The estimated impact and scope of adverse events are understood
When an adverse event is confirmed, the first analytical question is not 'how did this happen' but 'how bad is this?' Understanding scope and impact informs every subsequent decision: whether to escalate, whether to invoke the incident response plan, whether to notify customers or regulators, and which response actions to prioritize. Organizations that skip this assessment either under-respond to serious incidents or over-respond to minor ones.
Implementation steps
1. Define an impact classification framework for security events
Create a classification system that maps security event characteristics to impact levels: what data was potentially exposed (public vs. confidential vs. regulated), how many users or systems are affected, whether the event affects revenue-generating services, and whether it has compliance implications. Define at least three severity tiers (low, medium, high/critical) with clear criteria for each. This framework lets responders make consistent impact assessments under pressure.
Tools: Confluence, Notion
2. Include scope assessment as a required step in incident response
Add scope determination as an explicit step in your incident response playbooks: before moving to containment, responders must document which systems are affected, which data was potentially accessed or exfiltrated, the time window of the event, and what the attacker's potential level of access was. This documentation prevents scope creep later and ensures that response actions address the full extent of the compromise.
Tools: Jira, PagerDuty, Palo Alto Cortex XSOAR
3. Build tooling to accelerate scope determination
When a system is identified as compromised, analysts need to quickly determine what else may be affected. Use your SIEM to search for lateral movement indicators from the compromised host, review authentication logs for credential reuse, and check network flow data for unusual communications. Automate the initial scope query so that the first 15 minutes of an investigation surface the most likely blast radius automatically.
Tools: Splunk, Microsoft Sentinel, CrowdStrike, Elastic
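The three steps above fit together as one small workflow: a severity matrix (step 1), a scope record with the fields responders must fill in before containment (step 2), and an automated first-pass blast-radius sweep over authentication and flow data (step 3). The Python below is an added illustration written for this page, not code from any of the tools named; the tier weights, the event field names, the asset inventory and the log events are all constructed assumptions, and a real deployment would replace the in-memory lists with SIEM queries.

```python
from dataclasses import dataclass, field
from enum import Enum


class Severity(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high/critical"


# Step 1: the characteristics the framework names, with assumed weights.
DATA_WEIGHT = {"public": 0, "confidential": 1, "regulated": 2}


def classify_impact(data_class: str, affected_users: int,
                    revenue_service: bool, compliance_impact: bool) -> Severity:
    """Map event characteristics to one of three severity tiers (assumed thresholds)."""
    score = DATA_WEIGHT[data_class]
    if affected_users >= 1000:
        score += 2
    elif affected_users >= 50:
        score += 1
    score += int(revenue_service) + int(compliance_impact)
    if score >= 4:
        return Severity.HIGH
    if score >= 2:
        return Severity.MEDIUM
    return Severity.LOW


@dataclass
class ScopeRecord:
    """Step 2: what must be documented before containment begins."""
    origin_host: str
    affected_hosts: set = field(default_factory=set)
    credentials_involved: set = field(default_factory=set)
    window: tuple = ("", "")          # (first, last) timestamp of flagged activity
    evidence: list = field(default_factory=list)


def initial_scope(origin_host, auth_events, flow_events, known_peers):
    """Step 3: first-pass blast radius from lateral logins, credential reuse, unusual flows."""
    rec = ScopeRecord(origin_host=origin_host)
    rec.affected_hosts.add(origin_host)
    times = []
    # Lateral movement: successful logins whose source is the compromised host.
    for e in auth_events:
        if e["src"] == origin_host and e["result"] == "success":
            rec.affected_hosts.add(e["dst"])
            rec.credentials_involved.add(e["user"])
            rec.evidence.append(f"lateral login {e['user']} {e['src']}->{e['dst']} {e['ts']}")
            times.append(e["ts"])
    # Credential reuse: the same accounts succeeding from any other source host.
    for e in auth_events:
        if (e["user"] in rec.credentials_involved and e["src"] != origin_host
                and e["result"] == "success"):
            rec.affected_hosts.update({e["src"], e["dst"]})
            rec.evidence.append(f"credential reuse {e['user']} {e['src']}->{e['dst']} {e['ts']}")
            times.append(e["ts"])
    # Network flows from the compromised host to peers it does not normally talk to.
    for f in flow_events:
        if f["src"] == origin_host and f["dst"] not in known_peers.get(origin_host, set()):
            rec.affected_hosts.add(f["dst"])
            rec.evidence.append(f"unusual flow {f['src']}->{f['dst']}:{f['dport']} {f['ts']}")
            times.append(f["ts"])
    if times:  # ISO-8601 strings sort chronologically
        rec.window = (min(times), max(times))
    return rec


def triage(rec: ScopeRecord, inventory: dict) -> Severity:
    """Feed the discovered scope back into the step-1 matrix."""
    assets = [inventory[h] for h in rec.affected_hosts if h in inventory]
    data_class = max((a["data"] for a in assets), key=DATA_WEIGHT.__getitem__, default="public")
    users = sum(a["users"] for a in assets)
    return classify_impact(data_class, users, any(a["revenue"] for a in assets),
                           data_class == "regulated")


# Constructed sample data: ws-42 is the confirmed-compromised host.
AUTH_EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "src": "ws-09", "dst": "fs-01", "user": "bob", "result": "success"},
    {"ts": "2024-05-01T09:12:00Z", "src": "ws-42", "dst": "fs-01", "user": "alice", "result": "success"},
    {"ts": "2024-05-01T09:15:00Z", "src": "ws-42", "dst": "dc-01", "user": "svc-backup", "result": "failure"},
    {"ts": "2024-05-01T09:20:00Z", "src": "ws-42", "dst": "dc-01", "user": "svc-backup", "result": "success"},
    {"ts": "2024-05-01T09:40:00Z", "src": "ws-07", "dst": "db-02", "user": "svc-backup", "result": "success"},
]
FLOW_EVENTS = [
    {"ts": "2024-05-01T09:05:00Z", "src": "ws-42", "dst": "proxy-01", "dport": 8080},
    {"ts": "2024-05-01T09:13:00Z", "src": "ws-42", "dst": "fs-01", "dport": 445},
    {"ts": "2024-05-01T09:30:00Z", "src": "ws-42", "dst": "jump-03", "dport": 22},
]
KNOWN_PEERS = {"ws-42": {"proxy-01", "fs-01", "dc-01"}}
INVENTORY = {
    "ws-42": {"data": "public", "users": 1, "revenue": False},
    "ws-07": {"data": "public", "users": 1, "revenue": False},
    "fs-01": {"data": "confidential", "users": 300, "revenue": False},
    "dc-01": {"data": "regulated", "users": 2000, "revenue": True},
    "db-02": {"data": "regulated", "users": 500, "revenue": True},
    "jump-03": {"data": "confidential", "users": 20, "revenue": False},
}

if __name__ == "__main__":
    scope = initial_scope("ws-42", AUTH_EVENTS, FLOW_EVENTS, KNOWN_PEERS)
    print(sorted(scope.affected_hosts), scope.window, triage(scope, INVENTORY))
```

The sweep deliberately errs toward inclusion: a host touched by a reused credential is a candidate until an analyst clears it, which is the right default when the goal is to avoid under-scoping. The failed login from ws-42 to dc-01 is kept out of the affected set but would still be worth listing as evidence in a fuller version.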
Evidence required
Impact classification framework
A documented framework for assessing the impact and scope of security events.
- Incident severity classification matrix with defined criteria per tier
- Incident response policy section defining impact assessment requirements
- Data classification policy that maps data types to breach impact levels
Scope assessment records from past incidents
Evidence that scope and impact assessment is performed during incident response.
- Sample incident tickets showing scope assessment documentation
- Post-incident review noting the scope determination process used
- SOAR playbook configuration showing scope assessment steps
Related controls
- Potentially adverse events are analyzed to better understand associated activities (Adverse Event Analysis)
- Information on adverse events is provided to authorized staff and tools (Adverse Event Analysis)
- Incidents are declared when adverse events meet the defined criteria (Adverse Event Analysis)
- The impact of the incident is understood (Incident Analysis)