
5. RESPOND.md


NIST-CYBERSECURITY-FRAMEWORK-V2.0 (CSF 2.0)

Reference guide for planning an organization's risk management.

TABLE DESCRIPTION:


    • ID:
      This column contains the ID of the category being described and its connection with that particular function. e.g. Function: 'RS' points to the category "MA (Incident Management)", leading to the ID of that category being "RS.MA".

    • CATEGORY:
      This column describes the key focus of the organization in that particular category. e.g. For the category 'RS.MA', "Incident Management" is the key area of focus.

    • METHODOLOGY:
      Describes the methods and considerations the organization should apply when carrying out its risk assessment pertinent to the category being considered. e.g. RS.MA describes the execution of the response plan.

    • SUB CATEGORY ID:
      Lists the various sub-categories related to that specific category. e.g. RS.MA (category) --> RS.MA-1, RS.MA-2, RS.MA-3, RS.MA-4, RS.MA-5 (sub-categories).

    • SUB CATEGORY DESCRIPTION:
      This column describes each sub-category 'ID' e.g. RS.MA-1 has its own description, which is different from RS.MA-2.

    • SUB CATEGORY MODIFICATIONS:
      This column contains the sub-categories that were "WITHDRAWN", the sub-categories that were "NEWLY ADDED OR INTRODUCED", and where the withdrawn sub-categories were "MOVED TO".



  • Respond


    The Respond function guides the active steps that need to be taken when a cybersecurity incident is detected.

    Listed below are the various sub-categories of the "Respond Function", for use in planning your organization's risk assessment for its critical infrastructure.


    ENTIRE CATEGORY WITH ITS SUB-CATEGORIES WITHDRAWN AND NEW SUB-CATEGORIES INCORPORATED INTO:

    CATEGORY WITHDRAWN AND INCORPORATED INTO A NEW CATEGORY:

    RS.RP-->RS.MA, RS.IM-->ID.IM.

    ITS SUBCATEGORIES:

    RS.RP:  RS.RP-1.
    RS.IM:  RS.IM-1,RS.IM-2.

    SUBCATEGORIES NOW INCORPORATED INTO:

    RS.RP:
    (RS.RP-1)-->(RS.MA-1).
    RS.IM:
    (RS.IM-1)-->(ID.IM-3 & ID.IM-4),(RS.IM-2)-->(ID.IM-3).
    RS.AN:
    (RS.AN-1)-->(RS.MA-2),(RS.AN-2)-->(RS.MA-2,RS.MA-3,RS.MA-4), (RS.AN-4)-->(RS.MA-3), (RS.AN-5)-->(ID.RA-8).
    RS.CO:
    (RS.CO-1)-->(PR.AT-1), (RS.CO-4)-->(RS.MA-1 & RS.MA-4), (RS.CO-5)-->(RS.CO-3).
    RS.MI:
    (RS.MI-3)-->(ID.RA-6).

    ID | CATEGORY | METHODOLOGY | SUB CATEGORY ID | SUB CATEGORY DESCRIPTION | SUB CATEGORY MODIFICATIONS

    ID: RS.MA

    CATEGORY: Incident Management.

    METHODOLOGY: Managing Detected Anomalies:

    The responses to detected cybersecurity incidents are managed.

    SUB CATEGORY ID: RS.MA-1, RS.MA-2, RS.MA-3, RS.MA-4, RS.MA-5.

    SUB CATEGORY DESCRIPTION:

    RS.MA-1:

    The incident response plan is executed, and also coordinated with relevant third parties, once an incident is declared.

    RS.MA-2:

    All reports pertaining to the incident are triaged and validated.

    RS.MA-3:

    All incidents are categorised and prioritised.

    RS.MA-4:

    All incidents are escalated or elevated as necessary.

    RS.MA-5:

    The criteria for initiating incident recovery are applied.

    SUB CATEGORY MODIFICATIONS:

    WITHDRAWN
    (N/A).

    NEWLY ADDED
    (N/A).

    MOVED TO
    (N/A).


    ID: RS.AN

    CATEGORY: Incident Analysis.

    METHODOLOGY: Investigations Are Conducted:

    Investigations are to be carried out to ensure effective response and to support forensics and recovery activities.

    SUB CATEGORY ID: RS.AN-3, RS.AN-6, RS.AN-7, RS.AN-8.

    SUB CATEGORY DESCRIPTION:

    RS.AN-3:

    Analysis is carried out to establish what has taken place during an incident and the root cause of the incident.

    RS.AN-6:

    Actions performed during the investigation are to be recorded, and the integrity of the record and every proven fact are to be preserved.

    RS.AN-7:

    Incident data and metadata are to be collected, and their integrity and every proven fact are to be preserved.

    RS.AN-8:

    The magnitude of an incident that has occurred is to be estimated and validated.

    SUB CATEGORY MODIFICATIONS:

    WITHDRAWN
    RS.AN-1, RS.AN-2, RS.AN-4.

    NEWLY ADDED
    RS.AN-6, RS.AN-7, RS.AN-8.

    MOVED TO
    See "SUBCATEGORIES NOW INCORPORATED INTO" at the top of the page.


    ID: RS.CO

    CATEGORY: Incident Response Reporting And Communications.

    METHODOLOGY: Coordinating Response Activity:

    All response activities are coordinated with both internal and external stakeholders, as mandated by laws, regulations, or policies.

    SUB CATEGORY ID: RS.CO-2, RS.CO-3.

    SUB CATEGORY DESCRIPTION:

    RS.CO-2:

    Internal and external stakeholders are to be informed of incidents.

    RS.CO-3:

    Information is to be shared with the appropriate internal and external stakeholders.

    SUB CATEGORY MODIFICATIONS:

    WITHDRAWN
    RS.CO-1, RS.CO-4, RS.CO-5

    NEWLY ADDED
    (N/A)

    MOVED TO
    See "SUBCATEGORIES NOW INCORPORATED INTO" at the top of the page.


    ID: RS.MI

    CATEGORY: Incident Mitigation.

    METHODOLOGY: Steps Taken To Remediate and Eradicate:

    Response activities are carried out to curb the expansion of an incident and mitigate its effects.

    SUB CATEGORY ID: RS.MI-1, RS.MI-2.

    SUB CATEGORY DESCRIPTION:

    RS.MI-1:

    Incidents are contained in a proper manner.

    RS.MI-2:

    Incidents are mitigated (eradicated).

    SUB CATEGORY MODIFICATIONS:

    WITHDRAWN
    RS.MI-3

    NEWLY ADDED
    (N/A)

    MOVED TO
    ID.RA-6