Business Continuity Event Planning: The Incident Response Team

In previous posts, we stepped through how to prepare for a business continuity event. This week, we begin examining how to build a response team and develop a plan to respond effectively to an event.

Overview of business continuity event (BCE) response

No amount of planning or redundancy can prevent process failure. When a BCE occurs, an effective response helps ensure minimal impact on customers, employees, and investors. It also provides input into a process which incrementally improves both prevention and response. Other benefits include:

  • The safety of employees is enhanced
  • Corporate liability due to lack of diligence is mitigated
  • Regulatory requirements are met
  • The organization’s public image is protected by a fast, professional response

Figure 1 depicts the BCEM process introduced in Part 1.  Response team responsibilities include detection, containment and mitigation, analysis, and remediation and measurement. 

Figure 1: BCEM Cycle

Building an Incident Response Team (IRT)

A BCE IRT is similar to a computer emergency response team (CERT).  However, it’s more inclusive.  A CERT typically focuses on security breaches and malware infestations, while a BCE IRT responds to any event which causes a degradation or failure of service delivery.  So for the purpose of our discussion, CERT responsibilities are a subset of those assigned to a BCE IRT.

Having the right segments of the business represented on the IRT is as important as understanding an effective team structure.  The following sample team description addresses both.

  • Team Manager.  The team manager has overall responsibility to ensure business objectives are met during a response.  He or she is also responsible for communicating status to senior management.
  • Technical Lead.  The technical lead is charged with assessing impact on the technology infrastructure.  He or she is also responsible for containment and recovery activities as they relate to information processing technology.  The technical lead supervises the following members of the IRT:

    • One or more network engineers
    • One or more programmers
    • One or more server engineers
  • Public Relations.  This person is responsible for communicating with investors, the press, and other outside entities.
  • Security.  Security encompasses facility, personnel, and information security.  If these are separate departments, each should be represented on the IRT.
  • IS Support.  The support team can

    • Assist with containment
    • Establish alternate methods of information processing when primary systems or network paths are disrupted
    • Assist with system recovery tasks
  • Facilities Management.  Responsibilities for resolving power issues, locating alternate facilities and coordinating the move to them, and structural assessments and repair fall here.
  • Labor Union.  If an organization’s employees are represented by a union, getting union leadership to the table can help defuse possible reaction to unusual management decisions and provide the employees’ perspective on events.
  • Representatives of Critical Business Functions.  When a single process fails, it might be enough to have one or two administration or operations teams represented.  However, a catastrophic event requires broader scope.  Prior to any event, representatives from critical areas of the organization should be identified, including:

    • Payroll
    • Accounts receivable
    • Human resources
    • Legal
    • Other financial services
    • Clinical services
    • Production management
    • Transportation

Preparing the team

Once the team members are identified, they should meet to begin building an incident response plan (IRP).  The plan should include all activities related to containing and mitigating effects and improving future response.  The plan is then used to train the team.

Thorough training produces a team which reacts to events quickly, without confusion.  It helps ensure all members understand their responsibilities, the roles of others, and team cooperation when it’s needed most.

The next post examines detection, containment, and mitigation activities.

For more information on CERT incident management, see Security Incident Management.

Copyright © 2008 IDG Communications, Inc.