Internal Teams

The next type of incident response team is an internal team. These teams are loosely modeled on the public CERT model, but are set up and funded to serve a much more limited community, such as a single corporation. Because they are smaller than public CERTs, internal teams can provide the sort of attention necessary for an organization to respond to incidents. Unlike a public team, the internal team is fully aware of all of the policies, procedures, and sensitivities of the organization. Also, by focusing inward, an internal team can usually call upon the resources of the entire organization when responding to an incident. Specialized technical talent, for example, can be matrixed into the team on an as-required basis.

Typically, internal teams are either funded through the corporate offices of the parent organization or are available on a charge-back basis, in which case the business unit pays for the services provided by the team’s resources. Hybrid funding can also be effective. For example, the corporate offices pay the basic recurring expenses such as salaries and training, and business units only pay for the on-site services that are above and beyond the norm, such as travel and other expenses incurred by the team in responding to an incident.

The issue of where to place the incident response team internally is very important, and has led to an enormous amount of strife inside organizations attempting to create their own response teams. Some say that incident ...
