The incident response team is made up of a variety of members or actors operating at different levels of frequency. Some team members are dedicated, working full time. A full-time team member may function as the response coordinator for a specific incident and as the principal investigator. Full-time team members are core members of the incident response team. Core members may perform pro-active services to identify or avoid an incident. They may also perform post-mortem activities reviewing past incidents to identify patterns or response challenges depending on the scope of response activities.
However, there are also extended members of the team including outside contractors and specialists. The extended members of the team may be regular participants involved in two or more incidents each month. This might include representatives from Human Resources or Legal departments.
Other extended team members may only be involved for specific actions or specific types of incident. Contractors that assist with forensics during a breach may not be called on often. Outside legal counsel may be contacted whenever an employee is involved in a matter where legal action is possible.
The response team may also leverage existing organizational resources for normal, operational services. The security department may be contacted to de-activate an identification badge also used for physical access to facilities. The computer help desk may be contacted to change a password if it appears to be compromised.
Engage the extended team members on a regular, pro-active basis to confirm their role and refresh their awareness. Even run desktop exercises simulating an incident response. This saves time when executing a real incident response.