Definition of Severity Levels
Severity Definitions are intended to provide guidance on correct assignment of severity levels in the event of an incident.
- Sev 1: The product, service or channel is unavailable or unusable with NO planned and agreed sustainable workaround.
The problem may be directly impacting either:
· External customers’ ability to interact with the customer
· Customer’s ability to service its customers
· The Business unit’s production workflow
The product, service or channel must be classified as business critical (e.g. it needs to be available within 24 hours of a disaster).
- Sev 2: The product, service or channel is available; however, functions are restricted or degraded.
Significant exposure may exist. The business can continue to operate at a reduced capacity while the problem exists.
- Sev 3: The product, service or channel is available with no immediate impact to external or internal customers.
An acceptable workaround is in place. The business can continue to operate at full or close to full capacity while the problem exists.
1. CIO Override – a vulnerability that poses a serious threat to the Customer, is wormable (e.g. Sasser Virus), and code is in the wild and available to hackers. 24/7 to put this on the environment.
2. Critical – a vulnerability that poses a serious threat to , is typically wormable (e.g. Sasser Virus); however, code is not in the wild as yet. Normal business hours to deploy this on the environment.
3. Important – vulnerability that poses a threat to is typically vulnerability that needs to be initiated within and is local to the workstation. Normal business hours to deploy this on the environment.
4. Moderate – a minor vulnerability may pose a threat to . Usually patched to keep the platform current. This type of patch will only be deployed if is deploying other hot fixes, otherwise it is deployed in the next Enterprise release.