Incident Escalation and Notification – CompTIA Security+ SY0-401: 2.5

When you’re involved with an incident, communication is key. In this video, you’ll learn about escalation procedures and strategies for security notifications.

<< Previous Video: Incident IdentificationNext: Incident Mitigation and Isolation >>


When an incident is occurring there are a number of people that will need to be kept in the loop and notified as to what’s happening with the progress. Whenever we look at internally in an organization it’s very common to notify people like the CIO or the Head of Information Security, and certainly the teams that are responsible for responding to these kinds of incidents. We may also need to go outside of the information technology group to inform people like human resources or our public affairs group, and certainly are legal department may need to be notified as to what’s occurring. You may need even go outside the organization. In some cases, this may be a criminal act and you may need to contact your local law enforcement. And for government agencies there may be requirement to contact the US cert organization.

During a security incident the ability to communicate with others is incredibly important. Everyone needs to be up to date and informed of exactly what’s going on, especially if multiple people are working on different aspects of the security incident. So there’s different ways we should consider communicating, whenever one of these things occurs.

We can of course communicate via email, if your email is working properly. In fact, you may want to have a secondary email systems in place in case your internal email system is part of the security incident. You may also want to go to the web and poster information on a public or a private internal web page that way people can get updated immediately on what the latest status might be. Of course, communicating by voice is a great way to do this. So you’ll need to have your contact list and understand exactly who you should be communicating with over the phone. If you have the ability for everybody to get into a room you may want to have in person updates, or have periodic meetings where everybody can sit in a room for 15 or 30 minutes and discuss where they are with resolving this particular security incident. Sometimes you may want to have this set up on an automated voicemail system so that people can call a centralized phone number and get a status of where things are with the security incident. And you may get rid of technology completely and do everything by paper, have a centralized board and you compose notices, and leave messages on that centralized board, and avoid any type of technology, whatsoever. Information Exchange is an incredibly important part of an incident response. So you want to be sure that you have all of these methods in place if you ever have to respond to some type of security incident.