The 10 Step Process for Building an Incident Response Team

We are all used to doing regular fire drills at the office or at school, and we accept the benefits of having defined roles and responsibilities should an emergency occur. It allows for a more organized response to a difficult situation. This kind of planning limits the damage that can be caused and it keeps everyone safe.  Well, the same is true with a cybersecurity Incident Response Team at work. Taking the time to plan for a worst-case scenario can limit damages and in the process preserve a company’s reputation.  

An incident response team is defined by Wikipedia as:

“..a group of people who prepare for and respond to any emergency incident, such as a natural disaster or interruption of business operations. ….This team is generally composed of specific members designated before an incident occurs, …”  In our case we are looking at an Incident Response Team for an organization that might include “computer incidents such as theft or accidental exposure of sensitive data, exposure of intellectual property or trade secrets...”

[Read more: 3 Vendor Risk Management Challenges and how to solve them]

At Ostendio we help a large number of companies who implement and maintain an Incident Response Team (IRT) as part of their overall security posture.  From working with those companies we have devised our own playbook for assembling a high-functioning Incident Response team:

1. Start with an executive or board-level support.

   The IT team normally drives the need for an IRT and if they have a champion on the executive board who understands the importance of being ready to deal with security breaches this can expedite the process of getting an IRT set up.  A high-level champion is also critical because you will be bringing together team members from the whole organization to work on a company-wide plan, so many departments will need to be on board.
   
   

2. Pull in external experts for help.

   If you don’t have the expertise in-house look for an experienced outside company that has the knowledge and experience to help with your broader security program as well as establish your IRT.  This can save you time and money when preparing your team.
   
   

3. Assemble the team with representatives from across the organization.

   Make sure you have included all departments on the team. Finance, PR, HR, marketing, legal, etc. will all have a role to play. It’s important to include PR as managing the public reaction to a breach can be a key part of the crisis response. 
   
   

4. Name a leader and define clear roles and responsibilities for team members.

   Appoint a team leader so the team knows who is in charge when there is a serious incident. Document each team member’s responsibilities. Plans should be in place to respond to as many foreseeable events as possible. Contingency plans should be prepared, communications strategies written and authority granted to those who will need it ahead of time. All this preparation work will ensure a smoother reaction should an emergency occur.
   
   

5. Allow for logistical considerations.

   Think about the locations of team members and how time zones could affect working together. Ideally, if your company is big enough, there should be at least two people from each department on the team. You should also make sure you have multiple contact points for each team member - home phone, cell phone, etc. in case you need to reach them outside of office hours.  Consider having a designated bridge number in case of a breach so that all members know how to connect quickly. Make sure there is an alternate way to connect in case of network connection issues - eg. text messaging rather than phone conversations.
   
   
   

6. Create a register of critical assets.

   Define and document what assets are critical to your company. Remember that an asset isn't just hardware. It can also be a person, a vendor, or any other artifact that is critical to the functioning of the business. Use a management tool that helps you handle the register of critical assets so that they are up to date at all times. Critical assets include PII and other sensitive data (about customers and employees) which may require formal notifications in certain situations.  Understand breach notification requirements for commercial contracts and/or to regulatory authorities.
   
   

7. Plan and conduct drills.

   There’s a reason we do fire drills and practice runs. Learn from the drills and improve the way the Incident Response Team handles different emergencies. For example, if there is a network security breach what teams would be involved, and how would the issue be communicated, tracked, and managed.  What would a successful outcome look like for your company? By conducting a drill your organization will have the experience to better handle the real thing should a breach occur.
   
   

8. Foster a culture of openness and security awareness.

   People on your Incident Response Team and in your company should be encouraged to speak up if they see something significant.  Building a culture of openness and security awareness can help mitigate incidents in the first place. Make sure regular security awareness training is part of your employee training.
   
   

9. Invest in technology to help you bulletproof your incident response team.

   Look for a tool that will help you assign roles on the team, document steps taken to respond to an incident, and allocate responsibilities to team members. It should have regular reminders to make sure that the plan is kept up to date. The best solutions (like Ostendio MyVCM) ensure that all incidents are tracked and managed centrally in the platform so you can see any patterns and commonalities in the incidents that occur. Make sure that everyone on the team has the training to use the tool effectively.
   
   

10. Publish and Maintain a Contingency Plan

    The plan needs to be available for the IRT to see, use and make comments/suggestions.  There should be a way that comments or suggestions can be assigned within the plan to a team member.  After each incident, the IRT should gather and reassess the plan to see if improvements can be made. If there are no incidents, the IRT should review the plan at least once a year to address changes in the environment, industry, or team members. Importantly, make sure the plan is accessible from two unique locations to ensure you are not left blind if the host location is unavailable as a result of the incident.