The Response Team Charter

Typically, organizations require a charter before an IRT can be formed. A charter is an organizational document that outlines the mission, goals, and authority of a team or committee. It’s important that the legal department review the IRT charter for any language that might create a liability. Always assume an outside party may eventually view the charter.

The first step in writing a charter is to determine the type of IRT model to adopt. This part of the charter determines the authority, approach, and deliverable of the IRT. There are several types of IRT models:

  • IRT provides on-site response—The IRT has full authority to contain the breach.
  • IRT acts in a support role—The IRT provides technical assistance to local teams on how to contain the breach.
  • IRT acts in a coordination role—The IRT coordinates among several local teams on how to contain the breach.

Many IRTs provide on-site response. In this case, the IRT is given complete authority to contain the threat. This typically means an IRT member is on-site with hands on the keyboard providing technical response. This IRT model requires its members to have full authority to direct local resources. The IRT members make key decisions in consultation with upper management. The IRT members may be required to have a specific local expert execute a task; however, the expert executes the task under the direction of the IRT member.

When the IRT is in a support role, its members become a resource for the local team. The local team has the responsibility to respond to an incident leveraging the IRT’s skills. This model is useful in limited circumstances where the local site team has appropriate skills to respond to an incident. This model may also be viable when the application or system is specialized. For example, in a situation in which a system is used in a narrowly defined profession such as engineering software, the local team would be better equipped to deal with the incident.

When the central IRT is in a coordination role, it becomes a facilitator among parties involved in the incident response. This model is useful when the response covers multiple geographical regions. In this case, you might have to coordinate with IRTs in each location. In this model, the central IRT functions as the lead to facilitate the immediate response. The central IRT also coordinates the root cause analysis.

Once you determine the type of IRT model you’ll use, you need to construct the actual charter. This includes setting specific goals. The goals must be simple and realistic. Overly ambitious goals create both a credibility and an execution problem. It’s important during an incident that the team focuses on specific achievable goals. These goals can include response times to incidents and level of cost containment. These goals will be used to create policies and processes and influence the selection of tools. For example, if the charter requires an on-site response in 30 minutes or less, the goal will drive a certain staffing level.

The structure of the charter document itself is simple and concise. A typical charter includes the following sections:

  • Executive summary—Provides background on incident response and the importance it has to the organization. This section defines why the IRT exists and the types of incidents it handles.
  • Mission statement—Defines the overall goals of the IRT. It also describes what the IRT is responsible for achieving. The mission statement is used to gauge the effectiveness of the IRT.
  • Incident declaration—Defines an incident. It also describes how an incident is declared. This section becomes the basis for creating a process to activate the IRT.
  • Organizational structure—Documents how the IRT is aligned within the organization. It also indicates how the members are managed during an incident.
  • Role and responsibilities—Describes the purpose and types of activities for each IRT member. This is important in the selection of the right team members. It’s essential to remember that you need to fill these roles with capable individuals.
  • Information flow—Defines how information will be disseminated. It establishes the central team responsible for collecting, analyzing, and communicating incident information to the upper levels of management. This ensures the IRT is accountable for being the central point of contact.
  • Methods—Defines the way the goals will be achieved. This may include a list of services the IRT will provide.
  • Authority and reporting—Describes what authority the team has. This section defines the source of the IRT’s authority. For example, the authority can be assigned by upper management in response to specific regulatory requirements.

A charter would not contain a detailed line budget. Funding should be included in the department budget as an annual expense. This avoids having to rewrite the charter every time there are changes in the budget.
