Educause Security Discussion mailing list archives

Security incident categories


From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Thu, 20 Feb 2020 19:59:53 +0000

ISO good list of security incident categories. I am looking for something that works for formal IR Plans and can 
establish helpful metrics, especially for leadership outside of infosec/IT.

I like the federal guidelines (https://www.us-cert.gov/government-users/reporting-requirements) but I don't think they 
cover some categories I think are important:

- Phishing attacks, especially BEC incidents with no technology compromise, just social engineering. Think gift card scams.

- Data breaches, especially those requiring formal notification (HIPAA, PCI, etc.). I think those types of incidents require their own category for tracking.

- Loss/theft of equipment. I've typically had to track these, especially when internal drives weren't encrypted. Not sure if this one is still relevant.

I'd be interested if anyone has anything better. I modified the fed categories a bit and came up with:


Category 0 - Test/Exercise

Used for any approved test or exercise, such as internal or external network penetration tests.



Category 1 - Data Theft

Any attempted or successful destruction, manipulation, or disclosure of sensitive, confidential or proprietary 
information. Includes any incident requiring breach notification or resulting in financial loss (Business Email 
Compromise - BEC). Does not include most typical phishing attacks/attempts (Category 5).



Category 2 - Denial of Service

An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or 
applications by exhausting resources. This activity includes being the victim or participating in the DoS.



Category 3 - Compromised technology asset

Any incident that results in the compromise of a technology asset: host, network device, account, service, etc. Includes 
malware-infected hosts and account compromise due to a successful credential-harvesting phishing attack.



Category 4 - Improper Usage

Any violation of acceptable computing use policies.



Category 5 - Phishing

An attempt to collect sensitive information via electronic communication, including email, social media accounts, 
SMS/text, phone call, etc. Does not include account takeovers after successful credential harvesting (Category 3) or



Category 6 - Investigation

Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant 
further review. This also includes any activities that do not have measurable impact - scans, probes or unsuccessful 
attempts at access.



Category 7 - Loss or Theft of Equipment

The loss or theft of a computing device or media storing sensitive information.


Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696
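The exclusion rules in the list above (phishing that ends in an account takeover is Category 3, a BEC loss is Category 1, anything unconfirmed is Category 6) only produce consistent metrics if every analyst applies them in the same order. The following is an added example, not code from the post or from Stevenson University, that encodes the eight categories and one assumed precedence order, derives the category from recorded facts, and rolls up counts for a leadership report; the `Incident` fields and the sample incidents are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Category numbers and names exactly as listed in the post.
CATEGORIES = {
    0: "Test/Exercise", 1: "Data Theft", 2: "Denial of Service",
    3: "Compromised technology asset", 4: "Improper Usage",
    5: "Phishing", 6: "Investigation", 7: "Loss or Theft of Equipment",
}

@dataclass
class Incident:
    """Facts an analyst records (assumed fields); the category is derived, never typed in."""
    ident: str
    approved_test: bool = False      # sanctioned pentest or exercise
    confirmed: bool = False          # False -> still under investigation
    data_disclosed: bool = False     # sensitive data destroyed, altered or disclosed
    financial_loss: bool = False     # e.g. a BEC gift-card scam
    dos: bool = False                # victim of, or participant in, a DoS
    asset_compromised: bool = False  # host, account, service or network device
    policy_violation: bool = False   # acceptable-use violation
    phishing_attempt: bool = False   # lure received or reported
    equipment_lost: bool = False     # device or media holding sensitive data

def categorize(i: Incident) -> int:
    """Apply the categories in the precedence their exclusions imply (assumed order)."""
    if i.approved_test:
        return 0
    if not i.confirmed:
        return 6                     # scans, probes, unreviewed reports
    if i.data_disclosed or i.financial_loss:
        return 1                     # breach-notification events and BEC losses
    if i.dos:
        return 2
    if i.asset_compromised:
        return 3                     # includes takeover after credential phishing
    if i.equipment_lost:
        return 7
    if i.policy_violation:
        return 4
    if i.phishing_attempt:
        return 5                     # phishing that led to no compromise or loss
    raise ValueError(f"{i.ident}: no category applies")

def metrics(incidents) -> dict:
    """Count per category name, including zeros, for reporting outside infosec."""
    counts = Counter(categorize(i) for i in incidents)
    return {CATEGORIES[c]: counts.get(c, 0) for c in CATEGORIES}

# Constructed sample incidents for the demo (not real events).
SAMPLE = [
    Incident("INC-1", approved_test=True, confirmed=True),
    Incident("INC-2", confirmed=True, phishing_attempt=True, financial_loss=True),
    Incident("INC-3", confirmed=True, phishing_attempt=True, asset_compromised=True),
    Incident("INC-4", confirmed=True, phishing_attempt=True),
    Incident("INC-5"),  # port scan still being reviewed
]
```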




