To effectively manage and resolve security incidents, organizations must establish a centralized system for tracking and monitoring incidents throughout their lifecycle. This system should provide visibility into the status and progress of each incident, facilitate collaboration among incident response team members, and generate metrics and reports to support continuous improvement efforts.
What does an incident tracking system look like?
Centralized repository for all incident tickets, accessible by authorized personnel.
Unique identifier for each incident ticket, to facilitate tracking and referencing.
Fields for capturing relevant incident details, such as description, date and time reported, severity, priority, and assigned personnel.
Workflow capabilities to support the incident response process, such as status updates, assignments, and notifications.
Integration with other security tools and systems, such as SIEM and EDR, to enable automated data correlation and analysis.
Reporting and analytics capabilities to generate metrics and insights on incident trends, response times, and performance against SLAs.
Incident Tracking Process
As soon as a valid security incident is identified and reported, an incident ticket is created in the centralized tracking system.
The incident ticket is assigned to the appropriate incident response team member or group, based on the nature and severity of the incident.
The assigned personnel investigate the incident, document their findings and actions in the incident ticket, and update the ticket status as the incident progresses.
The incident response team communicates with relevant stakeholders, such as the reporter and affected business units, throughout the incident lifecycle, and documents these communications in the incident ticket.
Once the incident is resolved, the incident ticket is closed and a post-incident review is conducted to identify lessons learned and opportunities for improvement.
The incident data is retained in the tracking system for future reference and analysis, in accordance with the organization's data retention policies and regulatory requirements.
Incident Severity Classification
In the tracking system, incidents should be classified based on their severity and potential impact on the company's operations, reputation, or legal/regulatory standing, as follows:
Severity 1 (Critical): Incidents that pose an immediate threat to the confidentiality, integrity, or availability of critical systems or data.
Severity 2 (High): Incidents that pose a significant risk to the confidentiality, integrity, or availability of sensitive systems or data.
Severity 3 (Medium): Incidents that pose a moderate risk to the confidentiality, integrity, or availability of internal systems or data.
Severity 4 (Low): Incidents that pose a low risk to the confidentiality, integrity, or availability of non-critical systems or data.
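To make the ticket fields, workflow, severity levels and reporting described above concrete, here is a small tracker written as an added example for this page; it is not code from the document or from any particular ticketing product. The ticket ID format (INC-00001), the status names, the workflow transitions and the per-severity resolution targets in SLA_RESOLVE_HOURS are assumptions chosen for the example, since the text names no specific values; the sample incidents in demo() are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from itertools import count
from statistics import mean
from typing import Optional

# Assumed resolution targets in hours per severity level (the page states none).
SLA_RESOLVE_HOURS = {1: 4, 2: 24, 3: 72, 4: 168}

# Allowed workflow transitions; anything else is rejected so the audit trail stays consistent.
TRANSITIONS = {
    "new": {"assigned"},
    "assigned": {"investigating"},
    "investigating": {"resolved"},
    "resolved": {"closed"},
}


@dataclass
class Incident:
    ticket_id: str
    description: str
    reported_at: datetime
    severity: int              # 1 (Critical) .. 4 (Low)
    priority: str
    reporter: str
    assignee: Optional[str] = None
    status: str = "new"
    resolved_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None
    lessons_learned: Optional[str] = None
    # Audit trail: every status change, finding and stakeholder communication.
    history: list = field(default_factory=list)

    def record(self, at: datetime, actor: str, event: str) -> None:
        self.history.append((at, actor, event))


class IncidentTracker:
    def __init__(self, prefix: str = "INC"):
        self._prefix = prefix
        self._seq = count(1)                 # source of unique ticket identifiers
        self.tickets: dict = {}

    def open(self, description, severity, priority, reporter, at) -> Incident:
        if severity not in SLA_RESOLVE_HOURS:
            raise ValueError(f"severity must be 1-4, got {severity}")
        ticket_id = f"{self._prefix}-{next(self._seq):05d}"
        inc = Incident(ticket_id, description, at, severity, priority, reporter)
        inc.record(at, reporter, "ticket opened")
        self.tickets[ticket_id] = inc
        return inc

    def _transition(self, inc: Incident, new_status: str, actor: str, at: datetime) -> None:
        if new_status not in TRANSITIONS.get(inc.status, set()):
            raise ValueError(f"{inc.ticket_id}: cannot move from {inc.status} to {new_status}")
        inc.status = new_status
        inc.record(at, actor, f"status -> {new_status}")

    def assign(self, ticket_id, assignee, actor, at) -> None:
        inc = self.tickets[ticket_id]
        inc.assignee = assignee
        self._transition(inc, "assigned", actor, at)

    def start_investigation(self, ticket_id, at) -> None:
        inc = self.tickets[ticket_id]
        self._transition(inc, "investigating", inc.assignee, at)

    def add_note(self, ticket_id, actor, note, at) -> None:
        self.tickets[ticket_id].record(at, actor, note)

    def resolve(self, ticket_id, at) -> None:
        inc = self.tickets[ticket_id]
        self._transition(inc, "resolved", inc.assignee, at)
        inc.resolved_at = at

    def close(self, ticket_id, lessons_learned, actor, at) -> None:
        inc = self.tickets[ticket_id]
        self._transition(inc, "closed", actor, at)
        inc.closed_at = at
        inc.lessons_learned = lessons_learned   # output of the post-incident review

    def sla_breached(self, inc: Incident, now: datetime) -> bool:
        end = inc.resolved_at or now            # unresolved tickets are measured against "now"
        return end - inc.reported_at > timedelta(hours=SLA_RESOLVE_HOURS[inc.severity])

    def metrics(self, now: datetime) -> dict:
        open_ = [i for i in self.tickets.values() if i.status != "closed"]
        resolved = [i for i in self.tickets.values() if i.resolved_at]
        ttr = [(i.resolved_at - i.reported_at).total_seconds() / 3600 for i in resolved]
        return {
            "open": len(open_),
            "open_by_severity": {s: sum(1 for i in open_ if i.severity == s) for s in SLA_RESOLVE_HOURS},
            "mean_hours_to_resolve": round(mean(ttr), 2) if ttr else None,
            "sla_breaches": [i.ticket_id for i in self.tickets.values() if self.sla_breached(i, now)],
        }


def demo():
    # Constructed sample incidents; times are relative to an arbitrary start.
    t = IncidentTracker()
    t0 = datetime(2024, 1, 15, 9, 0)
    a = t.open("Ransomware note found on file server", 1, "P1", "helpdesk", t0)
    t.assign(a.ticket_id, "ir-oncall", "ir-lead", t0 + timedelta(minutes=10))
    t.start_investigation(a.ticket_id, t0 + timedelta(minutes=20))
    t.add_note(a.ticket_id, "ir-oncall", "Host isolated; finance unit notified", t0 + timedelta(hours=1))
    t.resolve(a.ticket_id, t0 + timedelta(hours=3))
    t.close(a.ticket_id, "Backup restore exceeded runbook estimate", "ir-lead", t0 + timedelta(days=2))
    b = t.open("Phishing email reported by employee", 3, "P3", "employee", t0 + timedelta(hours=2))
    t.assign(b.ticket_id, "analyst-2", "ir-lead", t0 + timedelta(hours=2, minutes=30))
    return t, t.metrics(now=t0 + timedelta(days=5))
```

The two points worth noting are the transition table, which prevents a ticket from being closed without passing through resolution and therefore without a post-incident review entry, and the SLA check, which counts still-open tickets against the clock rather than only the ones already resolved; in the sample data the Severity 3 phishing ticket is still open after five days and shows up as a breach.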