Prior to building the incident response program, specific capabilities must exist. At a minimum, these should include adoption of a chosen framework; an understanding of the assets the entity must focus on protecting; documentation of the risks to the confidentiality, integrity, and availability of the assets; and assurance that all fundamental protective capabilities exist. Examples of these capabilities include:
Access-control processes and restriction of elevated privileges
Protection from misuse of data in motion, in use, and at rest
Hardening of hardware, based on ...