Work a Security Incident

Work a Security Incident to determine the cause of the violation and resolve it.

To work a Security Incident (one that is already in the In Progress phase):

  1. Open the Security Incident.
  2. Complete the Incident Containment field and select a reviewer.
  3. Use the form arrangement tabs to view information associated with the Security Incident or to add Tasks for addressing the Incident.
    • Overview
    • Journals
    • Runbook
    • Security Events
    • Granted Access
    • Tasks
    • Security Incident Timeline
  4. (Optional) Create supporting tickets from the Actions list or initiate supporting actions. These can be initiated at any stage prior to Resolved. A few are highlighted below.
    1. Security Incident Notification: Provides an email template that can be modified to send out notifications to interested parties, such as Legal or HR.
    2. Grant Access to Users: Allows you to add users who will then have rights to view and edit this Security Incident.
    3. Create a Preventative Action and Create Corrective Action: Opens a Preventative or Corrective Action form.
    4. Create an IT Incident and Create Change Request: Opens an Incident or Change form.
  5. Complete the Eradication and Recovery Actions fields.
  6. Select an Incident resolution code.
  7. When appropriate, complete a Post Review on the Security Incident. Select the Post Review link (under Stage) and complete the fields on the Post Review form. To go back to the other information, select the Stage: Eradication and Recovery link. Select the Stage: Post Review link to move to the Post Review stage and complete the relevant Post Review fields.
    The Security Incident can be resolved prior to Post Review being completed.
  8. Select the Next: Resolved link to change the status to Resolved. There is no Closed status.
    Security Incident tickets can be resolved even if there are open Compliance Records. The customer can modify this behavior based on business requirements.