An on-site incident response team is called to investigate an alleged case of computer tampering within their company. The CEO classifies the incident as low level. How long will the team have to respond?

The main idea is that incident response times are set by how severe the incident is. When an incident is classified as low level, the organization expects a slower, but still timely, response because the impact is considered minimal. In this scenario, that means the on-site incident response team is given up to one working day to begin handling the case, perform initial triage, preserve evidence, and plan the next steps. Immediate action is reserved for critical or high-severity incidents, while four hours would be too aggressive for a low-severity case, and two working days would unnecessarily delay even routine investigation activities. So one working day is the appropriate window for a low-level classification.