
Project 11: Create and Train an Incident Response Team

Not all incidents can be prevented. If your organization has a security incident, you'll need to detect what occurred, minimize the loss, mitigate the vulnerability that was exploited, and restore operations.

These actions require a specially trained Computer Incident Response Team (CIRT).

For your CIRT to be effective, it needs Incident Response Policies and Procedures. A typical Policy includes:

• The organization's definition of an incident

• When the policy is to be used

• Roles and responsibilities of all parties involved

• Levels of authority

• A severity rating system for incidents

• Types of data that need to be collected

• Reporting chain of command

The CIRT also needs the appropriate personnel. In addition to a Director and Deputy Director, the team should include multiple technical personnel. All lines of business also need to be included:

• Management

• Telecommunications

• IT Support

• Legal Department

• Physical Security

• Human Resources

• Public Affairs

Not every line of business will be used for every incident. However, a representative from each line of business needs to be a trained member of the CIRT.

Once your team is established and trained, hold mock exercises to ensure that the appropriate procedures are being followed.

These mock exercises can consist of tabletop simulations, role-playing scenarios, and unannounced penetration tests (red teaming).
