
Incident Management Capability Assessment

December 2018 Technical Report
Audrey J. Dorofee, Robin Ruefle, Mark Zajicek, David McIntire, Samuel J. Perl, Christopher J. Alberts, Carly L. Huth, Pennie Walters

The capabilities presented in this report provide a benchmark of incident management practices.


Software Engineering Institute

CMU/SEI Report Number



Successful management of incidents that threaten an organization's computer security is a complex endeavor. Frequently an organization's primary focus is on the response aspects of security incidents, which results in its failure to manage incidents beyond simply reacting to threatening events.

The capabilities presented in this document are intended to provide a baseline or benchmark of incident management practices for an organization. The incident management capabilities—provided in a series of statements and indicators—define the actual benchmark. The capabilities explore different aspects of incident management activities for preparing or establishing an incident management function; protecting, detecting, and responding to unauthorized activity in an organization's information systems and computer networks; and sustaining the ability to provide those services. This benchmark can be used by an organization to assess its current incident management function for the purpose of process improvement. This assessment will also help assure system owners, data owners, and operators that their incident management services are being delivered with a high standard of quality and success within acceptable levels of risk.