OM-5.5.42

Licensees should utilise a pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions, and a pre-established severity assessment framework to help gauge the severity of the cyber incident. Examples of taxonomies that can be used when describing cyber incidents:

(a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action);
(b) Describe whether the cyber incident was due to a third-party service provider;
(c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink);
(d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media);
(e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to customers, data leakage, unavailability of data, data destruction/corruption, tarnishing of reputation);
(f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident);
(g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic);
(h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state).

The cyber incident severity may be classified as:

(a) A Severity 1 incident has caused or will cause a serious disruption or degradation of critical service(s), and there is potentially a high impact on public confidence in the licensee.
(b) A Severity 2 incident has caused or will cause some degradation of critical services, and there is a medium impact on public confidence in the licensee.
(c) A Severity 3 incident has little or no impact on critical services, and there is no visible impact on public confidence in the licensee.

Added: July 2021