known to all relevant stakeholders. Ensure that the point of contact knows how to reach each participant, and define on-call responsibilities for those who have them.
When security incidents happen, document all actions taken. Protect this information from unauthorized access.
Endorsed Solutions for Mastering Incident Response
Become a Recommended Vendor for Incident Response! Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Incident Response? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!
Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.
- You have an agreed upon incident classification
- The process considers Root Case Analysis for high severity incidents
- Employees responsible for incident response are trained in this process
- Forensic analysis tooling is available
Description
Establish and document the formal security incident response process. Ensure documentation includes information like:
- most probable/common scenarios of security incidents and high-level instructions for handling them; for such scenarios, also use public knowledge about possibly relevant third-party incidents
- rules for triaging each incident
- rules for involvement of different stakeholders including senior management, Public Relations, Legal, privacy, Human Resources, external (law enforcement) authorities, and customers; specify mandatory timeframe to do so, if needed
- the process for performing root-cause analysis and documentation of its results
Ensure a knowledgeable and properly trained incident response team is available both during and outside of business hours. Define timelines for action and a war room. Keep hardware and software tools up to date and ready for use anytime.
Endorsed Solutions for Mastering Incident Response
Become a Recommended Vendor for Incident Response! Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Incident Response? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!
Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.
- The team performs Root Cause Analysis for all security incidents unless there is a specific reason not to do so
- You review and update the response process at least annually
Description
Establish a dedicated incident response team, continuously available and responsible for continuous process improvement with the help of regular RCAs. For distributed organizations, define and document logistics rules for all relevant locations if sensible.
Document detailed incident response procedures and keep them up to date. Automate procedures where appropriate. Keep all resources necessary for these procedures (e.g., separate communicating infrastructure or reliable external location) ready to use. Detect and correct unavailability of these resources in a timely manner.
Carry out incident and emergency exercises are regularly. Use the results for process improvement.
Define, gather, evaluate, and act upon metrics on the incident response process, including its continuous improvement.
Endorsed Solutions for Mastering Incident Response
Become a Recommended Vendor for Incident Response! Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Incident Response? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!
Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.