WEBVTT

0:00:03.720000 --> 0:00:06.260000
 Hello everyone and welcome.

0:00:06.260000 --> 0:00:10.960000
 In this video we're going to be taking
 a look at escalation and communication

0:00:10.960000 --> 0:00:16.880000
 protocols in a SOC or security
 operations in general.

0:00:16.880000 --> 0:00:20.760000
 So when we are talking about event
 triage and investigation, I sort of

0:00:20.760000 --> 0:00:26.180000
 mentioned escalation both theoretically
 but also in the demonstration

0:00:26.180000 --> 0:00:28.940000
 or the example that I sort of outlined.

0:00:28.940000 --> 0:00:33.300000
 In this video we're going to be understanding
 what escalation is, how

0:00:33.300000 --> 0:00:39.820000
 it works, or how you essentially decide
 as a SOC analyst, you know, when

0:00:39.820000 --> 0:00:44.140000
 to actually escalate to let's say
 a tier two or three analyst.

0:00:44.140000 --> 0:00:49.580000
 So I also included communication protocols
 because I think it's very,

0:00:49.580000 --> 0:00:54.540000
 very important that you understand
 that they sort of go hand in hand.

0:00:54.540000 --> 0:00:56.200000
 So let's get started.

0:00:56.200000 --> 0:01:01.320000
 So in security operations, escalation and
 communication protocols are critical

0:01:01.320000 --> 0:01:07.120000
 for ensuring that security incidents
 are handled efficiently, effectively,

0:01:07.120000 --> 0:01:09.880000
 and more importantly, transparently.

0:01:09.880000 --> 0:01:13.980000
 These protocols define how and when
 incidents are escalated within the

0:01:13.980000 --> 0:01:17.180000
 organization and who needs to
 be informed at each stage.

0:01:17.180000 --> 0:01:22.080000
 So this is arguably one of the more important
 videos in this course because

0:01:22.080000 --> 0:01:31.800000
 knowing when, how, and to whom to communicate
 information to or escalate,

0:01:31.800000 --> 0:01:37.180000
 you know, events or incidents
 to is very, very important.

0:01:37.180000 --> 0:01:43.200000
 So that brings us to my point, which
 is, you know, what exactly is the

0:01:43.200000 --> 0:01:47.400000
 importance of escalation and communication
 protocols, either, you know,

0:01:47.400000 --> 0:01:52.300000
 in security operations in general or within
 a SOC or even an incident response

0:01:52.300000 --> 0:01:55.620000
 team. Well, a, they speed
 up incident response.

0:01:55.620000 --> 0:02:00.720000
 So, you know, they ensure incidents
 are escalated to the right team or

0:02:00.720000 --> 0:02:03.360000
 the right person at the right time.

0:02:03.360000 --> 0:02:07.620000
 All right, secondly, they minimize
 damage or the extent of the damage,

0:02:07.620000 --> 0:02:12.540000
 you know, by containing and mitigating
 the impact of incidents more quickly

0:02:12.540000 --> 0:02:15.340000
 C, they ensure consistency.

0:02:15.340000 --> 0:02:20.340000
 So, you know, they standardize how
 incidents are managed and how they

0:02:20.340000 --> 0:02:21.500000
 are communicated.

0:02:21.500000 --> 0:02:25.160000
 And I, you know, also to whom
 they're communicated.

0:02:25.160000 --> 0:02:29.640000
 They also help meet compliance
 requirements.

0:02:29.640000 --> 0:02:33.280000
 So they ensure proper documentation
 and notification to stakeholders,

0:02:33.280000 --> 0:02:39.240000
 regulators and legal entities, and
 also, you know, maintaining trust.

0:02:39.240000 --> 0:02:44.000000
 So they ensure timely and accurate communication
 to an internal and also

0:02:44.000000 --> 0:02:48.240000
 this is very important external
 stakeholders, if there are any.

0:02:48.240000 --> 0:02:53.200000
 So what are escalation protocols or
 what is the escalation process all

0:02:53.200000 --> 0:02:57.820000
 about? So, you know, to be more specific
 in the context of this course

0:02:57.820000 --> 0:03:01.600000
 and learning path, what is escalation
 in incident response?

0:03:01.600000 --> 0:03:06.080000
 Escalation is the process of handing
 over an incident to the appropriate

0:03:06.080000 --> 0:03:12.240000
 team or authority or analyst, let's
 say, when its complexity, severity

0:03:12.240000 --> 0:03:17.920000
 or potential impact exceeds the
 initial responder's capabilities.

0:03:17.920000 --> 0:03:20.900000
 And that's why in this course, when
 I explained or we're going through

0:03:20.900000 --> 0:03:25.540000
 the SOC tiers and roles and
 the responsibilities.

0:03:25.540000 --> 0:03:31.360000
 That's why, you know, I made that video,
 but also to the reason why outline

0:03:31.360000 --> 0:03:36.080000
 the responsibilities is to show you
 the demarcation points with regards

0:03:36.080000 --> 0:03:37.040000
 to responsibilities.

0:03:37.040000 --> 0:03:41.840000
 What I'm trying to say is, you know, what
 a tier one analyst is responsible

0:03:41.840000 --> 0:03:46.580000
 for. And the, and you know, what a tier
 two analyst is responsible for.

0:03:46.580000 --> 0:03:49.480000
 And the reason that's important is
 because if you're going to work as

0:03:49.480000 --> 0:03:53.540000
 an incident responder, let's say a
 tier two analyst within a SOC, you

0:03:53.540000 --> 0:03:58.480000
 need to understand, you know, when
 to escalate and more importantly to

0:03:58.480000 --> 0:04:02.800000
 whom. So that brings us to the next
 question that you might have had,

0:04:02.800000 --> 0:04:07.740000
 or that you might have, which is when
 should an incident be escalated.

0:04:07.740000 --> 0:04:13.380000
 So firstly, the incident, if the incident
 exceeds the capability or authority

0:04:13.380000 --> 0:04:18.900000
 of the current responder, okay, that's
 fairly simple, b, whether the incident
 fairly simple, be whether the incident

0:04:18.900000 --> 0:04:23.380000
 affects critical infrastructure
 or sensitive data.

0:04:23.380000 --> 0:04:28.560000
 You know, the, whether the incident is
 spreading rapidly or impacts multiple

0:04:28.560000 --> 0:04:34.500000
 systems. So you're now looking at the
 complexity and scale of the incident.

0:04:34.500000 --> 0:04:38.780000
 You know, when external stakeholders or
 regulatory bodies need to be involved.

0:04:38.780000 --> 0:04:43.980000
 So that's, you know, in the context
 of the tense that I'm speaking in,

0:04:43.980000 --> 0:04:49.540000
 would be if external stakeholders or regulatory
 bodies need to be involved.

0:04:49.540000 --> 0:04:53.640000
 And then of course, you have the other
 one here, which is if the incident

0:04:53.640000 --> 0:04:58.340000
 could cause reputational, financial,
 or legal damage, which again, is

0:04:58.340000 --> 0:05:02.320000
 very easy to understand if there is that
 possibility or an incident poses

0:05:02.320000 --> 0:05:09.120000
 this type of risk or danger, let's say
 reputational or legal, then, you

0:05:09.120000 --> 0:05:13.460000
 know, you most likely need to escalate
 it rather quickly to the legal

0:05:13.460000 --> 0:05:18.060000
 team, for example, or someone above
 you can then make that decision.

0:05:18.060000 --> 0:05:23.720000
 So the idea is to understand where you
 stand, no pun intended, and when

0:05:23.720000 --> 0:05:29.060000
 to escalate, which as I said, is really
 dependent on, I would say generally

0:05:29.060000 --> 0:05:34.040000
 speaking, your role within a SOC
 or an incident response team.

0:05:34.040000 --> 0:05:41.140000
 But as I've listed out here, the primary
 criteria or criteria are complexity,

0:05:41.140000 --> 0:05:43.800000
 severity, or potential impact.

0:05:43.800000 --> 0:05:51.740000
 And whether those exceed your capabilities,
 if you, the responder.

0:05:51.740000 --> 0:05:57.660000
 So that brings us to this very nice
 table that I, you know, find very

0:05:57.660000 --> 0:06:02.760000
 useful. So it's something that I built
 myself, and that I've disseminated

0:06:02.760000 --> 0:06:06.720000
 with a lot of, you know, the SOC teams
 that I've worked with, either,

0:06:06.720000 --> 0:06:12.080000
 you know, as a red team or even before
 that, when I was a tier two analyst

0:06:12.080000 --> 0:06:17.280000
 or an incident responder, then
 a threat intelligence analyst.

0:06:17.280000 --> 0:06:22.360000
 And what it does is it lists out the
 escalation levels, the criteria for

0:06:22.360000 --> 0:06:24.220000
 escalation and who to notify.

0:06:24.220000 --> 0:06:25.200000
 So it's sort of a cheat sheet.

0:06:25.200000 --> 0:06:29.860000
 Now, again, do not rely on this, or this
 is not something that's standardized.

0:06:29.860000 --> 0:06:33.160000
 This is just, you know, something that
 I think is very useful in helping

0:06:33.160000 --> 0:06:35.120000
 you understand this escalation.

0:06:35.120000 --> 0:06:40.200000
 So I've sort of listed out the escalation
 levels ranging from level one

0:06:40.200000 --> 0:06:44.440000
 to level four, level one being the lowest
 severity level four being the

0:06:44.440000 --> 0:06:46.440000
 highest, which in this case is critical.

0:06:46.440000 --> 0:06:49.160000
 So let's start off with
 level one, low severity.

0:06:49.160000 --> 0:06:51.660000
 What's the criteria for escalation?

0:06:51.660000 --> 0:06:53.900000
 So the criteria is minor.

0:06:53.900000 --> 0:06:58.300000
 So think of routine security events
 that are easily contained with no

0:06:58.300000 --> 0:07:05.620000
 significant impact, who is notified
 in the event of low severity events.

0:07:05.620000 --> 0:07:10.120000
 It's obvious it's going to be the SOC
 tier one analysts or equivalent.

0:07:10.120000 --> 0:07:13.920000
 We then have level two or
 moderate severity events.

0:07:13.920000 --> 0:07:16.860000
 So what's the criteria
 for escalation here?

0:07:16.860000 --> 0:07:21.060000
 In this case, it's events requiring
 more in depth analysis or multiple

0:07:21.060000 --> 0:07:22.960000
 system involvement.

0:07:22.960000 --> 0:07:28.000000
 So in that case, who do you notify SOC
 tier two or tier three analysts?

0:07:28.000000 --> 0:07:30.920000
 You then have level three, which
 is high severity events.

0:07:30.920000 --> 0:07:34.180000
 So the criteria for escalation is that,
 you know, these are confirmed

0:07:34.180000 --> 0:07:38.220000
 security incidents affecting
 critical systems or data.

0:07:38.220000 --> 0:07:42.780000
 In this case, who to notify or who do
 you notify, it's going to be, you

0:07:42.780000 --> 0:07:48.080000
 know, you escalate to the incident
 response team, IR or IRT, the CISO

0:07:48.080000 --> 0:07:50.740000
 and management if a CISO exists.

0:07:50.740000 --> 0:07:57.080000
 But I've just added it in there to cater
 for all, you know, for all types

0:07:57.080000 --> 0:07:58.920000
 of companies or organizations.

0:07:58.920000 --> 0:08:01.560000
 And then you have level four,
 which is critical severity.

0:08:01.560000 --> 0:08:05.500000
 So these are the criteria for escalation
 here, large-scale incidents

0:08:05.500000 --> 0:08:10.360000
 involving significant data loss, system
 outages or potential regulatory

0:08:10.360000 --> 0:08:15.620000
 impact. And in this case,
 who do you notify?

0:08:15.620000 --> 0:08:21.760000
 You notify executive leadership, legal
 teams, PR and regulators, if needed

0:08:21.760000 --> 0:08:27.360000
 or if required. So as said, this sort
 of makes it much more easier or

0:08:27.360000 --> 0:08:32.160000
 much easier to understand in terms of,
 you know, when to escalate or what

0:08:32.160000 --> 0:08:34.420000
 the criteria for escalation is.

0:08:34.420000 --> 0:08:37.540000
 And hopefully you find
 this useful as I did.

0:08:37.540000 --> 0:08:41.720000
 So that brings us to communication protocols,
 which may have confused

0:08:41.720000 --> 0:08:47.380000
 you because you're sort of expecting me
 to only touch on escalation protocols

0:08:47.380000 --> 0:08:49.100000
 or the escalation process.

0:08:49.100000 --> 0:08:54.300000
 But when you think about it, and this
 is very important, escalation is

0:08:54.300000 --> 0:08:58.300000
 the process of communicating
 something, right?

0:08:58.300000 --> 0:09:06.180000
 Now, the escalation process entails or
 includes decision making, you know,

0:09:06.180000 --> 0:09:08.580000
 and criteria for escalation.

0:09:08.580000 --> 0:09:12.980000
 But let's say you've decided that you
 need to escalate, well, you need

0:09:12.980000 --> 0:09:16.820000
 to communicate that to the person
 you're escalating to.

0:09:16.820000 --> 0:09:20.600000
 And that begs the question, or that
 brings up a very important point.

0:09:20.600000 --> 0:09:27.520000
 And that is, how do you communicate this,
 or how do you escalate a particular

0:09:27.520000 --> 0:09:33.160000
 event or incident to the, you know,
 the person responsible or the person

0:09:33.160000 --> 0:09:34.780000
 you're supposed to notify?

0:09:34.780000 --> 0:09:38.280000
 Well, you obviously need to
 communicate it to them.

0:09:38.280000 --> 0:09:43.500000
 So with that being said, what that
 means is that communication becomes

0:09:43.500000 --> 0:09:48.420000
 very, very, very important, because if
 there's a breakdown in communication,

0:09:48.420000 --> 0:09:53.920000
 whether you're talking about platforms,
 but really protocols, or let's

0:09:53.920000 --> 0:09:58.260000
 say the communication between a tier
 one and two analyst is very poor,

0:09:58.260000 --> 0:10:03.600000
 either, you know, because of technological
 reasons or whatever, you know,

0:10:03.600000 --> 0:10:07.220000
 doesn't matter whether it's been escalated
 correctly, there's going to

0:10:07.220000 --> 0:10:08.280000
 be an issue here.

0:10:08.280000 --> 0:10:14.060000
 So communication protocols define who
 needs to be informed, what information

0:10:14.060000 --> 0:10:15.880000
 is shared? That's very important.

0:10:15.880000 --> 0:10:21.820000
 So when you're escalating, how much
 info should you share, how less or

0:10:21.820000 --> 0:10:28.120000
 how detailed does the info need to be,
 what information needs to be included,

0:10:28.120000 --> 0:10:32.660000
 right? And more importantly, how the
 communication is conducted throughout

0:10:32.660000 --> 0:10:35.040000
 the incident lifecycle.

0:10:35.040000 --> 0:10:39.900000
 So that brings us to the key elements
 of communication protocols, which

0:10:39.900000 --> 0:10:45.880000
 are a, the communication channels, b,
 roles and responsibilities, c, the

0:10:45.880000 --> 0:10:51.340000
 consistency of communication or the messages,
 d, confidentiality and compliance,

0:10:51.340000 --> 0:10:55.500000
 and e, the frequency of updates,
 this is extremely important.

0:10:55.500000 --> 0:10:57.420000
 I cannot stress this enough.

0:10:57.420000 --> 0:11:01.480000
 So starting off with communication channels,
 so you define approved channels

0:11:01.480000 --> 0:11:04.260000
 for internal and external communication.

0:11:04.260000 --> 0:11:09.000000
 My example is email, secure chat, phone
 calls, incident management systems.

0:11:09.000000 --> 0:11:18.860000
 The bottom line is that you SOC analysts
 will use to communicate incidents

0:11:18.860000 --> 0:11:20.960000
 or to escalate incidents.

0:11:20.960000 --> 0:11:24.540000
 And you can't have more than
 one, you can be on WhatsApp.

0:11:24.540000 --> 0:11:28.920000
 I've seen that before, which is I'm
 saying it, email and then instant

0:11:28.920000 --> 0:11:32.900000
 messages and Slack and define
 a standardized process.

0:11:32.900000 --> 0:11:38.080000
 So you don't confuse anyone, you know,
 anyone or everyone knows that this

0:11:38.080000 --> 0:11:43.500000
 is where I'm going to expect potentially
 escalated events to come from.

0:11:43.500000 --> 0:11:48.320000
 So if I'm a tier two analyst, and let's
 say the communication channel

0:11:48.320000 --> 0:11:52.440000
 that's been defined as email, then I
 know always to look for escalations

0:11:52.440000 --> 0:11:53.900000
 in my email inbox.

0:11:53.900000 --> 0:11:56.640000
 And of course, today you have
 Slack and all of this stuff.

0:11:56.640000 --> 0:11:59.640000
 And you should never just rely on one,
 there should always be a backup

0:11:59.640000 --> 0:12:04.320000
 system, but it's very important that
 is defined and understood that if

0:12:04.320000 --> 0:12:08.400000
 email is down or whatever,
 then we'll utilize Slack.

0:12:08.400000 --> 0:12:11.020000
 And that's understood by everyone.

0:12:11.020000 --> 0:12:13.300000
 Which brings us to roles
 and responsibilities.

0:12:13.300000 --> 0:12:17.360000
 So you identify who is responsible for
 communicating with internal teams,

0:12:17.360000 --> 0:12:20.300000
 executive stakeholders
 and regulatory bodies.

0:12:20.300000 --> 0:12:25.060000
 Again, this is something that may seem
 basic or, you know, tacitly understood

0:12:25.060000 --> 0:12:27.120000
 by everyone within a SOC team.

0:12:27.120000 --> 0:12:30.520000
 But if it's not defined, then
 it can be quite haphazard.

0:12:30.520000 --> 0:12:35.160000
 And there could be hesitancy in the event
 something happens as, you know,

0:12:35.160000 --> 0:12:39.060000
 who is going to communicate it, why
 someone should communicate it.

0:12:39.060000 --> 0:12:40.820000
 Instead, it should be standardized.

0:12:40.820000 --> 0:12:45.480000
 If you're responsible, you communicate
 it, there's no if buts and, you

0:12:45.480000 --> 0:12:49.800000
 know, whatever. Thirdly,
 message consistency.

0:12:49.800000 --> 0:12:54.580000
 So you ensure consistent, accurate and timely
 communication to avoid misinformation.

0:12:54.580000 --> 0:13:00.020000
 So again, very, very important self
 explanatory, you define, you know,

0:13:00.020000 --> 0:13:03.800000
 processes, standards templates, even
 for communicating information.

0:13:03.800000 --> 0:13:08.500000
 And, you know, you're trying
 to ensure this consistency.

0:13:08.500000 --> 0:13:11.180000
 You then have confidentiality
 and compliance.

0:13:11.180000 --> 0:13:15.480000
 So here you ensure sensitive information,
 which a lot of the information

0:13:15.480000 --> 0:13:19.440000
 included in escalation is sensitive.

0:13:19.440000 --> 0:13:23.260000
 You ensure that this sensitive information
 is only shared with authorized

0:13:23.260000 --> 0:13:25.220000
 personnel and with no one else.

0:13:25.220000 --> 0:13:27.700000
 So it's, you know, for your eyes only.

0:13:27.700000 --> 0:13:30.720000
 Apologies for that little trope there.

0:13:30.720000 --> 0:13:35.820000
 But that's what, you know, that's what
 confidentiality and compliance

0:13:35.820000 --> 0:13:38.560000
 referring to. You then have
 the frequency of updates.

0:13:38.560000 --> 0:13:42.700000
 This is very important, especially
 during when we're talking about the

0:13:42.700000 --> 0:13:48.940000
 incident life cycle, the incident response
 life cycle, frequency of updates,

0:13:48.940000 --> 0:13:51.600000
 as you would have expected
 is very important.

0:13:51.600000 --> 0:13:55.520000
 So this is where you define how frequently
 updates should be provided.

0:13:55.520000 --> 0:14:00.460000
 So for example, every hour for critical
 incidents, every eight hours for

0:14:00.460000 --> 0:14:07.060000
 let's say low to medium severity or level
 one level two, stuff like that,

0:14:07.060000 --> 0:14:10.920000
 the bottom line is that these
 things need to be defined.

0:14:10.920000 --> 0:14:14.840000
 And of course, in the case of communication
 channels, I'm not just saying

0:14:14.840000 --> 0:14:17.560000
 you pick one and then you
 define it and you're good.

0:14:17.560000 --> 0:14:21.240000
 It's also important that you communicate
 with the SOC team.

0:14:21.240000 --> 0:14:25.820000
 And of course, I'm speaking as someone
 who is building a SOC or, you know,

0:14:25.820000 --> 0:14:31.220000
 defining this. But generally speaking,
 the tools should be fairly simple

0:14:31.220000 --> 0:14:35.000000
 to use. They should not be too
 difficult or cumbersome.

0:14:35.000000 --> 0:14:40.580000
 And, you know, generally speaking, you
 know, everything should be defined

0:14:40.580000 --> 0:14:45.700000
 and understood by everyone
 that's part of the team.

0:14:45.700000 --> 0:14:50.400000
 So I've come up with another example,
 under one of those diagram flow

0:14:50.400000 --> 0:14:57.360000
 chart timeline examples that outlines
 escalation and communication in

0:14:57.360000 --> 0:14:58.640000
 the form of a workflow.

0:14:58.640000 --> 0:15:03.740000
 So again, we have an environment here
 where we have the SOC, we have a

0:15:03.740000 --> 0:15:08.540000
 SIEM, we have a target system, the file
 server, and then a tier one analyst.

0:15:08.540000 --> 0:15:13.020000
 So starting off from step one, we can
 see and I'll move into the full

0:15:13.020000 --> 0:15:19.920000
 screen that an alert is detected by
 the SIEM and handed over for triage.

0:15:19.920000 --> 0:15:24.260000
 So step two, the SOC tier one analyst checks
 if the alert is a false positive

0:15:24.260000 --> 0:15:25.960000
 or requires escalation.

0:15:25.960000 --> 0:15:30.060000
 So this is the triage process that we
 already went through in the previous

0:15:30.060000 --> 0:15:35.400000
 video. And then we have the escalation
 process, which we didn't cover

0:15:35.400000 --> 0:15:36.920000
 in the previous video.

0:15:36.920000 --> 0:15:41.360000
 So the incident is categorized into
 one of the four escalation levels.

0:15:41.360000 --> 0:15:46.760000
 So escalating now so low level
 one handled by tier one.

0:15:46.760000 --> 0:15:51.400000
 So if it is a level one event, then
 it's handled by the tier one analyst

0:15:51.400000 --> 0:15:53.120000
 is moderate level two.

0:15:53.120000 --> 0:15:56.700000
 This is escalated to tier two or three
 analysts for deeper investigation

0:15:56.700000 --> 0:16:01.600000
 and containment high level three escalated
 to the IR team and CISO for

0:16:01.600000 --> 0:16:05.880000
 major containment and documentation with
 its critical level four executive

0:16:05.880000 --> 0:16:10.240000
 teams, legal PR regulators are notified
 and public statements are prepared

0:16:10.240000 --> 0:16:14.540000
 if necessary. The bottom line is that
 you can see where step three was

0:16:14.540000 --> 0:16:19.300000
 severity assessment as part
 of the escalation process.

0:16:19.300000 --> 0:16:24.400000
 But the bottom line is that we have already
 understood what the escalation

0:16:24.400000 --> 0:16:30.160000
 process is. It's very important that
 after triage, depending on what has

0:16:30.160000 --> 0:16:36.880000
 been discovered, or the severity assessment
 that it is escalated to the

0:16:36.880000 --> 0:16:39.780000
 correct person in a timely fashion.

0:16:39.780000 --> 0:16:44.260000
 So that brings us to this final table
 here, the final slide where I've

0:16:44.260000 --> 0:16:47.860000
 sort of outlined the escalation and
 communication responsibilities.

0:16:47.860000 --> 0:16:51.860000
 So we have the different roles and I've
 added more, pretty much all that

0:16:51.860000 --> 0:16:52.780000
 I could think of.

0:16:52.780000 --> 0:17:01.660000
 So ranging from SOC tier one, tier
 two and three executive leadership

0:17:01.660000 --> 0:17:04.540000
 legal and compliance team
 PR and communication team.

0:17:04.540000 --> 0:17:07.980000
 So there's two columns, the
 escalation responsibility.

0:17:07.980000 --> 0:17:12.400000
 So who is responsible for escalation
 and the communication responsibility.

0:17:12.400000 --> 0:17:16.300000
 So in the case of the SOC tier one analyst,
 they escalate low level incidents

0:17:16.300000 --> 0:17:18.260000
 to tier two or three.

0:17:18.260000 --> 0:17:22.580000
 The communication responsibility is
 to communicate internally within the

0:17:22.580000 --> 0:17:27.720000
 SOC team. For SOC tier two and three
 analysts, they escalate moderate

0:17:27.720000 --> 0:17:30.740000
 to high severity incidents
 to the IR team.

0:17:30.740000 --> 0:17:34.620000
 And the communication responsibility is
 to provide updates to the IR team

0:17:34.620000 --> 0:17:39.000000
 and the CISO or the CISO, I should
 say, in the case of the dedicated

0:17:39.000000 --> 0:17:43.560000
 incident response team, the escalation
 responsibility is to escalate high

0:17:43.560000 --> 0:17:46.660000
 and critical incidents to
 the CISO and management.

0:17:46.660000 --> 0:17:50.320000
 And the responsibility involves communicating
 with internal leadership

0:17:50.320000 --> 0:17:51.960000
 and technical teams.

0:17:51.960000 --> 0:17:56.380000
 In terms of the CISO, the escalation
 responsibility involves managing

0:17:56.380000 --> 0:17:59.700000
 escalation of critical events
 to external bodies.

0:17:59.700000 --> 0:18:03.280000
 And the communication responsibility
 involves communicating with executive

0:18:03.280000 --> 0:18:06.740000
 leadership, legal and compliance teams.

0:18:06.740000 --> 0:18:11.240000
 In the case of the executive leadership
 team, the escalation responsibility

0:18:11.240000 --> 0:18:16.920000
 involves escalating incidents that
 could impact business operations.

0:18:16.920000 --> 0:18:19.820000
 Who do they communicate this to?

0:18:19.820000 --> 0:18:23.940000
 They communicate this with shareholders,
 media and external stakeholders.

0:18:23.940000 --> 0:18:26.540000
 Then we have the legal
 and compliance team.

0:18:26.540000 --> 0:18:30.640000
 So the escalation responsibility here
 is to ensure regulatory requirements

0:18:30.640000 --> 0:18:36.900000
 are met. Who do they communicate
 with or to?

0:18:36.900000 --> 0:18:40.680000
 They handle communications
 with regulatory bodies.

0:18:40.680000 --> 0:18:44.480000
 The PR and communication team, escalation
 responsibility in this case

0:18:44.480000 --> 0:18:47.980000
 is to manage public facing communication.


0:18:47.980000 --> 0:18:52.880000
 And of course, obviously, the communication
 responsibility involves preparing

0:18:52.880000 --> 0:18:56.020000
 statements for public disclosure,
 if necessary.

0:18:56.020000 --> 0:19:01.540000
 So this final table gives you an idea as
 to what the escalation responsibility

0:19:01.540000 --> 0:19:08.460000
 per role or per team and the communication
 responsibility or who the information.

0:19:08.460000 --> 0:19:13.440000
 So what the escalation responsibilities
 are and what the communication

0:19:13.440000 --> 0:19:16.180000
 responsibilities are.

0:19:16.180000 --> 0:19:22.180000
 And more importantly, in the case of
 the outlines who the information

0:19:22.180000 --> 0:19:26.360000
 is being communicated to, which
 is very, very important.

0:19:26.360000 --> 0:19:30.420000
 In any case, with that being said, that's
 going to be it for this video.

0:19:30.420000 --> 0:19:32.820000
 And I will be seeing you
 in the next video.

