Incident Management Capability Metrics Version 0.1

Successful management of incidents that threaten an organizations computer security is a complex endeavor. Frequently an organizations primary focus on the response aspects of security incidents results in its failure to manage incidents beyond simply reacting to threatening events. The metrics presented in this document are intended to provide a baseline or benchmark of incident management practices. The incident management functions—provided in a series of questions and indicators—define the actual benchmark. The questions explore different aspects of incident management activities for protecting, defending, and sustaining an organizations computing environment in addition to conducting appropriate response actions. This benchmark can be used by an organization to assess how its current incident management capability is defined, managed, measured, and improved. This will help assure the system owners, data owners, and operators that their incident management services are being delivered with a high standard of quality and success, and within acceptable levels of risk.