📖 What is Incident Identification?
Incident Identification is the initial phase of the incident response lifecycle, involving the detection and verification of potential security events. This process determines whether an event constitutes a security incident requiring further investigation and response based on established criteria and thresholds.
"A critical distinction is between an 'event' and an 'incident.' All incidents are events, but not all events are incidents. Exam questions will test your ability to apply incident criteria (e.g., impact, severity) to determine if escalation is necessary."
📚 Certification: Certified Information Security Manager (CISM)
🔑 What are the Key Concepts of Incident Identification?
- Distinguishing between security events and security incidents is crucial; an incident requires a response, while an event may not.
- Incident identification relies on various sources: SIEM alerts, intrusion detection systems, log analysis, and user reports.
- Defined incident criteria (impact, severity, data sensitivity) are essential for consistent and accurate identification.
- Proper documentation of the identification process, including timestamps and initial observations, is vital for forensics and reporting.
- False positives are common; effective identification includes verification to avoid wasting resources on non-incidents.
🎯 How does Incident Identification appear on the CISM Exam?
You may be asked to analyze a series of log entries and determine which events qualify as security incidents based on predefined organizational policies and impact levels.
A scenario might describe a network anomaly detected by an IDS. Expect questions about the next steps to verify whether this anomaly represents a genuine incident.
Questions may also cover the roles and responsibilities involved in the initial incident identification phase, such as the security operations center (SOC) analyst’s duties.
❓ Frequently Asked Questions
What’s the impact of poorly defined incident criteria?
Vague criteria lead to inconsistent identification: critical incidents may be missed, or time may be wasted on false alarms. Both outcomes hinder effective response and increase risk.
How does incident identification relate to threat intelligence?
Threat intelligence can enhance identification by providing context about known attack patterns and indicators of compromise, helping to prioritize and verify potential incidents.
What are common pitfalls in verifying an incident?
Relying solely on automated alerts without manual verification is a common mistake. Always corroborate findings with multiple sources and consider the broader context.