Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

8.4.2. Incident Classification, Communication, and Escalation

💡 First Principle: Not all incidents are equal — a port scan from the internet requires a different response than a confirmed exfiltration of customer PII. Classification determines the resources deployed, the speed of response, the management level that must be notified, and the regulatory obligations triggered. Under-classifying wastes critical response time; over-classifying causes alert fatigue and resource exhaustion.

Incident severity classification:
| Level | Definition | Response | Notification |
|---|---|---|---|
| Critical (P1) | Active data breach; ransomware in progress; complete service outage; life-safety threat | All-hands IR team; executive bridge; legal engaged | CISO, CEO, legal, board (if breach); regulator per breach notification law |
| High (P2) | Confirmed compromise of sensitive system; significant malware infection; targeted attack in progress | Full IR team activation; management bridge | CISO, IT director, affected business unit |
| Medium (P3) | Isolated malware; successful phishing (no credential compromise confirmed); single system compromise | IR analyst investigation; standard response | Security manager; system owner |
| Low (P4) | Policy violation; unsuccessful attack attempt; suspicious but unconfirmed activity | Documented; investigated in normal workflow | Ticket created; no real-time escalation |

Communication during incidents:

Incident communication requires both internal and external channels, often under legal and regulatory constraints:

  • Internal communication — Use out-of-band channels (not the compromised network). Assume the attacker may be monitoring email and chat, and fall back to phone calls, pre-established encrypted messaging, or a dedicated IR communication platform.
  • Legal hold and privilege — Engage legal counsel early. Communications directed by and to legal counsel may be protected by attorney-client privilege. IR reports created at counsel's direction ("privileged and confidential — prepared at the direction of counsel") receive stronger legal protection.
  • Regulatory notification — Breach notification laws specify timelines (GDPR: 72 hours to supervisory authority; most US state laws: 30–90 days to affected individuals). The clock typically starts when the organization has reasonable certainty that a breach occurred.
  • Customer notification — Content must be accurate without revealing investigation details that could help the attacker. All external communications go through legal review before release.
  • Law enforcement coordination — FBI, Secret Service, or local law enforcement depending on incident type. Law enforcement engagement is voluntary for most private-sector incidents but may be required for certain regulated industries. Engagement can provide threat intelligence, attribution support, and legal remediation.
Escalation procedures:

Escalation must be pre-defined — during a crisis, responders should not debate who needs to know. Escalation triggers are typically tied to classification level: P1 auto-escalates to C-suite; P2 auto-escalates to CISO; P3/P4 are managed at the security operations level.

⚠️ Exam Trap: GDPR's 72-hour breach notification requirement runs from the moment the controller becomes "aware" of the breach — not from when the investigation is complete. Organizations that wait for full forensic analysis before notifying the supervisory authority will likely miss the deadline. Initial notification can and should be made with incomplete information, with supplemental details provided as the investigation progresses.
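As an added example (not part of the original lesson), the severity table, the pre-defined escalation rule, and the exam trap above expressed in runnable Python: confirmed facts about an incident are classified to P1-P4, the notification list is derived from the level, and the GDPR 72-hour clock is computed from the awareness time so the team can see whether waiting for full forensics would miss it. The Incident field names, the classification thresholds and the scenario dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GDPR_WINDOW = timedelta(hours=72)  # runs from the moment the controller becomes aware

@dataclass
class Incident:
    """Facts confirmed so far (constructed field names, not a standard schema)."""
    exfiltration_confirmed: bool = False
    ransomware_active: bool = False
    sensitive_system_compromised: bool = False
    credentials_compromised: bool = False
    malware_isolated: bool = False
    personal_data_involved: bool = False

def classify(inc: Incident) -> str:
    """Map confirmed facts to the P1-P4 levels; unconfirmed activity stays P4."""
    if inc.exfiltration_confirmed or inc.ransomware_active:
        return "P1"
    if inc.sensitive_system_compromised or inc.credentials_compromised:
        return "P2"
    if inc.malware_isolated:
        return "P3"
    return "P4"

ESCALATION = {  # pre-defined per level, so nobody debates who needs to know mid-crisis
    "P1": ["CISO", "CEO", "legal"],
    "P2": ["CISO", "IT director", "affected business unit"],
    "P3": ["security manager", "system owner"],
    "P4": [],  # ticket only, no real-time escalation
}

def escalation_targets(inc: Incident) -> list:
    level = classify(inc)
    targets = list(ESCALATION[level])
    if level == "P1" and inc.personal_data_involved:  # breach of personal data
        targets += ["board", "regulator"]
    return targets

def gdpr_plan(aware_at: datetime, forensics_eta: datetime) -> dict:
    """72-hour clock from awareness: if forensics will not finish in time,
    notify now with partial information and supplement later."""
    deadline = aware_at + GDPR_WINDOW
    return {"deadline": deadline, "notify_with_partial_info": forensics_eta > deadline}

def demo():
    # Constructed scenario: PII exfiltration confirmed; forensics needs five more days.
    inc = Incident(exfiltration_confirmed=True, personal_data_involved=True)
    aware = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    return classify(inc), escalation_targets(inc), gdpr_plan(aware, aware + timedelta(days=5))
```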

Reflection Question: A security analyst discovers that an attacker has had access to a database containing customer names, email addresses, and hashed passwords for approximately 3 weeks. The analyst confirms the data was exfiltrated. The organization serves customers in the US (California) and EU. Walk through the notification obligations under both CCPA and GDPR, the internal escalation that should occur, and the key decisions the IR team must make in the first 24 hours after discovery.

Written by Alvin Varughese, Founder, 15 professional certifications