George Wade, Lucent Technologies' regional security manager for North America, recommends casting a wide net when choosing your incident response team. The ideal team should include members of your IT security team who know the company's networks, applications and systems inside and out. Don't forget to include representatives from other departments in the company. Not all CSOs will include people from media relations on their response teams, Wade says. "But if someone defaces your corporate website and reporters suddenly start calling, you'll understand very quickly how important it is to have a company spokesperson informed and involved," he explains.

Some companies decide to involve their disaster recovery or business continuity departments in their response teams - the reason is that other voices often prove helpful when things really go wrong and systems need to be shut down completely.

The team also needs a certain degree of flexibility. "Response teams shouldn't be static," Wade says. "They can be added to or subtracted from at any time if you decide that something needs to change."

Once the team is in place, you'll need to create a contact list - a staple of any response plan, says van Wyk. "If you overlook creating one, you do so at your peril," he says. It's essentially a phone tree, including emergency phone, pager and e-mail information for members of your incident response team. The list should also include contact information for outside authorities, such as local and state police, the FBI, CERT and any third-party provider that your company may rely on for backup assistance. Contacting the authorities won't be necessary for every incident, but it's good to have the information at your fingertips.

For continuity purposes, list contacts according to job function, authority and skill set rather than by name. That way, if someone leaves the company, you won't have to rework the entire list. It also means that there's a clear reporting structure in place: When an incident occurs at 3 a.m., for instance, and the system administrator sleeps through his pager alarm, the team member who discovers the incident can quickly alert the next person in the chain of command.