Chapter 5. Organizing for Incident Response

Chapter 4,"Forming and Managing an Incident Response Team," discussed establishing an incident response team. Unfortunately, this is often as far as some organizations go. All too often, a company will go through a major project to design, establish, and train an incident response team. After this is accomplished, the company forgets about it. Team members go back to other jobs, the team never meets or communicates, and when an incident occurs, the team is unprepared to react .

Forming a team is only the first step in the process. Regardless of whether the team is composed of full-time or part-time members, they must continue to coordinate and communicate. The team should be the primary point of contact within a company, not only for incident response per se but also for the formulation of policies associated with it.

The team also requires periodic training. The field of incident response changes rapidly as new technology is introduced. Many skills are perishable and require constant practice (or at least refamiliarization). When virtual teams are used, the members might be intimately familiar with their normal operations but might have forgotten that operations during an incident are anything but normal.