
Dispatcher SOP — IT Helpdesk + Security Call Triage

Dispatcher goal: classify severity, route/escalate, and document clearly in the first 1–3 minutes. Use this for helpdesk issues and security reports (phishing, malware, suspected compromise, lost devices).
Severity legend: Low (P4) | Medium (P3) | High (P2) | Critical (P1)

1) The 60–120 Second Call Script (Dispatcher)

Greeting + control the call (0–10s)
“Thanks for calling the IT Helpdesk. I’m going to ask a few quick questions to get you the right help fast.”
Identify caller + callback (10–25s)
“What’s your name, company/site, username, and the best callback number?”
Describe the issue in plain terms (25–60s)
“What is not working right now?” + “Since when?” + “How many users are affected?” + “Is work stopped?”
Security quick check, ask if ANY suspicion (60–90s)
1) “Did you click a link, open an attachment, or enter credentials?”
2) “Are you getting repeated MFA prompts you didn’t initiate?”
3) “Do you see new inbox rules/forwarding, strange sent emails, or unknown sign-ins?”
4) “Any ransomware note, encryption message, or AV/EDR alert?”
If “yes/unknown” to compromise indicators → treat as P1/P2 and escalate.
Set severity + next step (always promise an update time)
“I’m classifying this as [P1/P2/P3/P4]. Next, I’m going to [action]. You’ll get an update by [time].”
Dispatcher mindset
  • Your job is to triage, route, escalate, and document (not solve everything).
  • If it feels like a security incident, escalate first, refine details second.
  • If multiple sites call with the same symptom, assume broader outage until proven otherwise.

2) Severity Definitions — P4 → P1

LOW (P4) Target response: 1–3 business days
  • How-to, minor changes, routine access requests (non-urgent)
  • Cosmetic issues, non-blocking questions, scheduling
Action: Ticket + schedule follow-up. Provide self-service instructions where available.
MEDIUM (P3) Target response: next 1–2 days
  • Single user / small group impacted, workaround exists
  • Single phishing email report with no click / no creds entered (still route to security)
  • Device lost but encrypted + remote lock/wipe available (route to security; severity per policy)
Action: Ticket with clear repro steps + correct assignment. Set “next update” expectation (within 1–2 days).
HIGH (P2) Target response: within 24 hours
  • Major degradation affecting many users (not total outage)
  • Confirmed phishing campaign impacting multiple users (even if no compromise confirmed yet)
  • VIP/Executive cannot work (email/SSO/laptop lockout)
  • Malware suspected on one device but contained/isolated (not spreading)
Action: Create P2 ticket, notify team lead + security queue if applicable. Update caller at least daily (or sooner as needed).
CRITICAL (P1) Target response: same day
  • Suspected breach / active compromise: ransomware, critical EDR alert, unknown admin accounts, mailbox takeover signs
  • MFA push spam / impossible travel / user reports “I didn’t do that login”
  • Data exposure: lost/stolen device with sensitive data, public file share exposure, credentials leaked
  • Org-wide outage: SSO/Entra/Okta down, email down, VPN down for most users, core internet/site down, phone system down
  • Core infrastructure failure: DNS/DHCP/Domain Controller issues affecting authentication broadly
Action: Open P1 ticket + start incident timeline. Notify Security On-Call + Helpdesk/NOC On-Call. Preserve evidence (screenshots, headers, alert text). Set update cadence (same-day updates per incident lead).

3) Security “Do / Don’t” + Escalation Rules

Escalate immediately (P1) if:
  • Any hint of compromise: ransomware note, “someone has my account”, suspicious admin activity, critical EDR alert
  • MFA push spam or user reports unauthorized sign-in
  • Multiple users/sites reporting the same symptom (possible widespread incident)
  • Core auth/email/network outage impacting operations
DO (security calls)
  • Preserve evidence: screenshots, email headers, sender address, subject, time received
  • Capture device name/asset tag, username, location of device, time first noticed
  • Advise: “Don’t click further; don’t enter credentials; stop interacting with the suspicious message.”
DON’T (security calls)
  • Don’t ask them to “try the link again” or “test the attachment”
  • Don’t have them keep entering passwords if compromise is suspected
  • Don’t promise it’s “not serious” — route to security and let them confirm
Suggested update cadence
  • P1: same-day updates per incident lead
  • P2: at least daily (or sooner if material changes)
  • P3: within 1–2 days
  • P4: within 1–3 business days

4) Call Log (Copy/Paste into Ticket)

Ticket title template: [SEV] [Client/Site] Short issue — impact
Example: [CRITICAL] Acme HQ MFA Spam — user reports unauthorized sign-ins
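The severity rules in sections 1 to 3 and the ticket title template in section 4, encoded as a small rule-based classifier. This is an added worked example, not part of the SOP: the Intake field names, the MANY_USERS threshold and the exact ordering of checks are this example's own reading of the definitions above, and a "yes" or "unknown" answer on any compromise indicator is treated as a hit, as the call script requires.

```python
from dataclasses import dataclass
from typing import Optional
Answer = Optional[bool]   # security quick-check answer: True = yes, False = no, None = caller unsure
MANY_USERS = 10           # assumed threshold for "many users" (the SOP gives no number)
SEV_LABEL = {"P1": "CRITICAL", "P2": "HIGH", "P3": "MEDIUM", "P4": "LOW"}

@dataclass
class Intake:
    """Facts captured by the call script (section 1). Field names are this example's own."""
    site: str
    summary: str
    users_affected: int = 1
    sites_affected: int = 1                   # >1: assume broader outage until proven otherwise
    workaround_exists: bool = True
    vip_cannot_work: bool = False
    core_auth_email_net_outage: bool = False  # SSO/Entra/Okta, email, VPN, DNS/DHCP/DC for most users
    phishing_reported: bool = False
    entered_credentials: Answer = False       # creds typed into a suspicious page = credentials leaked
    clicked_link_or_attachment: Answer = False
    mfa_prompt_spam: Answer = False
    mailbox_anomalies: Answer = False         # new inbox rules/forwarding, strange sent mail, unknown sign-ins
    ransomware_or_edr_alert: Answer = False
    lost_device_encrypted_lockable: Answer = None  # None here means "not a lost-device call"

def hit(answer: Answer) -> bool:
    """Script rule: 'yes' OR 'unknown' on a compromise indicator counts as a hit."""
    return answer is not False

def classify(i: Intake) -> str:
    """Return 'P1'..'P4'. Rules run from most to least severe; the first match wins."""
    # P1: any hint of compromise, data exposure, core auth/email/network outage, or the same
    # symptom from several sites (section 3: treat as a possible widespread incident).
    if (hit(i.ransomware_or_edr_alert) or hit(i.mfa_prompt_spam) or hit(i.mailbox_anomalies)
            or hit(i.entered_credentials) or i.core_auth_email_net_outage
            or i.lost_device_encrypted_lockable is False or i.sites_affected > 1):
        return "P1"
    # P2: many users degraded, phishing hitting multiple users, VIP locked out, or a possible
    # malware exposure on one device (link clicked / attachment opened) that is not spreading.
    if (i.vip_cannot_work or (i.phishing_reported and i.users_affected > 1)
            or hit(i.clicked_link_or_attachment) or i.users_affected >= MANY_USERS):
        return "P2"
    # P3: single user / small group, no-click phishing report, or encrypted + lockable lost device.
    if (i.phishing_reported or i.lost_device_encrypted_lockable or not i.workaround_exists
            or i.users_affected > 1):
        return "P3"
    return "P4"   # how-to, minor change, routine non-urgent request

def ticket_title(i: Intake, impact: str) -> str:
    """Section 4 template: [SEV] [Client/Site] Short issue — impact."""
    return f"[{SEV_LABEL[classify(i)]}] {i.site} {i.summary} — {impact}"
```

Because unsure answers are modelled as None, a caller who cannot say whether they entered credentials is escalated to P1 rather than parked at P3.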