Incident Analysis (RS.AN)

Investigations are conducted to ensure effective response and support forensics and recovery activities

Subcategories

RS.AN-01

Notifications from detection systems are investigated

[Withdrawn: Incorporated into RS.MA-02]

RS.AN-02

The impact of the incident is understood

[Withdrawn: Incorporated into RS.MA-02, RS.MA-03, RS.MA-04]

RS.AN-03

Analysis is performed to establish what has taken place during an incident and the root cause of the incident

RS.AN-04

Incidents are categorized consistent with response plans

[Withdrawn: Moved to RS.MA-03]

RS.AN-05

Processes are established to receive, analyze, and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers)

[Withdrawn: Moved to ID.RA-08]

RS.AN-06

Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved

RS.AN-07

Incident data and metadata are collected, and their integrity and provenance are preserved

RS.AN-08

An incident's magnitude is estimated and validated