If you really want to be prepared for a cyber incident, you need to establish a cyber incident response team (CIRT) ahead of time. Your team should be made up of everyone you can think of who can help detect, diagnose and isolate an incident. Your team members should be identified beforehand, but as each event is unique, your team may change depending on the type of incident. Your cyber-response team is different from your broader incident management team, though they do work together.
Members of your team should include:
A team lead to keep a focus on minimizing damage and recovering systems quickly, while also protecting the team from interference so they can do their jobs. The team lead is on point until the situation is resolved and operations are back to normal.
Investigators, or your detectives. This is a technical team made up of specialized and talented internal individuals (and possibly external individuals). Your lead investigator, or technical resource, will direct the rest of the team, assigning tasks and processing feedback from other resources.
A forensics expert – If you’re fortunate, you’ll have the skills on your team to diagnose and isolate the incident. If not, you’ll want to be sure you have an IT person who is sophisticated enough to know when to call a forensic team in.
A communications person who is aware of any regulations and customer requirements for information sharing. This person will document the minute-by-minute actions of your team and manage the flow of information going towards the team. Careful documentation is critical as it may be used for legal discussions, media presentations and to keep executives informed.
Customer-facing individuals who communicate with internal and external stakeholders. This usually includes your helpdesk, customer support and account management people. It’s important that they provide only the information they have been instructed to provide, and only when instructed to.