Having an internal Incident Response (IR) team in your organization is important so that you are prepared and know how to respond when incidents and security breaches occur. The IR team is in charge of all measures for preventing and responding to incidents and attacks.
Read on to find out how to build an incident response team that will allow your organization to have an effective action plan in case of an incident.
Include these core positions in your incident response team
The incident response manager supervises and prioritizes all measures for the recognition, evaluation, and containment of the incident. They are in charge of communication and of conveying the details of high-severity incidents to the rest of the organization.
The manager is assisted by a team of security analysts who operate on the affected network to investigate all the details of the incident, such as its exact time and location. A triage analyst filters out false positives and watches for possible intrusions, while a forensic analyst retrieves crucial artifacts and preserves the integrity of the evidence so that the investigation remains sound.
These security analysts are further supported by threat researchers who provide the context of the incident and identify intelligence that has been reported externally. By combining external information with the company's existing records of previous incidents, they can build and maintain an internal intelligence database.
Secure cross-functional support
The IR team shouldn't be the only one in charge of addressing security breaches. The whole organization and all employees have to recognize and fully acknowledge the incident response plan to ensure that procedures run smoothly in an emergency. Each part of the company should have distinct duties during an incident.
Management is responsible for providing the necessary assets, funding, staff, and resources for planning, organizing, and executing incident response.
Audit and risk management specialists assist in developing threat countermeasures and vulnerability analysis and encourage their consistent execution across the organization.
An attorney makes sure that all collected evidence preserves its forensic value in case the company takes legal action. They can also advise on liability issues in case the incident has affected customers or the general public.
Finally, the PR department communicates with company team leaders and ensures that the appropriate information is passed on to shareholders and the press.
Internal communication is essential
During an incident, communication within the organization and across teams is crucial. It should be managed in a way that preserves the confidentiality of the information. The incident response manager must be the main point of communication, and important details, tactics, and procedures must be shared only with those who have a valid need to know. It's very important to avoid any indication that there's an ongoing investigation, to prevent tipping off the attackers.