Getting enterprise support

Because security incidents can touch so much of the organization, complete enterprise support is required when an incident is raised and action must be taken. Even the simplest external attack will involve a minimum of three teams to investigate and take action: security, network, and systems, because the attack traverses the network and the security tools and eventually reaches the target system. For the attack in this example to receive proper attention, there has to be a predefined agreement on the expected response time for the incident type and on which members of each team need to be involved. Incidents are inconvenient and do not occur according to the team's ability to respond. Their unexpected nature requires that whatever is actively being worked on be halted and immediate response action be taken. Giving security incidents this level of importance requires a senior management directive.

Once the directive has been communicated, a series of meetings should be held to explain the need for the capability and what is required from each team. IT teams and business units can offer valuable perspective that increases the adoption rate of incident response and identifies the individuals who are key to a successful implementation. The meeting, or series of meetings, can help with the development of the incident response process and establish the precedent of the process development and support, with regard to existing projects and day-to-day work that each team is responsible for supporting and producing, respectively.

Understanding the critical components of each team will drive the decision tree logic for developing a response priority and the overall criticality to the enterprise. Estimated asset allocation can be calculated based on previously observed incidents and will aid management in deciding what resources to commit and when those resources can and should be engaged for incident response. Giving the identified teams influence in building the incident response process ensures the most effective and responsive team possible.
