Priority categories.

Emergency.

An emergency is an incident which admits no delay. All emergencies will be processed in parallel and all available resources will be allocated to them.

Examples: life threatening activities, national safety, attacks against Internet infrastructure. So far, other less serious incidents have been considered emergencies on considerations of scope or quick difussion. They will be labeled as high priority from now on.

High Priority.

A high priority incident is one which requires faster attention than others, despite having been detected after them. For this purpose and independent high prioirity queue is maintained. Incidents on it are serially processed, and resources will be allocated to them in preference to lower priority incidents.

Examples: privileged account compromise, denial of service, and those mentioned under the 'emergency' headings, after 'So far...'.

Normal Priority.

The default priority. The normal priority queue is serially processed, unless all resources are taken by higher priority incidents. A normal priority incident will become high priority if unattended for too long.

Examples: any incident involving a successful attack, when not eligible for a higher priority category. Also repeated network probes.

Low Priority.

The low priority queue is serially processed, unless all resources are taken by higher priority incidents. A low priority incident will be automatically closed if unattended for too long.

Examples: isolated unsuccessful probes, where the attacker isn't likely to achieve his/her purpose.