Reporting incidents from SOW and SIR Workspace in DRIR
Summary of Reporting Incidents from SOW and SIR Workspace in DRIR
This guide outlines the process for reporting major incidents generated in the Service Operations Workspace (SOW) and Security Incident Response Workspace (SIR Workspace) into the Digital Resilience Incident Reporting application. Major incidents are categorized based on their impact and urgency, facilitating a structured response and documentation workflow.
Key Features
- Incident Verification: Assess if the incident is major based on service impact, security breaches, or operational issues.
- Incident Classification: Automatically classify incidents as major if they involve unauthorized access.
- Incident Record Creation: Document essential details such as case number, priority, and requester.
- Notification System: Email updates to DORA analysts regarding incident progress.
- Reporting Timelines:
  - Initial Report: Due within 24 hours of classification.
  - Intermediate Report: Due within 72 hours if the incident persists.
  - Final Report: Due one month after the incident is classified.
Key Outcomes
By following this reporting workflow, ServiceNow customers can ensure timely documentation and response to major incidents, enhancing operational resilience and security management. Accurate reporting also aids in ongoing incident analysis and response effectiveness.
When a high-impact, high-urgency incident is created or an existing incident is marked as high priority in the Service Operations Workspace (SOW) of Incident Management or Security Incident Response Workspace (SIR Workspace), it is classified as a major incident. These major incidents are then logged and reported in the Digital resilience incident reporting application.
Incident reporting workflow
The following example shows a sample workflow for reporting an incident in Incident Management.
- Incident verification: Determine if the reported incident is a major ICT-related incident, a security breach, or an operational payment issue. Assess whether any critical services are impacted.
- Incident classification: If the critical services affected criterion is not met, the incident is not classified as major. If there is any report of malicious unauthorized access to the network and information systems, the incident is automatically classified as major.
- Incident record creation: Create an incident record. The Details tab includes information such as the case number, source, state, subtype, priority, requester, and other relevant details. Review actions related to the case which are documented in the Activities panel on the Details tab.
- Notification: Send an email notification to the DORA analyst to update them on the progress of the case.
- Initial report: Automatically collect initial report data. Generate an initial report no later than 24 hours after the incident is classified as major.
- Response activation: Activate the response steps for the incident.
- Intermediate report: Review the incident report if the incident has been open for more than three days. Update the incident data in the intermediate report, which is generated no later than 72 hours after the incident is classified as major.
- Response review: If the incident is still open, review the response steps.
- Final report: Verify that the incident is closed and enrich the notes in the record. Update the final report, which is generated one month after the incident is classified as major, with the revised notes.
Incident reporting timelines
| Report type | Timeline (From the time the incident is classified as major) |
|---|---|
| Initial report | 24 hours |
| Intermediate report | 72 hours |
| Final report | 1 month |
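
The timelines in the table, worked through as an added example that is not ServiceNow code or part of the product: a Python sketch that derives the three deadlines from the classification time and lists the reports that are overdue. The function names, the month-end clamping used for "1 month", and the rule that no intermediate report is expected once the incident closed before the 72-hour mark are assumptions.

```python
import calendar
from datetime import datetime, timedelta, timezone


def add_one_month(ts):
    """Same day of the next month, clamped to that month's last day.
    Assumption: the page only says '1 month' and does not define the arithmetic."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def report_deadlines(classified_at):
    """Deadlines counted from the time the incident is classified as major."""
    return {
        "initial": classified_at + timedelta(hours=24),
        "intermediate": classified_at + timedelta(hours=72),
        "final": add_one_month(classified_at),
    }


def overdue_reports(classified_at, submitted, now, closed_at=None):
    """Report types whose deadline has passed without a submission."""
    overdue = []
    for name, deadline in report_deadlines(classified_at).items():
        if name in submitted or now <= deadline:
            continue
        # Assumption: the intermediate report applies only if the incident
        # is still open when its 72-hour deadline arrives.
        if name == "intermediate" and closed_at is not None and closed_at <= deadline:
            continue
        overdue.append(name)
    return overdue


if __name__ == "__main__":
    # Constructed sample: incident classified as major on 31 January 2025, 09:00 UTC.
    classified = datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc)
    for name, deadline in report_deadlines(classified).items():
        print(f"{name:<13}{deadline.isoformat()}")
    now = datetime(2025, 2, 4, 9, 0, tzinfo=timezone.utc)
    print("overdue:", overdue_reports(classified, {"initial"}, now))
```
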
Case generation in Digital resilience incident reporting
When an incident is marked as critical in the Service Operations Workspace of the Incident Management application, as shown in the example, a case is generated in Digital resilience incident reporting.
The SIR Workspace deploys a similar workflow for reporting high-impact incidents, which are then logged in Digital resilience incident reporting.