The incident response team is the heart and soul of the incident response system and must have a clearly defined scope of responsibilities. The business as a whole must know that an incident response system is in place and that a team supports it. The team is a cross section of business groups, made up of professionals who come to the rescue when an emergency arises. By default, it has the authority to make command decisions in the best interests of the business. A successful team includes technical personnel, management, and legal and communications experts, each of whom owns a defined part of the incident response system. When you compile your team, you will need to assign people to the following roles:
Management
Technical lead
Legal support
Communications
Interface to the security committee
Security officer
The incident response team must be ready to respond the moment an incident occurs. To make that possible, create a high-level decision matrix that states, for each activity, which role does what. The matrix uses the following categories:
Owner: makes the decisions and owns the process
Helper: team member who assists with a process
Advisor: team member who advises on a process
Implementer: person or persons doing the work
Updater: team member who is kept updated with the status and actions of the other team members
Table 10.1 shows some examples.
Activity / Role | Technical Lead | Technical Staff | Legal | Communications | Management
---|---|---|---|---|---
Initial response | Owner | Implementer | Updater | Updater | Updater
Implements temporary fix | Implementer | Owner | Updater | Updater | Advisor
Sends communications | Advisor | Advisor | Advisor | Implementer | Owner
Checks with local law enforcement (or FBI) on incident | Updater | Updater | Owner | Updater | Implementer
Implements permanent fix | Implementer | Owner | Updater | Updater | Updater
Assesses financial impact to business | Updater | Updater | Advisor | Updater | Owner
The team the business compiles must meet the requirements of the business being protected. The most important step is to keep every department affected by an incident in the loop, because each may have steps of its own to perform in response to the event that affected it. Team membership will also need to be reevaluated periodically as needs change or as new components are added to the Internet system; reviewing the membership should be an ongoing process.