An incident can have many business implications and is notjust a technical issue. For this reason, the incident response committee has tobe made up of individuals from different departments to give as manyperspectives as possible. The following stakeholders, who represent thecross-section of an organization, can be included as the personnel in theincident response committee:Management: The management is the most important stakeholderas it is responsible for supporting all the incident response processesfinancially, through the budget process. In addition, it is also in charge ofconveying the significance of security to each level of the organization;therefore, the management’s endorsement of the incident response plan bringslegitimacy to the IR procedure. It is also responsible for signing off thedocumentation that details the authority of the IR team during the incident.They have to pre-approve shutting down of vital systems and services if neededto limit the spread and effect of the incident. Subject matter experts: They are the technical personnel whoare experts in different departments such as database administrators, networkadministrators, developers, system administrators, etc.
They have the necessarytechnical expertise to assist with the IR plan and can provide appropriateactions to be taken as a response.Human resources: The HR department assists with handling theemployees in the incident related to the employee actions. For instance, if anemployee violates the organization’s policy by sharing confidential informationwith or without malicious intent, plugging in a flash drive when it is againstthe policy, or repeatedly responding to phishing emails in spite of training insecurity the employee may have to be terminated, and this involves creation ofpolicy and procedure by HR department. Furthermore, during the incidentresponse, certain employees may need over time and others may be called inwhile they are off work, and the HR needs to be involved while planning for suchsituations.Information security experts: They are security analysts andmalicious logic experts who are responsible for research, forensics, andresponding to malicious logic infections of an incident. They are experiencedprofessionals in network security, application security products, and attackmethods. They are included in the IR planning committee as their research givesthe details of the incident and actions involved in responding to the incident.
Legal counsel: The legal department reviews the incidentresponse plan, policy, and procedure so that the steps the IR team performs arewithin the legal guidelines. In addition, it also reviews non-disclosureagreements that support incident response actions. If the incident affectsvendors and business partners, the legal experts will be involved in assessingand managing the liabilities. The Legal counsel will also guide in the creationof service level agreements and contracts. Furthermore, if the incidentinvolves stealing intellectual property or copyright infringement, they willprovide legal guidance for the prosecution. In cases where reporting on theincident is necessary because of government regulations, the legal counsel willreview the requirements for reporting. The legal counsel acts as a filter forthe public relations team when the information about the incident is needed tobe made available to the public.
Marketing: The marketing department is responsible forraising the employee awareness and understanding of security policies bydeveloping and distributing educational materials. The marketing team will alsowork with the legal counsel to communicate internally within the organizationabout the incidents. The public relations team of the marketing department hasto get involved with the legal department in order to communicate about theincidents to the customers, media, and investors.
In addition to that, theyhave to be involved with the technical team, who can translate the technicalterminology into something a normal person can understand, so that they canpresent the technical information in an approachable manner to broaderaudiences. The marketing team must be a part of IR planning committee alongwith the legal department and the technical department because it has to planand practice on being the public face of the incidents.Physical security: This team is responsible for detecting,using different intrusion detection technologies, the physical intrusions intoan unauthorized area. It also involves allowing the IR team to access thesystems at the intrusion location for recovery. Physical security team canassist in planning for such breach of physical security incidents being in theIR planning committee.Documentation specialists: Including a documentationspecialist in the planning committee results in clean documentation thateveryone in the IR team can understand regardless of their department.
Apart from the abovementioned internal stakeholders in IR planning committee, there can also beexternal stakeholders included, after the necessary nondisclosure agreementsare signed, such as the following:Vendors: The software and hardware vendors can be includedon the planning committee as they can provide important patches,troubleshooting guidance, etc. Contractors: If the incident cannot be resolved inside theorganization, the job can be given to outside contractors. In such cases,contractors can be included in the IR planning committee.