This includes not only the requirements needed to establish an enterprise incident response capability but also the necessary IT/cyber hygiene to ensure that enterprise and business unit information systems are properly defended.

The incident response program should not be siloed off from the rest of IT and information security planning. Considering this as the information responses capability is being planned any necessary technical updates that are discovered and are required to ensure that an information system is defensible should be captured and appropriately mitigated as part of the organization's risk management program.