Establish and Maintain Security Incident Thresholds
Description
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Implementation Checklist
Tool Recommendations
SIEM platform with log management, threat detection, investigation, and compliance reporting across enterprise data sources
Cisco (Splunk) · Ingest-based or workload-based
Cloud-native SIEM and SOAR with AI-driven analytics, automated threat response, and native Azure/M365 integration
Microsoft · Pay-as-you-go (per GB ingested)
Security orchestration, automation, and response platform with playbook automation and case management
Palo Alto Networks · Enterprise subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Minor Security Event Treated as Major Incident
Availability: A routine security event such as a single failed login triggers a full incident response mobilization because no thresholds differentiate events from incidents, wasting resources and causing alert fatigue.
Actual Breach Treated as Routine Event
Confidentiality: A genuine data breach is classified as a routine security event and receives minimal investigation because no defined thresholds distinguish between events requiring standard handling and incidents requiring escalated response.
Inconsistent Incident Classification Across Teams
Integrity: Different analysts classify the same type of security occurrence differently because no standardized thresholds exist, leading to inconsistent response levels and unreliable incident metrics.
Vulnerabilities (When Safeguard Absent)
No Defined Thresholds Between Events and Incidents
Without established thresholds differentiating security events from incidents, the organization cannot consistently determine when to escalate, resulting in either over-reaction to minor events or under-reaction to actual breaches.
No Standardized Incident Classification Framework
Absence of defined thresholds for categories like abnormal activity, security vulnerability, data breach, and privacy incident means each occurrence is classified subjectively, producing inconsistent responses.
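One way to make such thresholds concrete, as an added example that is not part of the CIS safeguard text: a small classifier that applies one fixed threshold table to every observation, so a single failed login stays an event, a burst from one source becomes an incident, and a data breach is always an incident. The category names follow the Description above; the threshold values, time windows, Observation record and sample data are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int        # unix seconds (constructed)
    category: str  # category name from the safeguard description
    source: str    # originating IP, account or asset (constructed)


# Assumed thresholds: (occurrences, window_seconds) from one source before an
# event is promoted to an incident. A count of 1 means a single occurrence is
# already an incident (data breach, privacy incident). Values are illustrative.
THRESHOLDS = {
    "abnormal_activity": (5, 300),        # e.g. 5 failed logins in 5 minutes
    "security_weakness": (3, 86400),      # repeated weakness findings in a day
    "security_vulnerability": (3, 86400),
    "data_breach": (1, 0),
    "privacy_incident": (1, 0),
}


def classify(observations):
    """Label each observation 'event' or 'incident' using THRESHOLDS.

    The same table is applied to every observation, so different analysts
    (or tools) produce the same classification for the same occurrence.
    Unknown categories fall back to (1, 0): escalating is the safer failure.
    """
    recent = defaultdict(list)  # (category, source) -> timestamps in window
    labelled = []
    for obs in sorted(observations, key=lambda o: o.ts):
        count, window = THRESHOLDS.get(obs.category, (1, 0))
        key = (obs.category, obs.source)
        recent[key] = [t for t in recent[key] if obs.ts - t <= window]
        recent[key].append(obs.ts)
        label = "incident" if len(recent[key]) >= count else "event"
        labelled.append((obs, label))
    return labelled


# Constructed sample: one stray failed login, a burst of five from another
# source, then a single data-breach observation.
SAMPLE = [Observation(0, "abnormal_activity", "10.0.0.5")]
SAMPLE += [Observation(10 * i, "abnormal_activity", "10.0.0.7") for i in range(1, 6)]
SAMPLE.append(Observation(60, "data_breach", "file-server-01"))

if __name__ == "__main__":
    for obs, label in classify(SAMPLE):
        print(f"{obs.ts:>4}s {obs.category:<22} {obs.source:<15} -> {label}")
```

Only the fifth failed login from 10.0.0.7 and the data-breach observation are labelled incidents; the rest remain events handled through standard procedures.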
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Recovery plan documentation | Reviewed annually |
| Record | Recovery test results and lessons learned | Tested quarterly |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |