NIST SP 800-61
Handling an Incident
2.7. Incident Notification
When an incident is analyzed and prioritized, the incident response team needs to notify the appropriate
individuals so that all who need to be involved will play their roles. Incident response policies should include provisions concerning incident reporting – at a minimum, what must be reported to whom and at
what times (e.g., initial notification, regular status updates). The exact reporting requirements vary among
organizations, but parties that are typically notified include:
- CIO
- Head of information security
- Local information security officer
- Other incident response teams within the organization
- External incident response teams (if appropriate)
- System owner
- Human resources (for cases involving employees, such as harassment through email)
- Public affairs (for incidents that may generate publicity)
- Legal department (for incidents with potential legal ramifications)
- US–CERT (required for Federal agencies and systems operated on behalf of the Federal government; see Section 2.3.4.3)
- Law enforcement (if appropriate)
During incident handling, the team may need to provide status updates to certain parties, even in some
cases the entire organization. The team should plan and prepare several communication methods,
including out-of-band methods (e.g., in person, paper), and select the methods that are appropriate for a
particular incident. Possible communication methods include:
- Website (internal, external, or portal)
- Telephone calls
- In person (e.g., daily briefings)
- Voice mailbox greeting (e.g., set up a separate voice mailbox for incident updates, and update the greeting message to reflect the current incident status; use the help desk's voice mail greeting)
- Paper (e.g., post notices on bulletin boards and doors, hand out notices at all entrance points).