Drafting the response plan includes four main activities, according to Kenneth van Wyk, coauthor of Incident Response and director of technology for Tekmark Global Service's technology risk management practice. First, pull together a response team that broadly represents the entire organization - HR, legal, media relations - and build a phone list to make alerting the necessary people more efficient. Then, create an incident reporting form - a checklist of sorts - to help document the incident and track costs along the way. Next, build a flow chart detailing the process that the team should follow during an incident. And finally, map out a post-incident review process to ensure continuous improvement with your overall plan. Each part will play an important role in helping you deal with incidents before, during and after they occur.

Go Team

Incident response teams go by different names in different companies: Some call it the IRT; others use the acronym CIRT or CSIRT, for computer security incident response team. Whatever you call it, the group is pretty much your version of a SWAT team, called into action when a computer incident occurs.

Because every incident (and its potential effect on your systems) has its own particular traits and required responses, it's important to first get a grasp of the kind of incident-handling expertise your network staff and others on the team already have, says Walt Foultz, director of IT security for Farmers Insurance Group. "Incident response is not only a security activity," he says. "All sources of qualified and competent assistance must be assessed so you can be sure, collectively, that you have the skills to handle the job."

During the early stages of creating an incident response program, Foultz suggests surveying your potential team members to scope out the depth of their incident response skills and technical knowledge. Find out if anyone has a specialty, such as dealing with network probes ore-mail viruses. Foultz gives his own staff verbal pop quizzes to make sure they know their stuff. "One technique I use is to set up hypothetical situations, and they have to tell me what they'd do," he says. He also makes sure every staff member allocates a percentage of her regular work time to learn about the latest cyber incident trends and security technologies. "We do that with individual training and by disseminating internal research to the team through management and scheduled awareness sessions," he says.

How your team is structured depends on the skills and available resources within your company. Large companies often have response teams staffed with people dedicated solely to handling incidents, while smaller companies often create a team consisting of a core group of people from several IT and business departments who get tapped if something happens.