Incident

Process Asset Library
Office of Information and Technology

Incident Management

Incident Management Process Map

The links in this process map are inactive. Please scroll to view activity data.

Process: Incident Management

Overview: The process map for Incident Management cycles through the following process and review activities:

- INM-01 Route Record
  - INM-01.01 Identify Need or Issue
  - INM-01.02 Log & Submit Record
  - INM-01.03 Receive & Review Record
  - INM-01.04 Determine what Process Should Handle the Record
  - INM-01.05 What Process should the Record be Routed to?
  - INM-01.06 Enterprise Service Request Management Practice
  - INM-01.07 Inform Requestor & Close Incident
- INM-02 Classify & Prioritize Incident
  - INM-02.01 Receive and Review Incident
  - INM-02.02 Suspected to be Cybersecurity or Privacy Related?
  - INM-02.03 Escalate To Support Specialist (Tier 2-3)
  - INM-02.04 Resolve and Close Security Incident
  - INM-02.05 Collect Information on Incident
  - INM-02.06 Has User Already Logged a Ticket for this Issue?
  - INM-02.07 Notify User of Existing Ticket
  - INM-02.08 Classify Incident
  - INM-02.09 Is There a Parent Ticket?
  - INM-02.10 Link New Ticket to Existing Parent Ticket
  - INM-02.11 Collect Additional Information
  - INM-02.12 Prioritize Incident
- INM-03 Assess & Investigate Incident
  - INM-03.01 Conduct Initial Investigation
  - INM-03.02 Major Incident?
  - INM-03.03 Review & Confirm that this is a Major Incident
  - INM-03.04 Major Incident?
  - INM-03.05 Execute Major Incident Procedures
- INM-04 Resolve Incident
  - INM-04.01 Research Solution
  - INM-04.02 Solution Available?
  - INM-04.03 Retrieve & Attempt Solution
  - INM-04.04 Verify Incident is Resolved
  - INM-04.05 Incident Resolved?
  - INM-04.06 Escalate & Reclassify as Necessary
  - INM-04.07 Review Ticket & Update Assignment
  - INM-04.08 Conduct Detailed Analysis
  - INM-04.09 Cybersecurity or Privacy-related?
  - INM-04.10 Management Review Required?
  - INM-04.11 Initiate Management Review Procedure
  - INM-04.12 Reclassify Incident?
  - INM-04.13 Reclassify Incident
  - INM-04.14 Escalation Required?
  - INM-04.15 Is a Change Necessary?
  - INM-04.16 Change Control Management
  - INM-04.17 Escalate to the Appropriate Group
  - INM-04.18 Review Ticket & Update Assignment
  - INM-04.19 Conduct Detailed Analysis
  - INM-04.20 Cybersecurity or Privacy-related?
  - INM-04.21 Attempt Resolution
  - INM-04.22 Verify Incident is Resolved
  - INM-04.23 Resolve and Close Security Incident
    - INM-04.23.01 Conduct Analysis
    - INM-04.23.02 Is Incident Privacy Related?
    - INM-04.23.03 Resolve Privacy Incident
    - INM-04.23.04 Is this a Major Incident?
    - INM-04.23.05 Escalate Major Incident Procedure
    - INM-04.23.06 Develop Mitigation
    - INM-04.23.07 Develop Containment
    - INM-04.23.08 Develop Recovery
    - INM-04.23.09 Serious Incident Resolved?
    - INM-04.23.10 Close Incident
  - INM-04.24 Attempt Resolution
  - INM-04.25 Verify Incident is Resolved
- INM-05 Close Incident
  - INM-05.01 Flag for Root Cause Analysis as Needed
  - INM-05.02 Problem Management
  - INM-05.03 Flag for Knowledge Article as Needed
  - INM-05.04 Knowledge Management
  - INM-05.05 Close Incident

Incident Management Description and Goals

Description

The Incident Management process provides details on restoring normal service operation as quickly as possible and minimizing the adverse impact on operations, thus ensuring that the best possible levels of service quality and availability are maintained within Service Level Agreement (SLA) limits.

Goals

The goals of Incident Management are:

- To restore normal service operation within SLA limits
- To provide effective and efficient management of the lifecycle of incidents cradle to grave
- To follow Swift Action Triage (SWAT) Protocol, as applicable

Incident Management RACI Information

The following describes the RACI information for this process:

INM-01.01 Identify Need or Issue

Responsible Role: Requestor Accountable Role: First Contact Support (Tier 1) Consulted Role: Requestor Informed Role: Requestor

INM-01.02 Log & Submit Record

Responsible Role: Requestor Accountable Role: First Contact Support (Tier 1) Consulted Role: Requestor Informed Role: Requestor

INM-01.03 Receive & Review Record

Responsible Role: First Contact Support (Tier 1) Accountable Role: Requestor Consulted Role: None Listed Informed Role: None Listed

INM-01.04 Determine what Process Should Handle the Record

Responsible Role: First Contact Support (Tier 1) Accountable Role: Requestor Consulted Role: None Listed Informed Role: None Listed

INM-01.05 What Process should the Record be Routed to?

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: None Listed Informed Role: None Listed

INM-01.06 Enterprise Service Request Management Practice

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: None Listed Informed Role: None Listed

INM-01.07 Inform Requestor & Close Incident

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor Informed Role: Requestor

INM-02.01 Receive and Review Incident

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor Informed Role: Requestor

INM-02.02 Suspected to be Cybersecurity or Privacy Related?

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: None Listed Informed Role: None Listed

INM-02.03 Escalate To Support Specialist (Tier 2-3)

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor; Tier 2-3 Support Informed Role: Requestor; Tier 2-3 Support

INM-02.04 Resolve and Close Security Incident

Responsible Role: Tier 2-3 Support Accountable Role: First Contact Support (Tier 1) Consulted Role: Requestor Informed Role: Incident Manager; Requestor

INM-02.05 Collect Information on Incident

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor Informed Role: Requestor

INM-02.06 Has User Already Logged a Ticket for this Issue?

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor Informed Role: Requestor

INM-02.07 Notify User of Existing Ticket

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor Informed Role: Requestor

INM-02.08 Classify Incident

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor Informed Role: Requestor

INM-02.09 Is There a Parent Ticket?

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor Informed Role: Requestor

INM-02.10 Link New Ticket to Existing Parent Ticket

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor Informed Role: Requestor

INM-02.11 Collect Additional Information

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor Informed Role: Requestor

INM-02.12 Prioritize Incident

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor Informed Role: Requestor

INM-03.01 Conduct Initial Investigation

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor; Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: None Listed

INM-03.02 Major Incident?

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Requestor; Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: None Listed

INM-03.03 Review & Confirm that this is a Major Incident

Responsible Role: Incident Manager Accountable Role: First Contact Support (Tier 1) Consulted Role: Requestor; Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: None Listed

INM-03.04 Major Incident?

Responsible Role: Incident Manager Accountable Role: First Contact Support (Tier 1) Consulted Role: Requestor; Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: None Listed

INM-03.05 Execute Major Incident Procedures

Responsible Role: Incident Manager Accountable Role: First Contact Support (Tier 1) Consulted Role: Requestor; Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: None Listed

INM-04.01 Research Solution

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.02 Solution Available?

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.03 Retrieve & Attempt Solution

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.04 Verify Incident is Resolved

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.05 Incident Resolved?

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.06 Escalate & Reclassify as Necessary

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.07 Review Ticket & Update Assignment

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: First Contact Support (Tier 1); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.08 Conduct Detailed Analysis

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: First Contact Support (Tier 1); Support Specialist (Tier 3) Informed Role: Requestor; Support Specialist (Tier 2)

INM-04.09 Cybersecurity or Privacy-related?

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: First Contact Support (Tier 1); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.10 Management Review Required?

Responsible Role: Incident Manager Accountable Role: First Contact Support (Tier 1) Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.11 Initiate Management Review Procedure

Responsible Role: Incident Manager Accountable Role: First Contact Support (Tier 1) Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.12 Reclassify Incident?

Responsible Role: Incident Manager Accountable Role: First Contact Support (Tier 1) Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.13 Reclassify Incident

Responsible Role: Support Specialist (Tier 3) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.14 Escalation Required?

Responsible Role: Incident Manager Accountable Role: First Contact Support (Tier 1) Consulted Role: None Listed Informed Role: None Listed

INM-04.15 Is a Change Necessary?

Responsible Role: Incident Manager Accountable Role: First Contact Support (Tier 1) Consulted Role: None Listed Informed Role: None Listed

INM-04.16 Change Control Management

Responsible Role: Incident Manager Accountable Role: First Contact Support (Tier 1) Consulted Role: None Listed Informed Role: Requestor

INM-04.17 Escalate to the Appropriate Group

Responsible Role: Incident Manager Accountable Role: First Contact Support (Tier 1) Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.18 Review Ticket & Update Assignment

Responsible Role: Support Specialist (Tier 3) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2) Informed Role: Requestor

INM-04.19 Conduct Detailed Analysis

Responsible Role: Support Specialist (Tier 3) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2) Informed Role: Requestor

INM-04.20 Cybersecurity or Privacy-related?

Responsible Role: Support Specialist (Tier 3) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2) Informed Role: Requestor

INM-04.21 Attempt Resolution

Responsible Role: Support Specialist (Tier 3) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2) Informed Role: Requestor

INM-04.22 Verify Incident is Resolved

Responsible Role: Support Specialist (Tier 3) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2) Informed Role: Requestor

INM-04.23.01 Conduct Analysis

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 3) Informed Role: Requestor

INM-04.23.02 Is Incident Privacy Related?

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: First Contact Support (Tier 1); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.23.03 Resolve Privacy Incident

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: First Contact Support (Tier 1); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.23.04 Is this a Major Incident?

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: First Contact Support (Tier 1); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.23.05 Escalate Major Incident Procedure

Responsible Role: Incident Manager Accountable Role: Support Specialist (Tier 2) Consulted Role: First Contact Support (Tier 1); Support Specialist (Tier 3) Informed Role: Requestor

INM-04.23.06 Develop Mitigation

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 3) Informed Role: Requestor

INM-04.23.07 Develop Containment

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 3) Informed Role: Requestor

INM-04.23.08 Develop Recovery

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 3) Informed Role: Requestor

INM-04.23.09 Serious Incident Resolved?

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 3) Informed Role: Requestor

INM-04.23.10 Close Incident

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 3) Informed Role: Requestor

INM-04.24 Attempt Resolution

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 3) Informed Role: Requestor

INM-04.25 Verify Incident is Resolved

Responsible Role: Support Specialist (Tier 2) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2) Informed Role: Requestor

INM-05.01 Flag for Root Cause Analysis as Needed

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-05.02 Problem Management

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-05.03 Flag for Knowledge Article as Needed

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-05.04 Knowledge Management

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

INM-05.05 Close Incident

Responsible Role: First Contact Support (Tier 1) Accountable Role: Incident Manager Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3) Informed Role: Requestor

Incident Management Associated Artifacts Information

Associated Artifacts information (including hyperlinks) for this process include:

- Incident Record Template
- Incident Ticket Record Template
- Request for Change

Incident Management Tools and Web Sites Information

The Tools and Web Sites associated with this process (including hyperlinks) include:

- IT

Incident Management Standards Information

Standards associated with this process (including hyperlinks) include:

- NIST Special Publication 800-160 V1, Systems Security Engineering
- VA Directive 6500, VA Cybersecurity Program
- VA Handbook 6500, Framework for VA Information Systems - Tier 3: VA Program
- VA Incident Management Process Definition Guide

Incident Management Process

Process Activity Name: INM-01 Route Record

Previous Activities: Process Begins
Next Activities: INM-01.01 Identify Need or Issue
Description: The sub-process, Route Record, cycles through the following dependent activities:
- Identify Need or Issue
- Log & Submit Record
- Receive & Review Record
- Determine What Process Should Handle the Record
- What Process Should the Record be Routed to?
- Enterprise Service Request Management Practice
- Inform Requestor & Close Incident

Process Activity Name: INM-01.01 Identify Need or Issue

Previous Activities: INM-01 Route Record
Next Activities: INM-01.02 Log & Submit Record
Description: The Requestor submits a new record for the incident and identifies the need or issue.
Input: Incident
Output: Incident Record
Associated Artifacts: Record Template
Responsible Role: Requestor
Accountable Role: First Contact Support (Tier 1)
Consulted Role: Requestor
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: Note: The Requestor may or may not be the end-user or affected party, as in certain cases those individuals may be unaware of an issue.

Process Activity Name: INM-01.02 Log & Submit Record

Previous Activities: INM-01.01 Identify Need or Issue
Next Activities: INM-01.03 Receive & Review Record
Description: The Requestor contacts First Contact Support through an authorized channel to submit an incident record about the need or issue.
Input: Incident Record
Output: Logged Incident Record
Associated Artifacts: Incident Record Template
Responsible Role: Requestor
Accountable Role: First Contact Support (Tier 1)
Consulted Role: Requestor
Informed Role: Requestor
Tools and Websites: IT Service Management

More Info: Refer to Appendix Section 6.5 for Incident Form Guidelines and Appendix Section 6.2 for Impact, Urgency & Priority guidelines.

Process Activity Name: INM-01.03 Receive & Review Record

Previous Activities: INM-01.02 Log & Submit Record
Next Activities: INM-01.04 Determine what Process Should Handle the Record
Description: The First Contact Support (Tier 1) Representative receives and reviews the incident record. The First Contact Support opens the incident record to understand the need or issue, leveraging any available information on configuration items (CIs), location, etc.
Input: Incident Record
Output: Received Incident Record
Associated Artifacts: Incident Record Template
Responsible Role: First Contact Support (Tier 1)
Accountable Role: Requestor
Consulted Role: None Listed
Informed Role: None Listed
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-01.04 Determine what Process Should Handle the Record

Previous Activities: INM-01.03 Receive & Review Record
Next Activities: INM-01.05 What Process should the Record be Routed to?
Description: The First Contact Support (Tier 1) reviews the record and determines what process should handle the record. Based on the details of the need or issue, the First Contact Support (Tier 1) determines if it is an incident, service request or a request for change (RFC). In some cases, service requests or requests for changes may be incorrectly submitted as incidents. Work notes must be captured along with categorization in advance of routing.
Input: Incident Record; Request for Change
Output: Incident Record Determination
Associated Artifacts: Incident Record Template; Request for Change
Responsible Role: First Contact Support (Tier 1)
Accountable Role: Requestor
Consulted Role: None Listed
Informed Role: None Listed
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-01.05 What Process should the Record be Routed to?

Previous Activities: INM-04 Resolve Incident
Next Activities:
- If "Request": INM-01.06 Enterprise Service Request Management Practice
- Or If "Incident": INM-02 Classify & Prioritize Incident
- Or If "Request for Change": INM-01.07 Inform Requestor & Close Incident
Description: The First Contact Support (Tier 1) representative makes a determination of how to route the record. If it is a Request Fulfillment record, it will be forwarded to the Request Fulfillment Request; if it is an Incident, it will move to the next sub-process to classify and prioritize the Incident; and if it is a request for Change the Requestor, the process continues to the next activity, Request for Change.
Responsible Role: First Contact Support (Tier 1)
Accountable Role: Incident Manager
Consulted Role: None Listed
Informed Role: None Listed

Process Activity Name: INM-01.06 Enterprise Service Request Management Practice

Previous Activities: INM-01.05 What Process should the Record be Routed to?
Next Activities:
- If "Go to Enterprise Service Request Management Practice": Enterprise Service Request Management Practices Process
- Or If "Stay in Incident Management": Process Ends
Description: The First Contact Support (Tier 1) uses the Enterprise Service Request Management Practice process, which outlines the scope, inputs, outputs, roles and responsibilities, and process flows supporting the Enterprise Service Request Management Practice.
Input: Record
Output: Updated Record
Associated Artifacts: None Listed
Responsible Role: First Contact Support (Tier 1)
Accountable Role: Incident Manager
Consulted Role: None Listed
Informed Role: None Listed
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-01.07 Inform Requestor & Close Incident

Previous Activities: INM-01.05 What Process should the Record be Routed to?
Next Activities: Process Ends
Description: The First Contact Support (Tier 1) representative informs the Requestor as to the nature of the request as it pertains to and closes the incident.
Input: Record
Output: Closed Record

Incident Management 30 Associated Artifacts None Listed Responsible Role First Contact Support (Tier 1) Accountable Role Incident Manager Consulted Role Requestor Informed Role Requestor Tools and Websites IT Service Management More Info None Listed Process Activity Name: INM-02 Classify & Prioritize Incident Previous Activities INM-01.05 What Process should the Record be Routed to? Next Activities INM-02.01 Receive and Review Incident Description The sub-process, Classify & Prioritize Incident, cycles through the following dependent activities: - Receive and Review Incident - Suspected to be Cybersecurity or Privacy Related? - Escalate To Support Specialist (Tier 2/3) - Resolve and Close Security Incident - Collect Information on Incident - Has User Already Logged a Ticket for this Issue? - Notify User of Existing Ticket - Classify Incident - Is There a Parent Ticket? - Link New Ticket to Existing Parent Ticket - Collect Additional Information

Incident Management 31 - Prioritize Incident Process Activity Name: INM-02.01 Receive and Review Incident Previous Activities INM-02 Classify & Prioritize Incident Next Activities INM-02.02 Suspected to be Cybersecurity or Privacy Related? Description The First Contact Support (Tier 1) receives and reviews the Incident Record. The First Contact Support opens the ticket and reviews the content to understand the need or issue. Input Incident Record Output Received and Reviewed Incident Record Associated Artifacts Incident Record Template Responsible Role First Contact Support (Tier 1) Accountable Role Incident Manager Consulted Role Requestor Informed Role Requestor Tools and Websites IT Service Management More Info None Listed Process Activity Name: INM-02.02 Suspected to be Cybersecurity or Privacy Related? Previous Activities INM-02.01 Receive and Review Incident Next Activities If "YES":

Incident Management 32 INM-02.03 Escalate To Support Specialist (Tier 2-3) Or If "NO": INM-02.05 Collect Information on Incident Description The First Contact Support (Tier 1) representative determines whether the incident is suspected to be cybersecurity-related in accordance with Security Playbook(s), e.g., NIST SP 800-61, VA Handbook 6500, and VA NSOC Cyber-Security Response Plan). (Yes) or not (No). Responsible Role First Contact Support (Tier 1) Accountable Role Incident Manager Consulted Role None Listed Informed Role None Listed Process Activity Name: INM-02.03 Escalate To Support Specialist (Tier 2-3) Previous Activities INM-02.02 Suspected to be Cybersecurity or Privacy Related? Next Activities INM-02.04 Resolve and Close Security Incident Description The First Contact Support (Tier 1) determines the escalation group which the incident should be forwarded. The initial classification may assist in determining the appropriate escalation point for a given ticket.

Urgency, impact and priority should be entered according to guidance from Security Playbooks/SOPs. See Appendix Section 6.2 for Impact, Urgency, and Priority guidelines. Input Incident Record Output Escalated Incident Record Associated Artifacts

None Listed
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Requestor; Tier 2-3 Support
Informed Role
Requestor; Tier 2-3 Support
Tools and Websites
IT Service Management
More Info
Incident reclassification, if applicable, must be captured along with work notes in advance of escalation or re-routing.

Process Activity Name: INM-02.04 Resolve and Close Security Incident
Previous Activities
INM-02.03 Escalate To Support Specialist (Tier 2-3)
Next Activities
Process Ends
Description
The Tier 2-3 Support staff resolves and closes the security Incident per the Security Incident Playbook.
Input
Incident Record
Output
Resolved Incident Record
Associated Artifacts
None Listed
Responsible Role
Tier 2-3 Support
Accountable Role
First Contact Support (Tier 1)

Consulted Role
Requestor
Informed Role
Incident Manager; Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-02.05 Collect Information on Incident
Previous Activities
INM-02.02 Suspected to be Cybersecurity or Privacy Related?
Next Activities
INM-02.06 Has User Already Logged a Ticket for this Issue?
Description
The First Contact Support (Tier 1) collects information on the incident. If the ticket lacks details, the analyst can contact the logger to request additional information. Additional information is captured in the work notes.
Input
Incident Record
Output
Updated Incident Record
Associated Artifacts
Incident Record Template
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Requestor
Informed Role
Requestor
Tools and Websites
IT Service Management

More Info
None Listed

Process Activity Name: INM-02.06 Has User Already Logged a Ticket for this Issue?
Previous Activities
INM-02.05 Collect Information on Incident
Next Activities
If "YES": INM-02.07 Notify User of Existing Ticket
Or If "NO": INM-02.08 Classify Incident
Description
The First Contact Support (Tier 1) reviews records for the Requestor to determine whether that specific incident has already been reported and logged (Yes or No decision).
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Requestor
Informed Role
Requestor

Process Activity Name: INM-02.07 Notify User of Existing Ticket
Previous Activities
INM-02.06 Has User Already Logged a Ticket for this Issue?
Next Activities
Process Ends
Description
If the Requestor had already logged a ticket for the issue, the First Contact Support (Tier 1) representative informs the Requestor and provides her/him with the status of the ticket and updates the ticket with work notes.
Input

Incident Record
Output
Updated Incident Record
Associated Artifacts
None Listed
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Requestor
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-02.08 Classify Incident
Previous Activities
INM-02.06 Has User Already Logged a Ticket for this Issue?
Next Activities
INM-02.09 Is There a Parent Ticket?
Description
The First Contact Support (Tier 1) representative classifies the incident by choosing the appropriate impacted service/configuration items (CIs), or location.
Input
Incident Record
Output
Classified Incident Record
Associated Artifacts
None Listed
Responsible Role
First Contact Support (Tier 1)

Accountable Role
Incident Manager
Consulted Role
Requestor
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-02.09 Is There a Parent Ticket?
Previous Activities
INM-02.08 Classify Incident
Next Activities
If "YES": INM-02.10 Link New Ticket to Existing Parent Ticket
Or If "NO": INM-02.11 Collect Additional Information
Description
The First Contact Support (Tier 1), using key words, verifies if the declared incident is related to any existing incident(s). (YES/NO Decision)
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Requestor
Informed Role
Requestor

Process Activity Name: INM-02.10 Link New Ticket to Existing Parent Ticket
Previous Activities

INM-02.09 Is There a Parent Ticket?
Next Activities
Process Ends
Description
The First Contact Support (Tier 1) representative links the tickets to reflect the relationship (e.g., parent-child). Resolution activities will continue against the parent incident. Once the parent incident is closed, all child incidents will be closed.
Input
Incident Record
Output
Updated Incident Record
Associated Artifacts
None Listed
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Requestor
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-02.11 Collect Additional Information
Previous Activities
INM-02.09 Is There a Parent Ticket?
Next Activities
INM-02.12 Prioritize Incident
Description
If an existing parent ticket exists, the First Contact Support (Tier 1) representative collects more information on the incident, as necessary, and captures the information in the work notes.

Input
Incident Record
Output
Updated Incident Record
Associated Artifacts
None Listed
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Requestor
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-02.12 Prioritize Incident
Previous Activities
INM-02.11 Collect Additional Information
Next Activities
INM-03 Assess & Investigate Incident
Description
The First Contact Support (Tier 1) representative prioritizes the incident. Based on the information collected and the incident’s impact and urgency, the priority is automatically calculated. See Appendix Section 6.2 for Impact, Urgency, and Priority guidelines. Priority assignment can be overwritten by the analyst.
Input
Incident Record
Output
Prioritized Incident Record
Associated Artifacts

None Listed
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Requestor
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-03 Assess & Investigate Incident
Previous Activities
INM-02.12 Prioritize Incident
Next Activities
INM-03.01 Conduct Initial Investigation
Description
The sub-process, Assess & Investigate Incident, cycles through the following dependent activities:
- Conduct Initial Investigation
- Major Incident?
- Review & Confirm that this is a Major Incident
- Major Incident?
- Execute Major Incident Procedures

Process Activity Name: INM-03.01 Conduct Initial Investigation
Previous Activities
INM-03 Assess & Investigate Incident
Next Activities
INM-03.02 Major Incident?
Description

The First Contact Support (Tier 1) representative, using the knowledgebase, the known error database and valuable information on Configuration Items (CIs), investigates the incident. Additional information is captured in the work notes.
Input
Incident Record
Output
Updated Incident Record
Associated Artifacts
None Listed
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Requestor; Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
None Listed
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-03.02 Major Incident?
Previous Activities
INM-03.01 Conduct Initial Investigation
Next Activities
If "YES": INM-03.03 Review & Confirm that this is a Major Incident
Or If "NO": INM-04 Resolve Incident
Description
The First Contact Support (Tier 1) determines whether the Incident is a Major Incident (Yes) or not (No).

A Major Incident is an incident for which the degree of impact on the user community is extreme, or where the disruption is excessive and which requires a response that is above and beyond that given to normal incidents. It may include any failure to an application, system, or service that will result in financial impact, reputational impact, or a catastrophic loss of business services, if not resolved in a timely manner. If the incident priority previously selected is 1 or 2, the analyst informs the Incident Manager that this is a major incident.
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Requestor; Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
None Listed

Process Activity Name: INM-03.03 Review & Confirm that this is a Major Incident
Previous Activities
INM-03.02 Major Incident?
Next Activities
INM-03.04 Major Incident?
Description
The Incident Manager reviews the Incident Record and confirms that the incident meets the guidelines of a major incident. The manager reviews the details of the incident and the results of the initial investigation and confirms whether the incident is major or not.
Input
Incident Record
Output
Confirmed Major Incident Record
Associated Artifacts
None Listed
Responsible Role
Incident Manager
Accountable Role
First Contact Support (Tier 1)

Consulted Role
Requestor; Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
None Listed
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-03.04 Major Incident?
Previous Activities
INM-03.03 Review & Confirm that this is a Major Incident
Next Activities
If "YES": INM-03.05 Execute Major Incident Procedures
Or If "NO": INM-04 Resolve Incident
Description
The Incident Manager determines if the incident falls into the guidelines and meets the criteria of a major incident (Yes) or not (No).
Responsible Role
Incident Manager
Accountable Role
First Contact Support (Tier 1)
Consulted Role
Requestor; Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
None Listed

Process Activity Name: INM-03.05 Execute Major Incident Procedures
Previous Activities
INM-03.04 Major Incident?
Next Activities
INM-04 Resolve Incident

Description
The Incident Manager initiates the Major Incident Procedures. Activities include escalating to the appropriate tier for resolution and informing the appropriate OIT executives via the appropriate hierarchic escalation path. Refer to Appendix Section 6.4 for Major Incident SOP guidelines.
Input
Incident Record
Output
Executed Major Incident Procedures
Associated Artifacts
None Listed
Responsible Role
Incident Manager
Accountable Role
First Contact Support (Tier 1)
Consulted Role
Requestor; Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
None Listed
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04 Resolve Incident
Previous Activities
INM-03.02 Major Incident?
Or INM-03.04 Major Incident?
Or INM-03.05 Execute Major Incident Procedures
Next Activities
INM-04.01 Research Solution
Description

The sub-process, Resolve Incident, cycles through the following dependent activities:
- Research Solution
- Solution Available?
- Retrieve & Attempt Solution
- Verify Incident is Resolved
- Incident Resolved?
- Escalate & Reclassify as Necessary
- Review Ticket & Update Assignment
- Conduct Detailed Analysis
- Cybersecurity or Privacy-related?
- Resolve & Close Security Incident
- Management Review Required?
- Initiate Management Review Procedure
- Reclassify Incident?
- Escalation Required?
- Escalate to the Appropriate Group
- Is a Change Necessary?
- Change Control Management
- Review Ticket & Update Assignment
- Conduct Detailed Analysis
- Cybersecurity or Privacy-related?
- Conduct Detailed Analysis
- Attempt Resolution
- Verify Incident is Resolved

Process Activity Name: INM-04.01 Research Solution
Previous Activities
INM-04 Resolve Incident
Next Activities
INM-04.02 Solution Available?
Description
The First Contact Support (Tier 1) analyst tries to find a workaround or a resolution to the incident using the known errors database and the knowledge base. Additional information is captured in the work notes.

Input
Incident Record
Output
Researched Incident Record
Associated Artifacts
Incident Record Template
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04.02 Solution Available?
Previous Activities
INM-04.01 Research Solution
Next Activities
If "YES": INM-04.03 Retrieve & Attempt Solution
Or If "NO": INM-04.06 Escalate & Reclassify as Necessary
Description
The First Contact Support (Tier 1) analyst determines whether a workaround or solution is available (Yes) or not (No). If there is no workaround or solution available, they escalate the incident to the appropriate group of Support Specialists.
Responsible Role
First Contact Support (Tier 1)

Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
Requestor

Process Activity Name: INM-04.03 Retrieve & Attempt Solution
Previous Activities
INM-04.02 Solution Available?
Next Activities
INM-04.04 Verify Incident is Resolved
Description
The First Contact Support (Tier 1) analyst attempts to resolve the incident using defined scripts, a knowledge article from the knowledge base, or a workaround highlighted in the known error database. The analyst references the knowledge article or the known error record in the incident ticket.
Input
Incident Record
Output
Incident Record Solution
Associated Artifacts
Incident Record Template
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info

Activities must be completed within the SLA. Refer to Appendix Section 6.3 for Incident SLA targets. Functional and hierarchic escalation must be executed prior to breach of SLA. If SLA breach occurs, Incident Manager must notify Leadership.

Process Activity Name: INM-04.04 Verify Incident is Resolved
Previous Activities
INM-04.03 Retrieve & Attempt Solution
Next Activities
INM-04.05 Incident Resolved?
Description
Sufficient testing must be performed to ensure that the recovery action is complete and that normal state service operation has been restored. Update the incident ticket with resolution details.
Input
Incident Record
Output
Resolved Incident Record
Associated Artifacts
Incident Record Template
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
The First Contact Support (Tier 1) may contact the Requestor to verify that the incident is resolved on her/his end.

Process Activity Name: INM-04.05 Incident Resolved?
Previous Activities
INM-04.04 Verify Incident is Resolved

Next Activities
If "YES": INM-05 Close Incident
Or If "NO": INM-04.06 Escalate & Reclassify as Necessary
Description
The First Contact Support (Tier 1) representative determines if the incident is resolved (Yes) or not (No).
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
Requestor

Process Activity Name: INM-04.06 Escalate & Reclassify as Necessary
Previous Activities
INM-04.05 Incident Resolved?
Next Activities
INM-04.07 Review Ticket & Update Assignment
Description
The First Contact Support (Tier 1) representative escalates the Incident to the Support Specialist (Tier 2) representative who determines the escalation group to which the incident should be forwarded. The initial classification may assist in determining the appropriate escalation point for a given ticket. Incident reclassification, if applicable, must be captured along with work notes in advance of escalation or re-routing.
Input
Incident Record
Output
Escalated Incident Record; Reclassified Incident Record
Associated Artifacts

Incident Ticket; Request for Change
Responsible Role
First Contact Support (Tier 1)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04.07 Review Ticket & Update Assignment
Previous Activities
INM-04.06 Escalate & Reclassify as Necessary
Next Activities
INM-04.08 Conduct Detailed Analysis
Description
The Support Specialist reviews the ticket and updates the new incident owner assigned. The Support Specialist notifies the new incident owner of the assignment, reviews the audit log to determine actions taken to resolve, ensures the incident assignment is properly updated, and confirms incident classification, impacted CIs and associated records.
Input
Incident Record
Output
Updated Incident Record
Associated Artifacts
Incident Ticket; Request for Change
Responsible Role
Support Specialist (Tier 2)

Accountable Role
Incident Manager
Consulted Role
First Contact Support (Tier 1); Support Specialist (Tier 3)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04.08 Conduct Detailed Analysis
Previous Activities
INM-04.07 Review Ticket & Update Assignment
Next Activities
INM-04.09 Cybersecurity or Privacy-related?
Description
The assigned Support Specialist (Tier 2) conducts a detailed analysis of the incident and transfers the incident to other Support Specialist (Tier 2) groups, as necessary. The assigned Support Specialist ensures impacted Configuration Items (CIs) are updated prior to transfer, as necessary, and updates the work notes of the incident ticket with the diagnosis progress.
Input
Incident Ticket; Change Request
Output
Analyzed Incident Ticket
Associated Artifacts
Incident Ticket; Request for Change
Responsible Role
Support Specialist (Tier 2)
Accountable Role
Incident Manager
Consulted Role
First Contact Support (Tier 1); Support Specialist (Tier 3)

Informed Role
Requestor; Support Specialist (Tier 2)
Tools and Websites
IT Service Management
More Info
Activities must be completed within the SLA. Refer to Appendix Section 6.3 for Incident SLA timeframes. Functional and hierarchic escalation must be executed prior to breach of SLA. If SLA breach occurs, Incident Manager must notify Leadership.

Process Activity Name: INM-04.09 Cybersecurity or Privacy-related?
Previous Activities
INM-04.08 Conduct Detailed Analysis
Next Activities
If "YES": INM-04.10 Management Review Required?
Or If "NO": INM-04.11 Initiate Management Review Procedure
Description
The Support Specialist (Tier 2) determines whether the incident is suspected to be cybersecurity-related (Yes) or not (No) in accordance with Security Playbook(s) (e.g., NIST SP 800-61, VA Handbook 6500, VA NSOC Cyber-Security Response Plan).
Responsible Role
Support Specialist (Tier 2)
Accountable Role
Incident Manager
Consulted Role
First Contact Support (Tier 1); Support Specialist (Tier 3)
Informed Role
Requestor

Process Activity Name: INM-04.10 Management Review Required?
Previous Activities
INM-04.09 Cybersecurity or Privacy-related?
Next Activities
If "YES":

INM-04.11 Initiate Management Review Procedure
Or If "NO": INM-04.14 Escalation Required?
Description
The Incident Manager reviews the Incident Record to determine if a Management Review is required (Yes) or not (No). If the incident has been escalated or bounced around too many times, if there is no known error and workaround related to the incident or if SLAs have been breached, the Incident Manager can decide to trigger the Management Review procedure.
Responsible Role
Incident Manager
Accountable Role
First Contact Support (Tier 1)
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
Requestor

Process Activity Name: INM-04.11 Initiate Management Review Procedure
Previous Activities
INM-04.10 Management Review Required?
Next Activities
INM-04.12 Reclassify Incident?
Description
The Incident Manager reviews and initiates the Management Review procedure for the incident record. The goal of the review is to ensure that somebody takes ownership of the incident and resolves it. In order to do so, Management can decide to trigger the major incident procedure or to forward the incident to Problem Management. Depending on the outcome, the review activity may flow back to different parts of the Incident Management process for rework.
Input
Incident Record
Output
Management Review Initiated
Associated Artifacts
None Listed

Responsible Role
Incident Manager
Accountable Role
First Contact Support (Tier 1)
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04.12 Reclassify Incident?
Previous Activities
INM-04.11 Initiate Management Review Procedure
Next Activities
If "YES": INM-04.13 Reclassify Incident
Or If "NO": Process Ends
Description
The Incident Manager determines if the incident needs to be reclassified (Yes) or not (No). The Incident Manager uses the analysis performed by the Support Specialist and Incident Manager to determine whether the incident was originally categorized with respect to the appropriate impacted service/CIs, location, etc. Incident reclassification, if applicable, must be captured along with work notes in advance of escalation or re-routing.
Responsible Role
Incident Manager
Accountable Role
First Contact Support (Tier 1)
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role

Requestor

Process Activity Name: INM-04.13 Reclassify Incident
Previous Activities
INM-04.12 Reclassify Incident?
Next Activities
Process Ends
Description
The Support Specialist (Tier 3) representative reclassifies the incident based upon recommendations from the Incident Manager. The Support Specialist (Tier 3) reclassifies the Incident with respect to the appropriate impacted service/Configuration Items (CIs), location, etc. The Incident reclassification must be captured along with work notes in advance of escalation or re-routing.
Input
Incident Record
Output
Reclassified Incident Record
Associated Artifacts
None Listed
Responsible Role
Support Specialist (Tier 3)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
(Note: Depending on the decision made by Incident Management, the incident may flow back to different parts of the Incident Management process for rework, be routed to Problem Management, or be declared a major incident.)

Process Activity Name: INM-04.14 Escalation Required?
Previous Activities

INM-04.10 Management Review Required?
Next Activities
If "YES": INM-04.17 Escalate to the Appropriate Group
Or If "NO": INM-04.15 Is a Change Necessary?
Description
The Incident Manager determines if the Incident requires escalation to an internal team with greater expertise or to the vendor (Yes) or not (No). They may also determine if the Incident needs to transfer to a different group within the same support tier. If the incident needs further investigation, it doesn’t mean that it necessarily needs to be escalated. The same group can maintain ownership for additional diagnosis and resolution.
Responsible Role
Incident Manager
Accountable Role
First Contact Support (Tier 1)
Consulted Role
None Listed
Informed Role
None Listed

Process Activity Name: INM-04.15 Is a Change Necessary?
Previous Activities
INM-04.14 Escalation Required?
Next Activities
If "YES": INM-04.16 Change Control Management
Or If "NO": INM-04.24 Attempt Resolution
Description
The Incident Manager determines if a request for change must be raised to resolve the incident (Yes) or not (No), based upon inputs from the Support Specialists.
Responsible Role

Incident Manager
Accountable Role
First Contact Support (Tier 1)
Consulted Role
None Listed
Informed Role
None Listed

Process Activity Name: INM-04.16 Change Control Management
Previous Activities
INM-04.15 Is a Change Necessary?
Next Activities
If "Go to Change Control Management": Change Control Management Process
Or If "Stay In Incident Management": INM-04.24 Attempt Resolution
Description
The Incident Manager submits a change request in the Change Control Management process per the Change Control Management guidelines.
Input
Incident Record
Output
Change Management Request
Associated Artifacts
None Listed
Responsible Role
Incident Manager
Accountable Role
First Contact Support (Tier 1)
Consulted Role
None Listed
Informed Role
Requestor

Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04.17 Escalate to the Appropriate Group
Previous Activities
INM-04.14 Escalation Required?
Next Activities
INM-04.18 Review Ticket & Update Assignment
Description
The Incident Manager escalates the Incident Record to the Support Specialist (Tier 2) representative based upon a determination that: 1) the incident requires escalation to an internal team with greater expertise, 2) the incident requires escalation to the vendor, or 3) the incident must be transferred to a different group within the same support tier. Incident reclassification, if applicable, must be captured along with work notes in advance of escalation or re-routing.
Input
Incident Record
Output
Escalated Incident Record
Associated Artifacts
None Listed
Responsible Role
Incident Manager
Accountable Role
First Contact Support (Tier 1)
Consulted Role
Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04.18 Review Ticket & Update Assignment
Previous Activities
INM-04.17 Escalate to the Appropriate Group
Next Activities
INM-04.19 Conduct Detailed Analysis
Description
The Support Specialist (Tier 3) representative reviews and updates the Incident Record with the point of contact information and next steps. The new incident owner is informed that the incident has been assigned to her/him. The Support Specialist reviews the audit log to determine actions taken to resolve; ensures the incident assignment is updated; and confirms incident classification, assignment, impacted CIs, and associated records.
Input
Incident Record
Output
Updated Incident Record
Associated Artifacts
None Listed
Responsible Role
Support Specialist (Tier 3)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04.19 Conduct Detailed Analysis
Previous Activities
INM-04.18 Review Ticket & Update Assignment
Next Activities

INM-04.20 Cybersecurity or Privacy-related?
Description
The Support Services (Tier 3) conducts a detailed analysis of the incident to determine a root cause and further investigates the incident. Upon completion, the Support Services (Tier 3) transfers the incident to other Support Specialist (Tier 3) groups, as necessary, who ensure impacted Configuration Items (CIs) are updated prior to transfer, as necessary, and updates the work notes of the incident ticket with the diagnosis progress.
Input
Incident Record
Output
Analyzed Incident Record
Associated Artifacts
None Listed
Responsible Role
Support Specialist (Tier 3)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
Activities must be completed within the SLA. Refer to Appendix Section 6.3 for Incident SLA timeframes. Functional and hierarchic escalation must be executed prior to breach of SLA. If SLA breach occurs, Incident Manager must notify Leadership.

(Note: Incident Ticket may be flagged at this stage for root cause analysis)

Process Activity Name: INM-04.20 Cybersecurity or Privacy-related?
Previous Activities
INM-04.19 Conduct Detailed Analysis
Next Activities
If "YES":

INM-04.23 Resolve and Close Security Incident
Or If "NO": INM-04.21 Attempt Resolution
Description
The Support Services (Tier 3) determines whether the incident is suspected to be Cybersecurity or Privacy-related (Yes) or not (No) in accordance with Security Playbook(s) (e.g., NIST SP 800-61, VA Handbook 6500, VA NSOC Cyber-Security Response Plan).
Responsible Role
Support Specialist (Tier 3)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2)
Informed Role
Requestor

Process Activity Name: INM-04.21 Attempt Resolution
Previous Activities
INM-04.20 Cybersecurity or Privacy-related?
Next Activities
INM-04.22 Verify Incident is Resolved
Description
The Support Specialist (Tier 3) attempts to resolve the incident (using scripts, knowledgebase content or other resources) and updates the incident ticket with the resolution progress.
Input
Incident Record
Output
Updated Incident Record
Associated Artifacts
None Listed
Responsible Role
Support Specialist (Tier 3)
Accountable Role

Incident Manager
Consulted Role
Support Specialist (Tier 2)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04.22 Verify Incident is Resolved
Previous Activities
INM-04.21 Attempt Resolution
Next Activities
INM-04.05 Incident Resolved?
Description
The Support Specialist (Tier 3) representative confirms the Incident is resolved through testing & user confirmation. Sufficient testing must be performed to ensure the recovery action is complete and normal state service operation has been restored. The Requestor must be contacted to verify the incident is resolved on her/his end. The Support Specialist (Tier 3) representative updates the incident ticket with resolution details.
Input
Incident Record
Output
Resolved Incident Record
Associated Artifacts
None Listed
Responsible Role
Support Specialist (Tier 3)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 2)
Informed Role
Requestor

Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04.23 Resolve and Close Security Incident
Previous Activities
INM-04.09 Cybersecurity or Privacy-related?
Or INM-04.20 Cybersecurity or Privacy-related?
Next Activities
INM-04.23.01 Conduct Analysis
Description
The sub-process, Resolve and Close Security Incident, cycles through the following dependent activities:
- Conduct Analysis
- Is Incident Privacy Related?
- Resolve Privacy Incident
- Is this a Major Incident?
- Escalate Major Incident Procedure
- Develop Mitigation
- Develop Containment
- Develop Recovery
- Serious Incident Resolved?
- Close Incident

Process Activity Name: INM-04.23.01 Conduct Analysis
Previous Activities
INM-04.23 Resolve and Close Security Incident
Or INM-04.23.09 Serious Incident Resolved?
Next Activities
INM-04.23.02 Is Incident Privacy Related?
Description

The Support Specialist (Tier 2) representative in conjunction with the assigned Support Specialist (Tier 3) representative(s) further investigates the suspected cybersecurity-related incident. The Support Specialist (Tier 2) representative updates the work notes of the incident ticket with the diagnosis progress.
Input
Incident Record
Output
Analyzed Incident Record
Associated Artifacts
None Listed
Responsible Role
Support Specialist (Tier 2)
Accountable Role
Incident Manager
Consulted Role
Support Specialist (Tier 3)
Informed Role
Requestor
Tools and Websites
IT Service Management
More Info
None Listed

Process Activity Name: INM-04.23.02 Is Incident Privacy Related?
Previous Activities
INM-04.23.01 Conduct Analysis
Next Activities
If "YES": INM-04.23.03 Resolve Privacy Incident
Or If "NO": INM-04.23.04 Is this a Major Incident?
Description

Incident Management 65 The Support Specialist (Tier 2) determines whether the incident is privacy-related in accordance with Security Playbook(s), e.g., NIST SP 800-61, VA Handbook 6500, VA NSOC Cyber- Security Response Plan, (Yes) or not (No). Responsible Role Support Specialist (Tier 2) Accountable Role Incident Manager Consulted Role First Contact Support (Tier 1); Support Specialist (Tier 3) Informed Role Requestor Process Activity Name: INM-04.23.03 Resolve Privacy Incident Previous Activities INM-04.23.02 Is Incident Privacy Related? Next Activities INM-04.23.04 Is this a Major Incident? Description The Support Specialist (Tier 2), in conjunction with the assigned Support Specialist (Tier 3) representative(s), work to resolve the privacy Incident in accordance with the Security Incident Playbook. Input Incident Record Output Resolved Incident Record Associated Artifacts None Listed Responsible Role Support Specialist (Tier 2) Accountable Role Incident Manager Consulted Role First Contact Support (Tier 1); Support Specialist (Tier 3) Informed Role Requestor

Incident Management 66 Tools and Websites IT Service Management More Info Refer to Security Playbook(s) (e.g., NIST SP 800-61, VA Handbook 6500, VA NSOC Cyber- Security Response Plan) for guidance on privacy-related incident resolution activities. Process Activity Name: INM-04.23.04 Is this a Major Incident? Previous Activities INM-04.23.02 Is Incident Privacy Related? Or INM-04.23.03 Resolve Privacy Incident Next Activities If "YES": INM-04.23.05 Escalate Major Incident Procedure Or If "NO": INM-04.23.06 Develop Mitigation Description The Support Specialist (Tier 2) representative working with Support Specialist (Tier 3) representative makes a determination if this is a Major Incident (Yes) or not (No).

A Major Incident is one in which 1) the degree of impact on the user community is extreme, or 2) the disruption is excessive and requires a response that is above and beyond that given to normal incidents. It may include any failure of an application, system, or service that will result in financial impact, reputational impact, or a catastrophic loss of business services, if not resolved in a timely manner.

If the cybersecurity-related incident priority previously selected is 1 or 2, the analyst informs the manager that this is a major incident. Refer to Appendix Section 6.2.5 for Cyber-Security Incident prioritization.

Responsible Role: Support Specialist (Tier 2)
Accountable Role: Incident Manager
Consulted Role: First Contact Support (Tier 1); Support Specialist (Tier 3)
Informed Role: Requestor

Process Activity Name: INM-04.23.05 Escalate Major Incident Procedure
Previous Activities: INM-04.23.04 Is this a Major Incident?
Next Activities: INM-04.23.06 Develop Mitigation
Description: The Incident Manager, working with the appropriate Support Specialists, escalates the incident in accordance with the Major Incident Playbook guidelines.
Input: Incident Record
Output: Escalated Incident Record
Associated Artifacts: None Listed
Responsible Role: Incident Manager
Accountable Role: Support Specialist (Tier 2)
Consulted Role: First Contact Support (Tier 1); Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: Refer to Security Playbook(s) (e.g., NIST SP 800-61, VA Handbook 6500, VA NSOC Cyber-Security Response Plan) for the applicable suspected cybersecurity-related Major Incident Procedure.

Process Activity Name: INM-04.23.06 Develop Mitigation
Previous Activities: INM-04.23.04 Is this a Major Incident? Or INM-04.23.05 Escalate Major Incident Procedure
Next Activities: INM-04.23.07 Develop Containment
Description: The Support Specialist (Tier 2) representatives, in conjunction with the Support Specialist (Tier 3) representative(s), follow guidelines in the Security Playbook, NIST SP 800-61, VA Handbook 6500, and VA NSOC Cyber-Security Response Plan to develop applicable mitigation actions.
Input: Incident Request
Output: Incident Request Mitigation Actions
Associated Artifacts: None Listed
Responsible Role: Support Specialist (Tier 2)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-04.23.07 Develop Containment
Previous Activities: INM-04.23.06 Develop Mitigation
Next Activities: INM-04.23.08 Develop Recovery
Description: The Support Specialist (Tier 2) representative, in conjunction with the Support Specialist (Tier 3) representative(s), follows guidelines in the Security Playbook, NIST SP 800-61, VA Handbook 6500, and VA NSOC Cyber-Security Response Plan to develop applicable containment activities.
Input: Incident Record
Output: Incident Record Containment Activities
Associated Artifacts: None Listed
Responsible Role: Support Specialist (Tier 2)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-04.23.08 Develop Recovery
Previous Activities: INM-04.23.07 Develop Containment
Next Activities: INM-04.23.09 Serious Incident Resolved?
Description: The Support Specialist (Tier 2) representatives, in conjunction with the Support Specialist (Tier 3) representative(s), follow guidelines in the Security Playbook, NIST SP 800-61, VA Handbook 6500, and VA NSOC Cyber-Security Response Plan to develop applicable recovery activities.
Input: Incident Record
Output: Incident Record Recovery Activities
Associated Artifacts: None Listed
Responsible Role: Support Specialist (Tier 2)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-04.23.09 Serious Incident Resolved?
Previous Activities: INM-04.23.08 Develop Recovery
Next Activities: If "YES": INM-04.23.10 Close Incident Or If "NO": INM-04.23.01 Conduct Analysis
Description: Based on applicable cybersecurity-related incident resolution acceptance criteria, the Support Specialist (Tier 2) determines if the incident has been resolved (Yes) or not (No).
Responsible Role: Support Specialist (Tier 2)
Accountable Role: Incident Manager

Consulted Role: Support Specialist (Tier 3)
Informed Role: Requestor

Process Activity Name: INM-04.23.10 Close Incident
Previous Activities: INM-04.23.09 Serious Incident Resolved?
Next Activities: Process Ends
Description: The Support Specialist (Tier 2) representative, in conjunction with the Support Specialist (Tier 3) representative(s), closes out the incident in accordance with the Security Playbook, NIST SP 800-61, VA Handbook 6500, and VA NSOC Cyber-Security Response Plan.
Input: Incident Record
Output: Closed Incident Record
Associated Artifacts: None Listed
Responsible Role: Support Specialist (Tier 2)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-04.24 Attempt Resolution
Previous Activities: INM-04.22 Verify Incident is Resolved
Next Activities: INM-04.25 Verify Incident is Resolved
Description: The Support Specialist (Tier 2) attempts to resolve the incident using scripts, knowledge base content, or other resources. Update the incident ticket with the resolution progress.
Input: Incident Record
Output: Updated Incident Record
Associated Artifacts: None Listed
Responsible Role: Support Specialist (Tier 2)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-04.25 Verify Incident is Resolved
Previous Activities: INM-04.24 Attempt Resolution
Next Activities: INM-04.05 Incident Resolved?
Description: The Support Specialist (Tier 2) representative confirms the Incident is resolved through testing & user confirmation. Sufficient testing must be performed to ensure that the recovery action is complete and that normal state service operation has been restored. The end-user must be contacted to verify that the incident is resolved on her/his end. Update the incident ticket with resolution details.
Input: Incident Record
Output: Resolved Incident Record
Associated Artifacts: None Listed
Responsible Role: Support Specialist (Tier 2)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 2)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-05 Close Incident
Previous Activities: INM-04.05 Incident Resolved?
Next Activities: INM-05.01 Flag for Root Cause Analysis as Needed
Description: The sub-process, Close Incident, cycles through the following dependent activities:
- Flag for Root Cause Analysis as Needed
- Problem Management
- Flag for Knowledge Article as Needed
- Knowledge Management
- Close Incident

Process Activity Name: INM-05.01 Flag for Root Cause Analysis as Needed
Previous Activities: INM-05 Close Incident
Next Activities: INM-05.02 Problem Management And INM-05.03 Flag for Knowledge Article as Needed
Description: The First Contact Support (Tier 1) flags the Incident for Root Cause Analysis. If the incident had no identified root cause and if it was important enough (priority 1 & 2), it should be flagged to Problem Management.

Input: Incident Record
Output: Updated Incident Record
Associated Artifacts: None Listed
Responsible Role: First Contact Support (Tier 1)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-05.02 Problem Management
Previous Activities: INM-05.01 Flag for Root Cause Analysis as Needed
Next Activities: If "Go to Problem Management": Problem Management Process Or If "Stay in Incident Management": INM-05.03 Flag for Knowledge Article as Needed
Description: The First Contact Support (Tier 1) submits a request to update the Problem Management process if the incident has no identified root cause and if it is important enough (priority 1 & 2).
Input: Incident Record
Output: Problem Management Record
Associated Artifacts: None Listed
Responsible Role: First Contact Support (Tier 1)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-05.03 Flag for Knowledge Article as Needed
Previous Activities: INM-05.01 Flag for Root Cause Analysis as Needed
Next Activities: INM-05.04 Knowledge Management And INM-05.05 Close Incident
Description: The First Contact Support (Tier 1) representative flags the incident for Knowledge Management if, for any reason, a knowledge article seems valuable for future incidents.
Input: Incident Record
Output: Knowledge Management Record
Associated Artifacts: None Listed
Responsible Role: First Contact Support (Tier 1)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-05.04 Knowledge Management
Previous Activities: INM-05.03 Flag for Knowledge Article as Needed
Next Activities: If "Go to Knowledge Management": Knowledge Management Process Or If "Stay in Incident Management": INM-05.05 Close Incident
Description: The First Contact Support (Tier 1) representative opens a Knowledge Management Request if, for any reason, the incident seems valuable to reference for future incidents.
Input: Incident Record
Output: Knowledge Management Request
Associated Artifacts: None Listed
Responsible Role: First Contact Support (Tier 1)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

Process Activity Name: INM-05.05 Close Incident
Previous Activities: INM-05.03 Flag for Knowledge Article as Needed
Next Activities: Process Ends
Description: The First Contact Support (Tier 1) representative formally closes the Incident Record by closing the incident and all related tickets, and updating the status from “resolved” to “closed.”
Input: Incident Ticket
Output: Closed Incident Ticket
Associated Artifacts: None Listed
Responsible Role: First Contact Support (Tier 1)
Accountable Role: Incident Manager
Consulted Role: Support Specialist (Tier 2); Support Specialist (Tier 3)
Informed Role: Requestor
Tools and Websites: IT Service Management
More Info: None Listed

END OF PROCESS
