Computer Incident Response and Product Security: Operating an Incident Response Team

Chapter Description

This chapter covers aspects of running an incidence response team (IRT) such as team size, team member profiles, cooperating with other groups, preparing for incidents, and measuring success.

Advertising the IRT’s Existence

It is not sufficient only to have a team; other people must know about it. The team’s existence must be announced internally within the constituency and externally to other teams. Only when people know about the team will they ask the IRT for help. One of the more obvious things is to set up a website that explains what the team does and how it can be reached. But that should not be the end of the effort. A website is passive. The team must invest energy and actively introduce itself. That advertising can take many forms and not be limited to the following:

  • Attend and present at conferences and meetings.
  • Send letters to appropriate people within and outside the constituency.
  • Print posters and place them at visible places within the organization.
  • Print and give away mugs, pens, stationery, or similar giveaway items.
  • Include information about the team in new hire documentation packets, sales material, or a service offering prospectus.
  • Meet with key people within and outside the constituency, and talk to them about the team and its purpose.
  • Print an advertisement in a magazine or newspaper. Give interviews.
  • Broadcast an advertisement on the radio or TV.
  • Publish research papers or books.

All these actions can announce the team’s existence, its goals and missions, and publicize its achievements. Another goal, when possible, is to seek feedback on the team. How it is fulfilling its mission and how to improve. Nobody is that good that there is no room for improvement.

