As soon as you receive the high-severity alert email or SMS, you should access the service immediately and set your status to in progress to acknowledge receipt of the alert.
You are not expected to provide lots of detail at this stage, but if you can provide any of the following information without delaying your acknowledgement, please do so.
This information can then feed into your response plan:
- what you have already done
- what you are going to do
- how many systems are affected (workstations, servers, firewalls, etc.)
- what your barriers to remediating might be
- what management sign-offs are required
- when you expect to complete remediation

If you are fairly confident that an alert is not applicable to your organisation, it is still helpful to provide a response plan, even if you then change your status shortly after.