so gonna kind of transition to the people within the Incident Response team. And within that policy, you want to have that incident response manager
and that incident response manager. He's going to be that single employee who may have one arm or designated alternates, but he should be in charge of the overall incident response. So in your fully outsource model, this person is going to oversee and evaluate that outsourcing work, which were just talking about
all other models generally have a team manager in and one of your deputies we're going to assume authority in the absence of that of that manager managing director.
So managers typically perform a variety of tasks, leading acting as a liaison, upper management and other teams and organizations. They defuse crisis situations, and the insured team has the necessary personnel resources and skills. So it's likely the manager may not even start responding to incidents. But he's going to be that
kind of directs resource is and your personnel in order to respond to that incident
So manager should be technically adapted and have excellent communication skills, particularly an ability to communicate to a range of audiences. So you have to consider who that manager's going to be talking to. You may be talking to someone who is very technically proficient. He may need to know those details,
but he may have to translate that to
Maybe a C may not have the technical knowledge that manager,
but managers are ultimately responsible for ensuring the incident response activities are performance problems.
So the next role we would have been the policy is going to be your incident response, lead and members of your incident response team.
So in addition to the team manager, the deputy, some teams also have a technical lead or a person who have strong technical skills and incident response experience, who's going to assume oversight and the final responsibility for the final quality of teams technical work.
So the position of the technical lead should not be confused with position of the incident lead. Larger teams often assign an incident. Lead is the primary POC for handling certain incidents or specific incident on the incident. Lead is held accountable for the incidents handle,
so depending on the size of the incident Response Team and the magnitude
of the incident, the incident lead may not actually perform the actual incident handling rather coordinate the handlers activities, gather information from the handlers and provide incident response updates to the group and ensure that the team's needs are met.
Members of the Incident Response team should have excellent technical skills. Such a system administration network administration
programming, technical support, our intrusion detection
every team member should have good problems about solving skills and critical thinking abilities. So it's pretty common on some of these incident response team configurations to maybe have a rotational basis of who's going to be the technical lead or the incident response lead for that day. That weaker that one.
And what that does is that's going to help
kind of the ability for the team. Have
Crossover said that individuals who know how to perform certain functions and tasks if somebody happens to be out of work or they happen to change jobs, get sick. It helps that team function better that way. Everyone knows exactly what's going on. What's expected?
uh, moving on. We have incident response interdependencies.
So management is going to be one of the first interdependencies that your team is going to have.
So management is going to establish the policy budget and the staffing for the teams. And ultimately management is going to be held responsible for coordinating incident response among the various stakeholders minimizing damage. Report to Congress O M B
the G A O if you happen to be a government agency,
or maybe they're gonna have to report to shareholders, are this the c e o c i o. It's all going to depend on how your organization works, but ultimately you're management is going to be responsible for reporting to those higher level entities.
So another end of interdependency that you're going to have this information assurance
so information security staff members made it to be involved in certain stages of the incident handling process. So prevention contained the eradication of recovery, for example, T all for network security controls, firewalls and rules set. So it made
extend over into your eye staff. If you don't have one of those
individuals on your incident response team to begin with,
I t support is going to be another interdependency. So I take technical experts. For example, system and network administrators not only have three needed skills to assess, but also usually have the best understanding of the technology they manage on a daily basis.
So this understanding can ensure that the appropriate actions are taken
for the affected systems, such whether to disconnect an attack system.
The next interdependency that you might have is going to be the legal department.
So legal experts should review incident response plans, policies and procedures to ensure their compliance with law. Federal guidance, the right to privacy. Maybe here
your policy within your department. Regardless, lawyers are gonna have to be involved to make sure everyone eyes legally covered and protected.
In addition, the guidance of your general counts of legal department
should be sought out. There's a reason to believe that an incident may have legal ramifications, including evidence collection, prosecution of the suspect or a lawsuit, or if there may be a need for some type of memorandum of understanding our other binding agreements involving liability of limitations for information sharing.
So generally, if you've got some type of legal question or legal requirement, I'm gonna have to involve lawyers, which will get into a little bit later in our legal discussion
interdependencies, continued public affairs and media relations, we kind of already handed on. That said, depending on the nature and the impact of an incident, need may arise to inform the media on by extension, the public. So again, if you had that target data breach the Sony hack,
you may end up adding to inform on you
customers about that incident. So getting those public affairs and media relations people involved is very important.
Human resource is is another interdependency that incident Response Team's may have to coordinate with.
So if an employee is suspected of causing an incident, three human resource Department may have to get involved for centrally assisting with disciplinary proceedings. Were fighting inflict
Also your Business Continuity Planning Department? They may also have to be involved, so organizations should ensure that incident response policies and procedures and business continuity planning processes are in sync.
So if your servers attack, maybe you're BCP team is going to have to get involved on order. The transition Teoh a different server, so computer security incidents undermined the business resilience of organization
businesses continue our continuity. Planning professionals should be made aware of incidents and their impact, so they confined to the business impact assessments, risk assessments and Continental operations plans
so further because businesses continuity planners have extensive experience in minimizing operational disruption during severe circumstances.
They may have that valuable information that could help the team remediate those incidents and get back to normal operating procedures. And an example of that could be a denial of service.
Uh, the next interdependency that you might experience is physical physical security facilities manager.
So some incidents occur through breaches of physical security and not necessarily technical security, are they? They involve coordinated, logical and physical attacks. So the Incident Response team may also need access to facilities during their response,
and we'll also need to secure an area, store, the recovered
data and on artifacts.