Dispatcher SOP — IT Helpdesk + Security Call Triage

Dispatcher goal: classify severity, route/escalate, and document clearly in the first 1–3 minutes. Use this for helpdesk issues and security reports (phishing, malware, suspected compromise, lost devices).

Critical (P1) High (P2) Medium (P3) Low (P4)

1) The 60–120 Second Call Script (Dispatcher)

Greeting + control the call0–10s
“Thanks for calling the IT Helpdesk. I’m going to ask a few quick questions to get you the right help fast.”

Identify caller + callback10–25s
“What’s your name, company/site, username, and the best callback number?”

Describe the issue in plain terms25–60s
“What is not working right now?” + “Since when?” + “How many users are affected?” + “Is work stopped?”

Security quick check (ask if ANY suspicion)60–90s
1) “Did you click a link, open an attachment, or enter credentials?”
2) “Are you getting repeated MFA prompts you didn’t initiate?”
3) “Do you see new inbox rules/forwarding, strange sent emails, or unknown sign-ins?”
4) “Any ransomware note, encryption message, or AV/EDR alert?”
If “yes/unknown” to compromise indicators → treat as P1/P2 and escalate.

Set severity + next step (always promise an update time)
“I’m classifying this as [P1/P2/P3/P4]. Next, I’m going to [action]. You’ll get an update by [time].”

Dispatcher mindset

Your job is to triage, route, escalate, and document (not solve everything).
If it feels like a security incident, escalate first, refine details second.
If multiple sites call with the same symptom, assume broader outage until proven otherwise.

2) Severity Definitions (IT + Security) & Required Actions

CRITICAL (P1) Target response: 0–15 min

Suspected breach / active compromise: ransomware, critical EDR alert, unknown admin accounts, mailbox takeover signs
MFA push spam / impossible travel / user reports “I didn’t do that login”
Data exposure: lost/stolen device with sensitive data, public file share exposure, credentials leaked
Org-wide outage: SSO/Entra/Okta down, email down, VPN down for most users, core internet/site down, phone system down
Core infrastructure failure: DNS/DHCP/Domain Controller issues affecting authentication broadly

Action: Open P1 ticket + start incident timeline. Notify Security On-Call + Helpdesk/NOC On-Call. Preserve evidence (screenshots, headers, alert text). Set update cadence (every 30–60 min).

HIGH (P2) Target response: ≤ 1 hour

Major degradation affecting many users (not total outage)
Confirmed phishing campaign impacting multiple users (even if no compromise confirmed yet)
VIP/Executive cannot work (email/SSO/laptop lockout)
Malware suspected on one device but contained/isolated (not spreading)

Action: Create P2 ticket, notify team lead + security queue if applicable. Update caller at least hourly.

MEDIUM (P3) Target response: same business day

Single user / small group impacted, workaround exists
Single phishing email report with no click / no creds entered (still route to security)
Device lost but encrypted + remote lock/wipe available (route to security; severity per policy)

Action: Ticket with clear repro steps + correct assignment. Set “next update” expectation (end of day).

LOW (P4) Target response: 1–3 business days

How-to, minor changes, routine access requests (non-urgent)
Cosmetic issues, non-blocking questions, scheduling

Action: Ticket + schedule follow-up. Provide self-service instructions where available.

3) Triage Flowchart (IT + Security)

flowchart TD
  A([Incoming Call]) --> B[Collect info: name, site, username, callback, email]
  B --> C[Describe problem: what, since when, errors, impact]
  C --> D{Any security indicator?}

  D -- Yes --> S1[Security questions: click/creds, MFA spam, unknown sign-in, EDR alert]
  S1 --> D2{Compromise or data exposure likely?}
  D2 -- Yes --> P1[CRITICAL P1: notify Security on-call + IT on-call; start incident log]
  D2 -- No --> P2S[HIGH P2: route to Security queue; notify lead; hourly updates]

  D -- No --> E{Org-wide outage or work stopped?}
  E -- Yes --> P1
  E -- No --> F{Many users affected or VIP impact?}
  F -- Yes --> P2I[HIGH P2: escalate to IT queue; notify lead; hourly updates]
  F -- No --> G{Small impact with workaround?}
  G -- Yes --> P3[MEDIUM P3: ticket + assign; update by end of day]
  G -- No --> H{How-to or minor non-blocking?}
  H -- Yes --> P4[LOW P4: ticket + schedule; respond in 1-3 business days]
  H -- No --> P3

  P1 --> Z[Document: impact, timeline, evidence, notifications, next update time]
  P2S --> Z
  P2I --> Z
  P3 --> Z
  P4 --> Z

Click the flowchart for full-screen. Wheel = zoom. Drag = pan. Esc closes

If the flowchart doesn’t render, the Mermaid CDN may be blocked on that network.

4) Security “Do / Don’t” + Escalation Rules

Escalate immediately (P1) if:

Any hint of compromise: ransomware note, “someone has my account”, suspicious admin activity, critical EDR alert
MFA push spam or user reports unauthorized sign-in
Multiple users/sites reporting the same symptom (possible widespread incident)
Core auth/email/network outage impacting operations

DO (security calls)

Preserve evidence: screenshots, email headers, sender address, subject, time received
Capture device name/asset tag, username, location of device, time first noticed
Advise: “Don’t click further; don’t enter credentials; stop interacting with the suspicious message.”

DON’T (security calls)

Don’t ask them to “try the link again” or “test the attachment”
Don’t have them keep entering passwords if compromise is suspected
Don’t promise it’s “not serious” — route to security and let them confirm

Suggested update cadence

P1: every 30–60 minutes (or per incident commander)
P2: at least hourly
P3: by end of day
P4: within 1–3 business days

5) Call Log (Copy/Paste into Ticket)

Caller Name

Company / Site

Username / User ID

Callback Number

Best Email

Device Name / Asset Tag

Severity

Start Time / “Since When?”

Issue Summary (1–2 sentences)

Impact

Symptoms / Error Messages

Security Quick Answers

Phishing Email Details (if applicable)

What Changed Recently?

Actions Taken / Workaround

Escalation / Notifications

Next Update Promise

Ticket title template: [SEV] [Client/Site] Short issue — impact
Example: [CRITICAL] Acme HQ MFA Spam — user reports unauthorized sign-ins

Pro tip: If it’s security-related, add SECURITY to the title.