📊 Incident Classification & Escalation Matrix

Incident classification matrix and escalation procedures

🎯 Severity Determination Matrix

Severity is read from the cell where the incident's Likelihood (rows) meets its Impact (columns):

| Likelihood ↓ / Impact → | Minimal | Low   | Medium | High  | Critical |
|-------------------------|---------|-------|--------|-------|----------|
| Very High               | SEV 4   | SEV 3 | SEV 2  | SEV 1 | SEV 1    |
| High                    | SEV 5   | SEV 4 | SEV 3  | SEV 2 | SEV 1    |
| Medium                  | SEV 5   | SEV 4 | SEV 3  | SEV 3 | SEV 2    |
| Low                     | SEV 5   | SEV 5 | SEV 4  | SEV 3 | SEV 3    |
| Very Low                | SEV 5   | SEV 5 | SEV 4  | SEV 4 | SEV 3    |
SEV 1: Critical
  Response: 15 min | Resolution: 4 hours
  Definition: Critical impact on the business
  Examples: Ransomware, complete service outage
  Escalation: CEO, CISO, Crisis Team

SEV 2: High
  Response: 30 min | Resolution: 8 hours
  Definition: Significant impact on operations
  Examples: Data breach, critical server down
  Escalation: IT Director, Security Manager

SEV 3: Medium
  Response: 2 hours | Resolution: 24 hours
  Definition: Moderate impact on a department
  Examples: Malware on a workstation
  Escalation: Team Lead, Duty Manager

SEV 4: Low
  Response: 4 hours | Resolution: 48 hours
  Definition: Minimal impact
  Examples: Phishing attempt, failed login
  Escalation: SOC Lead

SEV 5: Informational
  Response: 8 hours | Resolution: 5 days
  Definition: Informational event
  Examples: Policy violation, low-risk alert
  Escalation: Not required

📞 Escalation Chain

👤 L1 SOC Analyst: Initial triage (SEV 4-5)
👥 L2 SOC Analyst: Investigation (SEV 3-4)
💼 SOC Manager: Coordination (SEV 2-3)
🎯 CISO/CTO: Strategic decisions (SEV 1-2)

📋 Incident Examples by Category

🦠 Ransomware Attack SEV 1
Multiple servers encrypted, business operations stopped
  • Activate Crisis Management Team
  • Isolate all affected systems
  • Notify executive leadership
  • Engage external IR team
  • Prepare public communications
💳 PCI Data Breach SEV 1
Confirmed exfiltration of credit card data
  • Notify legal and compliance
  • Contact payment card brands
  • Preserve all evidence
  • Begin forensic investigation
  • Prepare breach notifications
🔐 Domain Admin Compromise SEV 2
Unauthorized access to privileged account detected
  • Disable compromised account
  • Reset all admin passwords
  • Review all recent admin activities
  • Check for persistence mechanisms
🌐 DDoS Attack SEV 2
Public-facing services experiencing significant degradation
  • Enable DDoS mitigation
  • Contact ISP/CDN provider
  • Scale infrastructure if possible
  • Monitor attack patterns
🖥️ Endpoint Malware SEV 3
Single workstation infected with known malware
  • Isolate infected endpoint
  • Run full AV scan
  • Check for lateral movement
  • Reimage if necessary
🎣 Successful Phishing SEV 3
User clicked link and entered credentials
  • Reset user password
  • Check for account compromise
  • Block phishing URL
  • Search for other victims
🔑 Failed Login Attempts SEV 4
Multiple failed authentication attempts detected
  • Verify source IP reputation
  • Check whether this is a password spray attack
  • Monitor targeted accounts
📋 Policy Violation SEV 5
User installed unauthorized software
  • Document violation
  • Notify user's manager
  • Schedule security awareness training

📢 Communication Matrix

| Severity | Internal Stakeholders                    | External Stakeholders                  | Update Frequency |
|----------|------------------------------------------|----------------------------------------|------------------|
| SEV 1    | CEO, CISO, Legal, PR                     | Customers, Regulators, Law Enforcement | Every 30 minutes |
| SEV 2    | IT Director, Security Manager, Affected BU | Key Partners, MSP/Vendors            | Every hour       |
| SEV 3    | SOC Manager, IT Teams                    | As needed                              | Every 4 hours    |
| SEV 4    | SOC Team, Affected Users                 | None                                   | Daily            |
| SEV 5    | SOC Team                                 | None                                   | Weekly report    |