The company’s senior decision-makers need to be involved in incident response planning. For starters, they should have some degree of oversight and approval in the planning process. And, perhaps more importantly, they need to be available to make key business decisions during crises as requested by the Team Leader. In order to do that effectively, they must have a clear understanding of the role of incident response. One of the most effective ways of achieving that level of understanding is to hold mock incident exercises, when a situation is stepped-through and examined closely. Role-playing exercises are covered in more detail later in this chapter in Section 4.8.

The GC should be closely involved with the incident response team from the beginning. It should be part of the planning and execution of everything that the team does, making sure that the team’s actions are in compliance with any applicable laws. For example, a common investigative process in responding to an incident is to monitor a user’s activity on a network. While practical ten years ago, such actions have strong privacy implications today, and the GC must insure they are in compliance with the law and the company’s own policies. Similarly, during an actual incident, it is often necessary to expand an investigation outside of the local area -- sometimes out of the country. Naturally, any such activity also needs to be in compliance with the laws in those areas, and the company’s GC should closely protect the company’s liability exposure during incident response operations. While such reviews and authorizations can be accomplished during the development of the incident response process, good practices dictate that the GC be kept informed during an actual incident.

Incidents involving company employees sometimes require swift HR responses, from corporate policy validation to employee counseling or termination. For these reasons, it is best to keep HR involved and familiar with the incident response team’s activities.

Similarly, incident response operations frequently require the close synchronization and support of the PS department. Restricting or removing physical access to computer systems or office spaces is important when conducting internal incident response activities involving company employees.

In almost any information systems-related incident, the IT department plays an integral role, if for no other reason than they run the computers and network systems affected by the incident. However, during our time as responders, we’ve found that IT shops frequently feel that the incident response team is an adversary when it seems to swoop in and take charge of IT staff and resources during an incident. This sort of adversarial sentiment can be destructive and should be avoided at all cost. Not only should the IT department be included in the team’s planning and execution meetings, it should be treated as a key player whose sage counsel is well respected. They should not be in any way patronized, but treated as truly integral to the incident response process, because they usually are!

An often-overlooked yet vital detail is to involve law enforcement in the planning phases of an incident response program. Law enforcement, both local and national, should be approached during the planning of the team and included to an appropriate extent. One of the most useful things is to call the local police department and talk to the person responsible for investigating white collar crimes, usually the department that investigates computer crimes. Talk to them, get to know who they are, and find out their capabilities. From your chat, you should be able to determine if they have experience with computer-related crimes and are computer savvy. By getting to know them prior to an incident, you will better understand what to expect from them -- and they from you -- during an actual incident. Likewise with national law enforcement, find out who does what. In the United States, the principal national law enforcement agencies are the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI). The USSS typically investigates crimes involving financial fraud or theft, while the FBI investigates other online criminal activity. Talk to the local USSS and FBI representatives and get to know their capabilities, strengths, and weaknesses.

When an incident becomes widely known, public image is often one of senior management’s top priorities. Depending on the nature of the incident and the company’s business, the PR office’s involvement will vary, but public image and shareholder concern is always going to be a major motivator for the senior executives of the company. It is the job of the PR office to act as the company’s spokesperson and provide the executives with useful recommendations on what to say to the media. A mistake can carry disastrous results. Imagine a CEO who is not aware of the nature of the incident gets ambushed by the media, and in a panic simply says something like “No comment,” and brushes the reporters off. Most reporters will take this as a sure sign that a major incident really is taking place, even though the CEO didn’t say so. Prepare the entire team on what to say before the media asks for information; this can mean the difference between an image of a confident company correcting a minor problem and a company that has been overwhelmed by a security incident and is in a state of chaos. The PR office needs to be constantly informed of any even slightly substantive incident. As a corollary, the PR office should report media reports regarding the incident to the Team Leader -- such information is invaluable in drafting the incident report and determining the severity of the incident. We’ve found that there are three answers to such questions:

Anything else will send the reporters on wild hunts to dig up dirt, since they know you’re hiding something. Stay on top of rumors and media relations.

Although the board of directors isn’t always involved in the day-to-day operations of a company, it is frequently approached as senior executives by media, customers, and other companies. The directors can thus be vital parts of a company’s overall image, at the very least. Further, they are in charge of making the strategic decisions on the company’s direction. And, aside from the fact that they are likely to call and ask for it regardless, it is important to provide them with accurate and timely information during major incidents. The trick is in giving them the right amount of information. It is usually best for the incident response team to work with the senior management to put together information updates for the directors in a format that best suits everyone. The directors will need accurate information on major incidents and the incident response team would be well served to anticipate that and prepare executive-level briefings.

Clearly, any business unit that is impacted by an incident is going to rapidly become an integral part of the incident response process. However, it can make a lot of sense to inform the senior management of other business units as well. For example, if the media smells a story, they are likely to start making phone calls to everyone and anyone that they know in the company. If the PR office has worked with senior management, who, in turn, has briefed its employees on the company policy and procedure for media inquiries, the story that gets published is much more likely to contain the information the company wants to see in it. Furthermore, other business units, even if not directly impacted by an incident, may be indirectly impacted by it. Keeping the senior managers updated on the status of events will work wonders in controlling the rumor mill that accompanies every major incident.