- Team Leader – Drives and coordinates all incident response team activity, and keeps the team focused on minimizing damage, and recovering quickly.
- Lead Investigator – Collects and analyzes all evidence, determines root cause, directs the other security analysts, and implements rapid system and service recovery.
- Communications Lead – Leads the effort on messaging and communications for all audiences, inside and outside of the company.
- Documentation and Timeline Leader – Documents all team activities, especially investigation, discovery and recovery tasks, and develops a reliable timeline for each stage of the incident.
- HR/Legal Representation – Since an incident may or may not develop into criminal charges, it’s essential to have legal and HR guidance and participation.
Since every company will have differently sized and skilled staff, we have described the core functions rather than the potential titles of incident response team members. So you might find that a single person could fulfill two functions, or you might want to dedicate more than one person to a single function, depending on your team makeup. That said, here are a few other key considerations to keep in mind:
- IT leads with strong executive support & inter-departmental participation.
When it comes to cyber security incident response, IT should be leading the incident response effort, with executive representation from each major business unit, especially when it comes to Legal and HR. While the active members of the incident response team will likely not be senior executives, plan on asking executives to participate in major recruitment and communications efforts.
- Clearly define, document, & communicate the roles & responsibilities for each team member.
While we’ve provided general functions like documentation, communication, and investigation, you’ll want to get more specific when outlining your incident response team member roles. Make sure that you document these roles and clearly communicate them, so that your incident response team is well coordinated and knows what is expected of them – before a crisis happens.
- Establish, confirm, & publish communication channels & meeting schedules.
Effective communication is the secret to success for any project, and it’s especially true for incident response. Print out team member contact information and distribute it widely (don’t just rely on soft copies of phone directories; chances are you may not have access to them during an incident). Include important external contacts as well, and make sure to discuss and document when, how, and whom to contact at outside entities, such as law enforcement, the media, or other incident response organizations like an ISAC (Information Sharing and Analysis Center).