Coordinated Response
Services and tools for incident response management

Categorizing incidents helps define and describe the assigned mission for the incident response team and the scope of the response plan.

The table below depicts two dimensions of the response team’s scope of responsibility: incident categories represent the breadth of responsibility and incident types represent the granularity or depth of responsibility.

Incident Categories Incident Types
Compromised Asset
  • Data breach or other data compromise
  • Fraud
  • Compromised system
External Internet
  • Denial of Service (DoS) or Distributed DoS (DDoS)
  • Network probing / logical attack
  • E-mail spamming / phishing / social engineering
  • Threat intelligence
Malware
  • Malware including Trojans, worms, viruses, et al.
Equipment Loss
  • Loss of equipment or phone
  • Loss of credential
Internal / Personnel
  • Improper e-mail usage
  • Improper internet usage
  • System or network misuse
Information Security Services
  • Other incidents not categorized above
  • HR support for HR related issues
  • Other services as required

In addition to describing the response plan’s scope, categories recognize incidents with common characteristics and possibly shared actions. Employee incidents often require action from human resources. External incidents may require support from the Internet Service Provider (ISP) or a Managed Security Service Provider (MSSP).

The incident response plan may complement or extend an organization’s business continuity/disaster recovery plan – some incidents threaten business continuity. It must be determined how this fits in the scope of the response plan.

Defining the response plan scope in terms of incident categories and types helps identify holes in the plan, omitted incidents.