Roles & Responsibilities of IR Team
IR Management-
- Management Staff
- Ownership of Incidents lies with IR Management & IR Core Team
- Presides over information shared with public or customers
- Tracks progress for Incidents from IR Core Team or its Lead
- Need not be technical staff
IR Core Team-
- Ownership of incidents lies jointly with IR Management & IR Core Team
- Consists of Infosec Experts, Incident Handling Experts, Disaster Recovery Experts, Forensics Experts etc.
- Strategizes security infrastructure changes & implementations, aligning them with business goals
- Domain Experts are here, while Technical Assessment Team may also have a few domain experts
- Tracks attack scenario through Technical Assessment Team
- Reports attacks, if any, to the Contact Lead or Technical Assessment Team as required
- Reports directly to IR Management the progress and ROI for security infrastructure
- During an incident, the IR Core Team & Technical Assessment Team may coordinate and act as a single team to solve issues faster
- Coordinates with Legal Officers in Secondary IR Team during process
Communication team-
- Consists of Public Relations Officer for public or media communications
- Consists of Contact Lead; anyone who notices an incident will report to him/her
- Communicates with the larger audience, like employees, in situations where help is needed, only if the IR Core Team directs
- In the event of a breach, customers need to be informed; however, IR Management should be involved here
Public Relations Officer- To tackle any public or media inquiry, this should be the resolving point. Communication is key, as incidents will affect brand value, and it is best handled by the public relations officer or team.
IR Technical assessment & Forensics team-
- Consists of Network & System engineers, System & DB admins, Social Engineers
- Post Incident Data Collection, Preservation & Tracking the incident by Forensic experts
- Forensic Experts will identify evidence and use standard techniques for preservation
- Assessing data loss, infected systems and isolation of such systems
- Assessing 'Escalation Levels' in the event of an incident and consulting the IR Core Team
- Incorporating further steps for best prevention and sealing backdoors after consulting the IR Core Team
- Maintains a log of all handled incidents with the corresponding steps used to control/solve each. Technical Support should have at least read access to this file.
Technical Support Team or IR Support Team-
- Provides all support during incident
- Actions will be directed by Technical Assessment Team
- Checks the incident log and guides according to how earlier incidents were handled
- If the nature of the incident is new, it needs to be escalated and the Technical Assessment Team involved
- Depending on the size of the organization separate support teams may be used to better support incidents vs technical issues.
Secondary IR Team (HR, Legal, Training)-
- Consists of HR, Training staff, Finance, Legal, Audit staff
- Legal & Finance staff are involved in various stages of an incident
- HR & Training staff are involved in resource management and skills
- Training staff is highly technical and can participate actively during an incident
- Training staff is also responsible for awareness in the enterprise for easier attack identification and to reduce common human errors like phishing etc.