
Escalation and Notification

Updated Jan 30, 2024

First Responder Mode

When a potential incident is detected, the first responder must act immediately to limit its spread before the formal process begins.

  • Isolate affected systems (for example, by removing them from the network or disabling compromised accounts) to prevent further damage.
  • Contain the damage already caused by the incident, while preserving evidence where possible.
  • Move into the escalation and notification process as soon as these immediate actions are taken.

Incident Reporting

Key Components of Incident Reporting:

  • Notifications inform the relevant parties that an incident is under way and that a response has begun.
  • Real-time Updates keep stakeholders informed about the progress of the response.
  • Documentation maintains a detailed record of the incident and of every response action taken, for use in the final report and in any legal or regulatory follow-up.

Escalation Process

This process ensures incidents are properly evaluated, escalated, and reported to stakeholders.

  • Evaluate the severity of the incident based on its potential impact on confidentiality, integrity, and availability.
  • Escalate the incident to the level of response that matches that severity.
  • Notify management and stakeholders about the incident and the planned resolution.

Notification Process

Incident responders must notify key personnel promptly.

  • Internal Notifications

    • Contact senior IT officials and information security teams.
    • May also include system owners, public relations staff, and legal teams.
  • Automated Notifications

    • Many organizations use automated systems to send alerts and track acknowledgements.
    • Tracking acknowledgements, not just sending alerts, is what confirms that all key personnel were actually reached.
  • External Notifications

    • Which external parties must be notified depends on the nature of the incident.
    • Law enforcement, regulators, or industry bodies may need to be informed, and breach notification laws can impose deadlines for doing so.

Incident Notification Checklist

Below are example roles in an incident notification checklist:

  • Chief Information Officer (CIO) or senior IT official
  • Director of Information Security
  • Incident response teams
  • System and business process owners
  • Public relations staff and attorneys

Incident Severity Ratings

Organizations typically classify incidents based on their potential impact.

  • Low-Impact Incidents

    • Have minimal effect on confidentiality, integrity, or availability.
    • First responders usually handle the issue themselves.
    • No immediate need for escalation or notification unless the incident worsens, in which case it is re-rated and escalated.
    • Typically no after-hours response is required.
  • Moderate-Impact Incidents

    • Have a significant, but not critical, effect on confidentiality, integrity, or availability.
    • Usually trigger activation of the incident response team.
    • Management is notified.
  • High-Impact Incidents

    • Cause or threaten critical damage and require an immediate, full response.
    • Senior executives are notified immediately.
    • The full incident response team is mobilized.
    • Other team members are placed on standby.
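The severity ratings above and the escalation process described earlier translate naturally into an escalation policy as code. The following is an added example, not code from the original page: it rates an incident, picks the response tier, returns only the recipients not yet notified (so re-running it after an incident worsens yields exactly the additional notifications owed), and keeps the detailed record the reporting section calls for. The high-water-mark rule (overall severity equals the worst of the three impacts), the role names in the matrix, and the after-hours handling for the low tier are assumptions to adapt to a local checklist.

```python
"""Escalation policy as code (illustrative example, not from the source page).

Assumptions: severity is the high-water mark of the C/I/A impact ratings;
role names are placeholders for the organisation's own notification checklist.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Impact(IntEnum):
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Response tier per severity. Recipients are assumed role names (adapt locally).
ESCALATION_MATRIX: Dict[Impact, dict] = {
    Impact.LOW: {
        "responder": "first responder",
        "activate_irt": False,
        "notify": [],
        "after_hours_response": False,   # low impact: can wait for business hours
    },
    Impact.MODERATE: {
        "responder": "incident response team",
        "activate_irt": True,
        "notify": ["Director of Information Security", "management"],
        "after_hours_response": True,
    },
    Impact.HIGH: {
        "responder": "full incident response team",
        "activate_irt": True,
        "notify": ["CIO", "Director of Information Security", "senior executives",
                   "system and business process owners", "public relations", "legal"],
        "after_hours_response": True,
    },
}


@dataclass
class Incident:
    incident_id: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    notified: Set[str] = field(default_factory=set)   # who has already been told
    log: List[str] = field(default_factory=list)      # the detailed record


def rate_severity(inc: Incident) -> Impact:
    """High-water mark: the overall severity is the worst of the three impacts."""
    sev = max(inc.confidentiality, inc.integrity, inc.availability)
    return Impact.LOW if sev == Impact.NONE else sev   # NONE is handled on the low tier


def escalate(inc: Incident, after_hours: bool = False) -> dict:
    """Evaluate severity, select the tier, and return who must be notified now."""
    sev = rate_severity(inc)
    tier = ESCALATION_MATRIX[sev]
    pending = [r for r in tier["notify"] if r not in inc.notified]
    respond_now = tier["after_hours_response"] or not after_hours
    inc.notified.update(pending)
    inc.log.append(f"{inc.incident_id}: severity={sev.name} responder={tier['responder']} "
                   f"notify={pending} respond_now={respond_now}")
    return {"severity": sev.name, "responder": tier["responder"],
            "activate_irt": tier["activate_irt"], "notify_now": pending,
            "respond_now": respond_now}


def reassess(inc: Incident, confidentiality: Optional[Impact] = None,
             integrity: Optional[Impact] = None, availability: Optional[Impact] = None,
             after_hours: bool = False) -> dict:
    """Re-rate an incident whose impact has changed and escalate if it got worse."""
    before = rate_severity(inc)
    if confidentiality is not None:
        inc.confidentiality = confidentiality
    if integrity is not None:
        inc.integrity = integrity
    if availability is not None:
        inc.availability = availability
    result = escalate(inc, after_hours)
    result["escalated"] = rate_severity(inc) > before
    return result


if __name__ == "__main__":
    # Constructed scenario: a low-impact event that later turns out to be worse.
    inc = Incident("INC-0001", Impact.LOW, Impact.NONE, Impact.LOW)
    print(escalate(inc, after_hours=True))                        # handled by first responder, deferred
    print(reassess(inc, availability=Impact.MODERATE, after_hours=True))  # IRT activated, management told
    print(reassess(inc, confidentiality=Impact.HIGH))             # executives told; no duplicate notices
    print("\n".join(inc.log))
```

Because `escalate` diffs against `inc.notified`, the same function serves both the initial escalation and every later re-rating; the log it appends to is the raw material for the status updates and the final report described below.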

Incident Escalation

The process of notifying and escalating incidents should be designed in advance and supported by tooling, not improvised during the incident.

  • Clear, written procedures must be in place for first responders to follow.
  • Up-to-date contact lists for key personnel, including mobile numbers, should be available and reachable even when the organization's primary systems are down.

Incident Status Updates

Incident response teams must provide regular updates on the progress of the response.

  • Use automated notifications, meetings, or teleconferences.
  • Share key information on containment, eradication, and recovery efforts.

Final Report and Documentation

At the conclusion of an incident response, a formal report is created.

  • Nature of the incident
  • Timeline of response
  • Containment and recovery actions
  • Lessons learned and recommendations for improvement