Summary

Organizing and running an incident response team is an ongoing effort that requires continuous attention. It is not sufficient to pay consultants to come in, design a team, deliver a document, and walk away. The formation and design are only the first steps.

The acceptance of the team depends on its perceived capabilities, its ability to coordinate with other organizations, and the expertise and professionalism it displays when working with actual incidents. The team will not be successful until the other stakeholders in the company view it as an important ally in the protection and preservation of their data.

To gain that acceptance, the team must demonstrate that it is not a threat to other (perhaps rival) organizations but that it can provide them with support when needed and can assist them in their operations as well. Second, users must know about the team and must be willing to call on it when required.

The incident response coordination capability derives its authority from the company policies that establish it. This is not, in itself, sufficient. The team might be established by senior management and might report directly to the CIO. When established, however, the team must then begin the process of coordinating with other constituents. It must begin an ongoing training program to ensure technical expertise. It must establish, from the beginning, the highest standards of excellence when dealing with actual incidents. Anything less will doom the team to failure.