An incident can have many business implications and is not
just a technical issue. For this reason, the incident response committee has to
be made up of individuals from different departments to give as many
perspectives as possible. The following stakeholders, who represent a
cross-section of the organization, can be included in the incident
response committee:
Management: Management is the most important stakeholder
because it is responsible for supporting all the incident response processes
financially, through the budget process. It is also in charge of
conveying the significance of security to each level of the organization;
the management’s endorsement of the incident response plan therefore brings
legitimacy to the IR procedure. It is also responsible for signing off on the
documentation that details the authority of the IR team during the incident.
Management has to pre-approve the shutdown of vital systems and services if
needed to limit the spread and effect of the incident.
Subject matter experts: These are the technical experts from
different departments, such as database administrators, network
administrators, developers, system administrators, etc. They have the necessary
technical expertise to assist with the IR plan and can recommend appropriate
actions to be taken as a response.
Human resources: The HR department assists with handling
employees when an incident is related to employee actions. For instance, if an
employee violates the organization’s policy by sharing confidential information
with or without malicious intent, plugging in a flash drive when it is against
the policy, or repeatedly responding to phishing emails in spite of security
training, the employee may have to be terminated, and this involves the creation
of policy and procedure by the HR department. Furthermore, during the incident
response, certain employees may need to work overtime and others may be called in
while they are off work, and HR needs to be involved while planning for such
Information security experts: They are security analysts and
malicious logic experts who are responsible for research, forensics, and
responding to the malicious logic infections in an incident. They are experienced
professionals in network security, application security products, and attack
methods. They are included in the IR planning committee because their research
provides the details of the incident and the actions involved in responding to it.
Legal counsel: The legal department reviews the incident
response plan, policy, and procedure so that the steps the IR team performs are
within the legal guidelines. It also reviews the non-disclosure
agreements that support incident response actions. If the incident affects
vendors and business partners, the legal experts will be involved in assessing
and managing the liabilities. The legal counsel will also guide the creation
of service level agreements and contracts. Furthermore, if the incident
involves theft of intellectual property or copyright infringement, they will
provide legal guidance for the prosecution. In cases where reporting on the
incident is necessary because of government regulations, the legal counsel will
review the requirements for reporting. The legal counsel acts as a filter for
the public relations team when information about the incident needs to be
made available to the public.
Marketing: The marketing department is responsible for
raising employee awareness and understanding of security policies by
developing and distributing educational materials. The marketing team will also
work with the legal counsel to communicate internally within the organization
about the incidents. The public relations team of the marketing department has
to work with the legal department in order to communicate about the
incidents to the customers, media, and investors. In addition, they
have to work with the technical team, who can translate the technical
terminology into something a normal person can understand, so that they can
present the technical information in an approachable manner to broader
audiences. The marketing team must be a part of the IR planning committee along
with the legal department and the technical department because it has to plan
and practice being the public face of the incidents.
Physical security: This team is responsible for using
different intrusion detection technologies to detect physical intrusions into
unauthorized areas. Its role also involves allowing the IR team to access the
systems at the intrusion location for recovery. As part of the IR planning
committee, the physical security team can assist in planning for such
physical security breach incidents.
Documentation specialists: Including a documentation
specialist in the planning committee results in clean documentation that
everyone in the IR team can understand regardless of their department.
Apart from the above-mentioned internal stakeholders in the IR planning
committee, external stakeholders can also be included, after the necessary
nondisclosure agreements are signed, such as the following:
Vendors: The software and hardware vendors can be included
on the planning committee as they can provide important patches,
troubleshooting guidance, etc.
Contractors: If the incident cannot be resolved inside the
organization, the job can be given to outside contractors. In such cases,
contractors can be included in the IR planning committee.