Introduction to NCISS in SIRP
The CISA National Cyber Incident Scoring System (NCISS) is a vital tool designed to assist organizations in assessing the severity and impact of cyber incidents. Developed by the Cybersecurity and Infrastructure Security Agency (CISA), this scoring system provides a standardized methodology for evaluating and scoring cyber incidents based on predefined categories and options.
By utilizing NCISS, organizations can systematically categorize incidents, assign appropriate weightings, and generate a score that reflects the overall risk and potential impact of the incident. This score aids in prioritizing responses, facilitating effective incident management, and enhancing decision-making during critical cybersecurity events.
The NCISS feature within SIRP streamlines the incident scoring process against CISA guidelines, enabling users to create, edit, and manage category options and priorities seamlessly.
Accessing NCISS
To access the CISA National Cyber Incident Scoring System (NCISS), follow these steps:
Navigate to Administration:
Log in to your SIRP account and locate the Administration section in the main menu.
Select Cases:
Click on the Cases option from the Administration navigation menu.
Open NCISS Incidents Scoring:
In the Cases section, find and select NCISS Incidents Scoring. This will direct you to the NCISS scoring admin interface.
Once you are on the NCISS Incidents Scoring screen, you will have access to the following:
Category Options Screen: This is the default view of the NCISS Scoring screen. Here, you can view, filter, create, and edit category options for scoring incidents.
NCISS Categories and Priorities: Use the respective buttons to access detailed pages for managing NCISS categories and priorities.
Make sure you have the necessary permissions to access these features, as they may be restricted based on user roles within SIRP.
Categories, Options and Priorities
Categories, Options, and Priorities form the foundation of the NCISS scoring system, enabling users to evaluate incidents systematically.
Categories: These are predefined groups that represent key aspects of a cyber incident, such as the type of threat or affected systems. Each category has a unique weight to signify its importance in the scoring process. For example, categories might include Impact, Threat Actor Sophistication, or System Vulnerability.
Options: Within each category, options represent specific conditions or attributes relevant to an incident. Options are assigned numeric values to quantify their contribution to the overall score. For instance, under the Impact category, options might include High, Medium, or Low Impact, each with a corresponding value.
Priorities: These define the urgency or severity levels associated with different score ranges. By mapping scores to priority levels, such as Critical, High, Medium, or Low, organizations can better prioritize their response efforts. Each priority is visually represented, often with distinct colors, to ensure clarity during incident management.
By combining categories, options, and priorities, NCISS provides a flexible and comprehensive framework for scoring incidents. This approach ensures that incident responses are proportional to the threat’s severity, aligning organizational efforts with the highest risks.
Navigating the NCISS Interface
The NCISS interface is designed for ease of use, allowing users to efficiently manage categories and options.
NCISS Categories Page
Access Path: Administration → Cases → NCISS Incidents Scoring → NCISS Categories
Purpose: Displays all predefined category names with details.
Features:
View Options: All predefined options (names, descriptions, weights and statuses) are displayed.
Action Column: Allows users to take action on manually created categories.
Create Category Button: Opens a modal to add new categories.
Create Category Modal
Purpose: To create new categories for scoring.
Fields:
Name: Input for the category name.
Weight: Numeric weight assigned to the category.
Description: Text field for a description of the category.
Status: Dropdown to set the category as enabled or disabled.
Once all details are filled in and the user hits Save, a new NCISS category is created.
NCISS Category Options Page
Access Path: Administration → Cases → NCISS Incidents Scoring
Purpose: To create, view and manage options based on specific categories.
Features:
Filter Options: Users can filter by categories to display specific options.
View Options: All predefined options (names, values, and categories) are displayed.
Create Options: Users can create new options via a modal window.
Search Functionality: A search bar is available to find specific category options quickly.
Action Column: Provides options to edit or delete user-created options.
Create Option Modal
Purpose: To add new category options.
Fields:
Name: Input for the name of the option.
Value: Numeric value associated with the option.
Category: Dropdown to select the relevant category.
Once all details are filled in and the user hits Save, an option for that category is created.
NCISS Priority Screen
Access Path: NCISS Priority button
Purpose: To manage NCISS priority levels and their respective settings. These priorities define the priority levels for the NCISS score.
Features:
List of Priorities: Displays priority names, levels, colors, and actions.
Create Priority Button: Opens a modal to add new priority levels.
Create Priority Modal
Purpose: To add new priorities for NCISS scoring.
Fields:
Name: Input for the priority name.
Level: Numeric level indicating when the NCISS score becomes that priority.
Color: Option to select a color associated with the priority.
Once all details are filled in and the user hits Save, a new priority level is created.
Using NCISS for Incident Management
The NCISS feature integrates seamlessly into incident management workflows, allowing users to calculate and view NCISS scores during various stages of alert and incident handling. Here’s how to effectively use the NCISS in your incident management processes:
Viewing NCISS Scores
Context: When creating, editing, or viewing alerts, investigations, incidents, and incident cases, the NCISS score option is prominently displayed.
Functionality: This visibility allows the user to set the parameters of the incident, which are in turn used to calculate the NCISS score.
Usability: With the context of these scores, analysts can better handle and prioritize incidents.
Calculating NCISS Scores
Trigger: When creating or editing any alert, investigation, or incident, a "Calculate Score" button appears.
Process:
Click the "Calculate Score" Button: This action opens a modal window displaying all categories available for scoring.
Select Category Options: Users can choose some or all relevant category options preset in the admin tab.
Save Selection: After selecting the desired category options, the user saves the input.
Score Calculation: The system automatically calculates the NCISS score based on the selected options and displays it.
Viewing Detailed Score Breakdown
Context: When reviewing an incident case, users can view the NCISS score alongside a detailed breakdown.
Components:
Score Display: The total NCISS score is shown prominently.
Weightage Breakdown: Users can see the weightage of each selected category option, helping them understand how the score is derived.
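The calculation and breakdown described above can be modelled as follows. This is an added example, not SIRP's code or CISA's published weights: the category names, weights, option values, priority levels, the weighted-mean formula and the treatment of unselected categories as zero are all assumptions made for illustration.

```python
# Constructed sample configuration. Names, weights, values and levels are
# illustrative assumptions, not SIRP defaults or CISA's published weights.
CATEGORIES = {  # name -> (weight, enabled)
    "Impact": (5, True),
    "Threat Actor Sophistication": (3, True),
    "System Vulnerability": (2, True),
    "Legacy Category": (4, False),
}
OPTIONS = {  # (category, option) -> value on an assumed 0-100 scale
    ("Impact", "High"): 100,
    ("Impact", "Medium"): 50,
    ("Impact", "Low"): 10,
    ("Threat Actor Sophistication", "High"): 100,
    ("Threat Actor Sophistication", "Low"): 20,
    ("System Vulnerability", "High"): 100,
    ("System Vulnerability", "Low"): 20,
    ("Legacy Category", "High"): 100,
}
# (level, name): assumed to mean "lowest score at which this priority applies".
PRIORITIES = [(0, "Low"), (40, "Medium"), (65, "High"), (85, "Critical")]


def score_incident(selection):
    """Return (score, breakdown, priority) for a {category: option} selection."""
    enabled = {c: w for c, (w, on) in CATEGORIES.items() if on}
    total_weight = sum(enabled.values())
    breakdown = {}
    for category, option in selection.items():
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        if (category, option) not in OPTIONS:
            raise ValueError(f"unknown option {option!r} for {category}")
        if category not in enabled:
            continue  # disabled categories never contribute to the score
        # Assumed formula: weighted mean over all enabled categories, so a
        # category left unselected contributes 0 and lowers the total.
        breakdown[category] = round(
            enabled[category] * OPTIONS[(category, option)] / total_weight, 2)
    score = round(sum(breakdown.values()), 2)
    # Pick the priority with the highest level that the score has reached.
    priority = max(p for p in PRIORITIES if p[0] <= score)[1]
    return score, breakdown, priority
```

Under these assumptions, selecting only Impact: High scores 50 (Medium), while adding Threat Actor Sophistication: Low and System Vulnerability: High scores 76 (High), so a partially completed selection can understate an incident's priority.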
Conclusion
The CISA National Cyber Incident Scoring System (NCISS) is a vital tool within our application, empowering users to evaluate cyber incidents systematically and effectively. This scoring system, developed by CISA, enhances incident management by providing a structured framework for categorizing and prioritizing incidents based on their severity and potential impact.
In summary, the NCISS feature in our application not only enhances incident management but also aligns with best practices in cybersecurity, fostering a proactive approach to managing cyber incidents.