What are your best practices for outage notifications? How do you keep the IT leadership team aware in real time? How does your support desk / organization get involved and when?
Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, 2 months ago
One of the best resources that explains how companies should handle outages and define responsibilities is the "Incident Response Handbook" by the Incident Response Consortium. This handbook provides comprehensive guidelines and best practices for handling incidents, including how to assign roles and responsibilities during an outage, how to communicate internally and externally, and how to coordinate the resolution process effectively. It's widely regarded as a valuable resource for organizations looking to improve their incident response capabilities. Here is the resource link: https://www.incidentresponse.org/resources/useful-links/
- For critical incidents (notified to the board), a bridge is kept open all the time, and anyone can dial in to get an update. However, there are usually timed updates on the hour or every 2 hours, where all key people join to provide progress to key stakeholders. A gold and/or platinum call will have been set up where business heads join to provide business, client, regulatory and financial impacts, and technology joins with remediation updates. The relevant board member attends to get updates. Email communication will go out hourly or every 2 hours.
- For P1, tech people can see updates by looking at ServiceNow commentary or joining the incident bridge. Business heads can wait for email communication (every 2 hours) and/or attend bronze/silver calls depending upon client, regulatory and financial impacts.
- An organisation needs an agreed incident classification, definitions of platinum, gold, silver and bronze calls, and the frequency of emails. The policy should also include who writes the emails, in what format, etc.
- ITIL is a good framework to follow and adapt to your organisation.
- Live updates (based on experience) are never really live unless you are on the incident bridge call seeing it unfold in real time. When people say they want real-time updates, they just want the last meaningful update, which they can get from an email or by joining the bridge call.