Incident Classification Matrix

Level: beginner

Framework for classifying security incidents by type and severity to guide response priorities.

Time: 10-15 min | 4 steps | 6 checklist items

Summary

Decision tree and matrix to help responders classify incidents and determine appropriate escalation paths.

Step-by-Step Procedure

Step 1: Determine Incident Category

Classify the type of security incident.

Actions

  • Malware: Virus, ransomware, trojan, worm detected
  • Phishing: Fraudulent email attempting credential theft or malware delivery
  • Account Compromise: Unauthorized access to user or service account
  • Data Breach: Confirmed or suspected unauthorized data access
  • Denial of Service: Service availability impacted by attack
  • Insider Threat: Malicious or negligent insider activity
  • Vulnerability Exploitation: Active exploitation of a system vulnerability

Step 2: Assess Severity Level

Determine the severity based on impact and scope.

Actions

  • Critical (P1): Active data breach, ransomware, executive compromise
  • High (P2): Contained malware, single account compromise, active attack
  • Medium (P3): Blocked phishing, policy violation, suspicious activity
  • Low (P4): Security alerts requiring investigation, failed attacks

Step 3: Identify Data Sensitivity

Consider the sensitivity of the data that may be affected.

Actions

  • Regulated Data: PII, PHI, PCI cardholder data, GDPR-covered data
  • Confidential: Trade secrets, financial data, strategic plans
  • Internal: Business operations data, employee information
  • Public: Already publicly available information

Step 4: Determine Escalation Path

Based on the classification, determine who to involve.

Actions

  • P1: CISO, Legal, Executive team, potential law enforcement
  • P2: Security team lead, IT management, affected department heads
  • P3: Security analyst, IT operations, affected system owner
  • P4: Security team member for investigation
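As an added illustration that is not part of this playbook, the Python below encodes the four steps as a decision tree: the step-2 severity rules checked most severe first, the step-4 escalation table, and a classify() helper that produces the record the completion checklist asks for. The Incident field names and the P4 fallback for cases the playbook does not describe are this example's own assumptions.

```python
from dataclasses import dataclass

# Escalation contacts per priority, exactly as listed in step 4.
ESCALATION = {
    "P1": ["CISO", "Legal", "Executive team", "Law enforcement (potential)"],
    "P2": ["Security team lead", "IT management", "Affected department heads"],
    "P3": ["Security analyst", "IT operations", "Affected system owner"],
    "P4": ["Security team member"],
}

@dataclass
class Incident:
    """Facts recorded in steps 1 and 3, plus the qualifiers step 2 keys on.
    Field names are this example's own assumptions, not the playbook's."""
    category: str                 # step-1 category, e.g. "Malware"
    data_sensitivity: str         # step-3 class, e.g. "Regulated Data"
    active: bool = False          # attacker activity ongoing, not contained
    blocked: bool = False         # attempt failed or was stopped by controls
    ransomware: bool = False
    executive_involved: bool = False
    accounts_affected: int = 0

def assess_severity(inc: Incident) -> str:
    """Step-2 decision tree: rules are checked most severe first so the worst
    matching description wins. Unmatched cases drop to P4 ("alert requiring
    investigation"); that default is an assumption, the playbook states none."""
    if inc.category == "Data Breach" and inc.active:
        return "P1"          # active data breach
    if inc.category == "Malware" and inc.ransomware:
        return "P1"          # ransomware
    if inc.category == "Account Compromise" and inc.executive_involved:
        return "P1"          # executive compromise
    if inc.category == "Phishing" and inc.blocked:
        return "P3"          # blocked phishing
    if inc.blocked:
        return "P4"          # failed attack
    if inc.category == "Malware" and not inc.active:
        return "P2"          # contained malware
    if inc.category == "Account Compromise" and inc.accounts_affected == 1:
        return "P2"          # single account compromise
    if inc.active:
        return "P2"          # active attack
    return "P4"              # security alert requiring investigation

def classify(inc: Incident) -> dict:
    # Record for the completion checklist: category, severity, sensitivity, path.
    sev = assess_severity(inc)
    return {"category": inc.category, "severity": sev,
            "data_sensitivity": inc.data_sensitivity, "escalate_to": ESCALATION[sev]}
```

A constructed call such as classify(Incident("Malware", "Regulated Data", active=True, ransomware=True)) yields severity P1 and the P1 escalation list.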

Completion Checklist

  • Incident category identified
  • Severity level assigned
  • Data sensitivity assessed
  • Escalation path determined
  • Initial responders assigned
  • Communication channels established

Evidence to Collect

  • Classification documentation
  • Escalation notification records
  • Initial incident details

Related Playbooks

  • First Responder Checklist
  • Escalation Matrix