Incident Response Team Members

The IRT members typically represent a cross-functional team. These team members are from several departments and bring together multiple disciplines. Being part of this designated team allows members to coordinate their efforts. They can also train together on how to respond to an incident. The team can offer a centralized, full-time service depending on the size of the organization and volume of incidents.

The IRT is composed of a core team supplemented with specialties, when needed. These specialties are brought in based on the type of incident. Usually, full-time IRT departments exist to support very large organizations and the government.

Most organizations activate the IRT when a major incident occurs. In this case, the management of the process comes out of the information security team. Members outside the security team have normal job responsibilities. In the event of an incident, the team is pulled together to deal with the immediate threat. Once the threat is stopped, the team’s mission shifts to incident analysis. This analysis determines the cause of the incident and formulates recommendations. Once the final report on the incident is issued, the team is disbanded.

The IRT usually includes members of the information security team along with representatives from other functional areas. Common IRT members include:

• Information technology subject matter experts (SMEs)—The information technology subject matter experts have intimate knowledge of the systems and configurations. These individuals are typically developers and system and network administrators. They have the technical skills to make critical recommendations on how to stop an attack. The SMEs chosen for each incident response effort will vary depending upon the type of incident and affected system(s).
• Information security representative—The information security representative provides risk management and analytical skills. He or she may also have specialized forensic skills needed to collect and analyze evidence.
• Human resources (HR) representative—The human resources representative provides skills on how to deal with employees. Breaches do not always come from outside attackers. When internal employees are involved, the HR representative can advise the team on proper methods of communicating and dealing with the employees. They are experts on HR policies and disciplinary proceedings or employee counseling.
• Legal representative—The legal representative understands laws and regulatory compliance. This person can be a valuable advisor in ensuring compliance. His or her work will involve reviewing the incident response plans, policies, and procedures. During an incident, the legal representative can help facilitate communication with law enforcement. This person can examine the ramifications of decisions. The representative can also provide expert guidance on legal issues, such as the notification of employees or customers affected by a breach.
  Legal representatives can also advise IRT members on how to conduct themselves to preserve attorney–client privilege. When investigations are conducted by a legal representative as part of his or her duties to an organization, the communication is considered confidential and not subject to certain disclosure.
• Public relations (PR) representative—The public relations representative can advise on how to communicate with the public and customers who might be impacted by the incident. This is valuable to ensure that accurate information gets out and damaging misconceptions are prevented.
• Business continuity representative—The business continuity representative understands the organization’s capability to restore the system, application, network, or data. This individual also has access to call lists needed to contact anyone in the organization during off hours.
• Data owner—The data owner understands the data and the business. As data owner, he or she understands how the data should be handled. The data owner understands the control environment. Because data owners are business leaders, they also understand the data’s impact to the business.
• Management—Management plays a key decision-making role. Management approves the response policy, charter, budget, and staffing. Management also makes the decision to turn to law enforcement and outside agencies. Ultimately, management is held accountable for the outcome of the incident response effort.

NOTE

Many organizations choose to route all communication with law enforcement agencies through their legal counsel. If an incident involving criminal conduct is mishandled, the organization can conceivably be liable. It’s important that all action be documented. This will help the company be seen as acting in good faith.

“Emergency services” is a broad category related to any outside agency. These agencies might include police, fire, and state and federal law enforcement. They bring government authority. They can also be useful in tracking down the identity of the attacker, in the case of a cyberbreach.

As can be seen from this list, the IRT has a vast array of skills available. You can add members as needed to deal with an incident. The team’s effectiveness will be determined by how quickly a coordinated and focused effort can be deployed. When the incident is a cyberattack, it is usually good to involve the appropriate authorities as soon as possible. Both the Federal Bureau of Investigation (FBI) and the U.S. Secret Service investigate cybercrimes. The sooner you involve them, the better.