Identification phase
An incident moves to the identification phase once the suspected contributing factor(s) has been identified, but not yet resolved. When composing this message, prioritize any message elements that have not yet been communicated in previous updates. For example, if the incident start time was in the last update, it is of lower priority than any new yet to be presented information in this update. If you must trim the length of your update due to technical limitations, choose message elements based on priority.
Elements to include in an update during the Identification phase are:
- The contributing factor(s) identified
- The proposed remediation that will be taken
- Time the decision to take this remediation occured
- Expected duration for the remediation, if known
- Customer impact observed (whatever is known right now)
- How to identify the issue (e.g., symptoms), if known
- Confirmation of business service(s) affected
- Current incident severity
- Time the incident started
- Description of the issue detected
- Where to find more information
- When to expect another update
An example of a status update during the Identification phase is:
“At 8:09PM PDT we identified an unauthorized opening of the Rift. That means the Containment Field is effectively down. Approximately 2% of customers have reported seeing Demogorgons in their waking dreams. We are currently warming up the interdimensional laser machine to attempt closing the portal. Expect another update within 30 minutes.”
As we know, it takes an unreasonably long period of time to warm up interdimensional laser machines for whatever reason. The next update in 30 minutes might look like this:
“At 8:11PM PDT we initiated a warm-up sequence for the interdimensional laser machine in order to seal an unauthorized opening of the Rift. The warm-up sequence is currently ongoing. If your customers report seeing Demogorgons in their waking dreams, direct them to their nearest small psychokinetic child for immediate protection. Until the Rift is sealed, there is effectively no Containment Field. This is a SEV-1 incident and you should seek help from the nearest shady government agents. Expect another update within 30 minutes.”