Explore Digital resilience incident reporting
The Digital resilience incident reporting module in the Operational Resilience Workspace is used to log and report incidents data to the regulators.
Key features of Digital resilience incident reporting
- Creates reporting cases automatically from major incidents reported in the Incident Management and Security Incident Response applications.
- Initiates a structured assessment process, including Regulatory reporting assessment to determine if the incident is reportable.
- Tracks the status of reports and assessments, ensuring timely submission and compliance with regulatory timelines.
- Uses automated reporting workflow to generate reports within regulatory reporting timelines:
- Regulatory reporting assessment of IT incidents
- Initial Report (within 24 hours)
- Intermediate Report (every three days until resolved)
- Final Report
- Allows users to export incident reports for further analysis in the format specified by regulatory authorities.
Integration with Incident Management or Security Incident Response
The Digital resilience incident reporting module is available in the Operational Resilience Workspace by default. If you are using the Incident Management or Security Incident Response applications, you can report critical incidents from these Workspaces into the Digital resilience incident reporting module.
Auto-populating the responses in the Assessment Workspace
For the reported DIR case task, an assessment action task is created and assigned to a DIR user. Smart assessment in the Assessment Workspace is used for auto-populating the responses to the assessment. The Assessment Workspace is available to the Digital resilience incident reporting users by default.
Incident classification
When an incident is detected, it is determined whether critical business services are affected. The following approach is followed to classify the incident.
Digital resilience incident reporting workflow
To classify major incidents, the Digital resilience incident reporting (sn_dri_inc_rptg) automatically initiates reporting cases.
- Incident Management
- The incident is classified as critical in the Service Operations Workspace.
- Incident duration: The incident has been open for more than 24 hours and it is still in the Work in progress or Analysis stage.
- The incident involves a critical business service where the business criticality value is 1.
- Security Incident Response:
- The incident is classified as critical in the SIR workspace.
- Incident duration: The incident has been open for more than 24 hours and it is still in the Work in progress or Analysis stage.
- Manual: The incident has been reported manually in the Digital resilience incident reporting module.
States of the case task
- Draft: Any DIR user can create a DIR case task and assign it to the DIR managers group. A notification is sent to the managers group to assign it to one of the managers. DIR case task can also be created automatically from the IM incidents or SIR incidents if they meet the criteria defined in the creation flow (Integration with IM or SIR)
- In progress:
- An action task is created for the DIR case task and assigned to a DIR user.
The Regulatory reporting status field (sn_grc_inc_rptg_case_task.breach, shown on the Details panel of the case form) is updated based on the response.
- The
DIR case task is classified as Potentially reportable, Not reportable, or Reportable based on the assessment response. This classification is stored in the Regulatory reporting status field (sn_grc_inc_rptg_case_task.breach)
on the Digital Resilience Incident Reporting case form and on each Regulation Mapping record in the Regulation Mappings related list. If a case is initially marked as Potentially reportable, further updates on the source
incident can lead to additional assessments. Note:The "Regulatory reporting status" field is now shown on the Details panel of the case form (or in the Regulation Mappings related list) and not in a separate "Reporting status" section in the Workspace view of the case.
- If the DIR case task is identified as Reportable, a new action task is created for the initial report assessment with a due date of 24 hrs and is assigned to any DIR user by the DIR manager handling the case.
- After the initial report action task is completed and submitted, a new action task for the intermediate report is created with a due date as three days.
- Intermediate report assessments are generated every three days until the source incident is closed (Incident Management or Security Incident Response).Note:It is not mandatory to close every intermediate report assessment that was generated during the lifecycle of the incident. The Final report action task is created automatically when the source incident is closed, independent of the open intermediate assessments. Any intermediate assessments that remain open after the source incident is closed are no longer required - the periodic generation stops as soon as the termination conditions configured on the DRI Intermediate report template are met (typically when the source incident state is 'Closed' or the DRI case state is 'Closed'/'Canceled').
- A final report action task is created with a due date of 30 days from the closing date of the source incident.
- An action task is created for the DIR case task and assigned to a DIR user.
- Pending approval and Approved: Once the reports are completed, the DIR case task is approved and closed.
Data displayed in Digital resilience incident reporting
- All incident reporting cases
- My incident reporting cases
- Unassigned incident reporting cases
My tasks
- My pending tasks
- My items
- Watchlist
Roles, Scripts, and Tables used for reporting
For information on the roles, scripts, and tables used in Roles installed with Digital resilience incident reporting, see Digital resilience incident reporting reference.