An incident is security-relevant if one or more of the following questions are answered positively:
- Is personal data / employee data affected by the incident?
- Is there theft or loss of information or technology (includes portable and stationary media)?
- Is there an unauthorized disclosure of information?
- Was there unauthorized access to information from internal and external sources?
- Is a facility infected with malicious software that triggers unintended actions?
- Can an intrusion specifically affecting internal infrastructure occur?
- Is there unknown activity affecting network performance, such as increased bandwidth usage and degraded response times?
- Has an employee abused their access privileges to gain access to a restricted area?
- Have there been unauthorized changes to the organization’s file system, including media, through insertion, modification, or deletion?
- Is there intentional damage to or destruction of hardware, equipment, or infrastructure?
- Does a system exhibit suspicious behavior or a defect?
- Are there potentially dangerous activities or conditions that could lead to a security incident?