Some alerts necessitate immediate action, making it crucial for the SOC to establish a defined process for contacting the appropriate individuals during different incidents. Since incidents can affect various business units, the SOC should know who to contact, when, and through which communication channels.
Here’s an example of an escalation chain for incidents affecting a specific part of the organization:
Incidents should be classified based on their:
The classification of an incident and its attributes will dictate the measures the SOC takes to address the issue.
The incident category determines the appropriate response. It is essential for the SOC to understand the implications of each incident type for the organization. Examples of incidents include:
The criticality of an incident is assessed based on factors such as the number of affected systems, the potential consequences of not addressing the incident, and the specific systems involved. Accurately determining criticality is crucial for the SOC to effectively manage and close incidents, as it dictates the urgency of the response—whether the incident requires immediate action or can be deferred until later.
Sensitivity indicates who needs to be informed about the incident, with some incidents requiring a high level of discretion.
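To make the three attributes concrete, here is an added example (not from the original text) of a small triage helper that derives criticality from the factors named above, lets sensitivity restrict the notification path, and walks a per-business-unit escalation chain. The categories, thresholds, system names, roles and channels are constructed assumptions for illustration only.

```python
"""Added illustration: incident classification driving an escalation chain.
Every category, threshold, contact and channel below is an assumed example."""
from dataclasses import dataclass

# Constructed: systems the organisation treats as high-value (assumption).
CROWN_JEWELS = {"payroll-db", "domain-controller-1", "payment-gateway"}

# Constructed escalation chains: ordered (role, channel) pairs per business unit.
ESCALATION_CHAIN = {
    "finance": [("soc-analyst", "ticket"), ("finance-it-lead", "phone"), ("cfo", "phone")],
    "engineering": [("soc-analyst", "ticket"), ("eng-oncall", "pager"), ("cto", "email")],
    "default": [("soc-analyst", "ticket"), ("soc-manager", "phone")],
}

@dataclass
class Incident:
    category: str            # assumed categories: "malware", "phishing", "data-exposure"
    business_unit: str
    affected_systems: list
    sensitive: bool = False  # True when only a need-to-know group may be informed

def criticality(inc: Incident) -> str:
    """Derive criticality from the factors the text names: how many systems are
    affected, which specific systems, and the consequence of deferring action."""
    n = len(inc.affected_systems)
    touches_critical = any(s in CROWN_JEWELS for s in inc.affected_systems)
    if touches_critical or n >= 10:
        return "critical"    # requires immediate action
    if n >= 3 or inc.category == "data-exposure":
        return "high"
    return "low"             # can be deferred until later

def escalation_plan(inc: Incident) -> list:
    """Return the ordered (role, channel) contacts for this incident.
    Critical incidents walk the whole chain; high incidents stop short of the
    last (executive) link; low incidents stay with the analyst. Sensitive
    incidents swap broadcast-style email for a direct phone call."""
    chain = ESCALATION_CHAIN.get(inc.business_unit, ESCALATION_CHAIN["default"])
    depth = {"critical": len(chain), "high": max(1, len(chain) - 1), "low": 1}
    plan = chain[:depth[criticality(inc)]]
    if inc.sensitive:
        plan = [(role, "phone" if ch == "email" else ch) for role, ch in plan]
    return plan
```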