From a question posted over at CISACA-L:
b) Secondly, what constitutes a security incident? Is there a generally / generically agreed list? We all have our views on what constitutes a security incident, but I would just like to seek clarity.
I offered the following definition:
Well, anything that violates the security policy is a security incident. If no policy exists, you know that an incident is a security incident when you detect one.
If you find the above definition vague, or subjective please help refine it. But read “In Praise of the handshake” first. Like complete contracts, overengineered policies are inevitably imperfect. And that is why I like the informal SLA too.
I would suggest changing “anything that violates the security policy…” to “anything that violates the security policy and is not documented and accepted by management as an exception”.