2 - Email exchange is down for sometime and there is no email service : major incident ? or security incident ? or problem ?
I would like to know when to raise them ? Even though it is mentioned : NC is non-fulfillment of a requirement and security incident an unwanted event which Happened and lead to a compromise of business
Answer: The main criteria you can use to identify what you can rise is the type of impact on business caused by the situation. And you also should note that these options do not exclude each other, so for a same situation you can rise a security incident, a non conformance, a major incident and a problem. Let's take a look at your examples:
In example 1 we have a policy not being followed, so you can raise a non conformity. To know if the situation is also a security incident, we have to know if this caused any impact on the business, e.g., sharing of passwords caused an important file to lose its integrity when users attempted to update it at the same time from different locations. If no impact was perceived, you raise only the non conformity.
In example 2, you definitely have a security incident, but you have to identify which is the impact to classify it as a major incident. How many people were affected by the service downtime? Which business processes were affected? For example, the downtime happening during a Saturday night may have less impact than other happening at 3 pm on a Thursday. Regarding the identification as a problem, you only can use this classification when you do not know the cause of the downtime, because this situation will lead you to an additional effort to also discover the root cause of the situation, so you can try to eliminate it.