Reporting incidents from SOW and SIR Workspace in DRIR

  • Release version: Yokohama
  • Updated July 31, 2025

    When a high-impact, high-urgency incident is created or an existing incident is marked as high priority in the Service Operations Workspace (SOW) of Incident Management or Security Incident Response Workspace (SIR Workspace), it is classified as a major incident. These major incidents are then logged and reported in the Digital resilience incident reporting application.

    Incident reporting workflow

    The following example shows a sample workflow for reporting an incident in Incident Management.
    1. Determine if the reported DRI case is a major ICT-related incident, a security breach, or an operational payment issue. Assess whether any critical services are impacted.
    2. If the critical services affected criterion is not met, the DRI case is not classified as major. If there is any report of malicious unauthorized access to the network and information systems, the incident is automatically classified as major.
    3. Create a DRI case record. The Details tab includes information such as the case number, source, state, subtype, priority, requester, and other relevant details. Review the actions related to the case, which are documented in the Activities panel on the Details tab.
    4. Notification: Send an email notification to the DORA analyst to update them on the progress of the case.
    5. Initial report: Automatically collect initial report data. Generate an initial report no later than 24 hours after the incident is classified as major.
    6. Response activation: Activate the response steps for the incident.
    7. Intermediate report: Review the incident report if the incident has been open for more than three days. Update the incident data in the intermediate report, which is generated no later than 72 hours after the incident is classified as major.
    8. Response review: If the incident is still open, review the response steps.
    9. Final report: Verify if the incident is closed and enrich the notes in the record. Update the final report with the revised notes, which is generated one month after the incident is classified as major.

    Incident reporting timelines

    To report an incident, the following timelines are considered.
    Table 1. Reporting timelines
    Report type         | Timeline (from the time the incident is classified as major)
    Initial report      | 24 hours
    Intermediate report | 72 hours
    Final report        | 1 month
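
    The classification rule and the three reporting timelines above, as a standalone deadline tracker. This is an added example, not code from the product: the field names (classifiedAt, maliciousUnauthorizedAccess, criticalServicesAffected, submitted) are hypothetical, and "one month" is assumed to mean one calendar month in UTC, clamped to the end of shorter months.

```javascript
const HOUR_MS = 60 * 60 * 1000;

// Steps 1-2: malicious unauthorized access is always major; otherwise the
// critical-services criterion must be met. Field names are hypothetical.
function isMajor(incident) {
  return Boolean(incident.maliciousUnauthorizedAccess || incident.criticalServicesAffected);
}

// Assumption: "one month" = one calendar month in UTC, clamped to the last day
// of the target month (Jan 31 -> Feb 28/29) instead of rolling into March.
function addOneMonthUtc(date) {
  const d = new Date(date.getTime());
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + 1);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

// Deadlines from Table 1, all measured from the major-incident classification time.
function reportDeadlines(classifiedAt) {
  const t = new Date(classifiedAt);
  return {
    initial: new Date(t.getTime() + 24 * HOUR_MS),
    intermediate: new Date(t.getTime() + 72 * HOUR_MS),
    final: addOneMonthUtc(t),
  };
}

// Per report: "submitted", "overdue", or "pending" with whole hours remaining.
// Returns null when the incident is not major (no reporting obligation tracked).
function reportStatus(incident, now) {
  if (!isMajor(incident)) return null;
  const status = {};
  for (const [name, due] of Object.entries(reportDeadlines(incident.classifiedAt))) {
    if (incident.submitted.includes(name)) status[name] = { state: "submitted" };
    else if (now > due) status[name] = { state: "overdue", due: due.toISOString() };
    else status[name] = { state: "pending", due: due.toISOString(), hoursLeft: Math.floor((due - now) / HOUR_MS) };
  }
  return status;
}

// Constructed sample: classified on a month-end date, initial report already sent.
const sample = {
  classifiedAt: "2025-01-31T10:00:00Z",
  maliciousUnauthorizedAccess: true, criticalServicesAffected: false,
  submitted: ["initial"],
};
console.log(reportStatus(sample, new Date("2025-02-03T11:00:00Z")));
```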

    Case generation in Digital resilience incident reporting

    When an incident is marked as critical in the Service Operations Workspace of the Incident Management application as shown in the example, a case is generated in Digital resilience incident reporting.


    The SIR Workspace deploys a similar workflow for reporting high-impact incidents which are then logged in Digital resilience incident reporting.