List of Contacts

Creating and maintaining an up-to-date list of people, phone numbers, pager numbers, and email addresses is tedious, boring, and time-consuming. And yet, not having one (or having an incomplete or incorrect one) is the kiss of death for a response team. As mentioned in the opening paragraphs of this book, one of the first lessons an incident response team learns is that all major incidents start on Friday afternoons. Also, major incidents almost always involve intense, stressful activity during the wee hours of the night. Not being able to reach a vital contact such as a system administrator at 3:00 a.m., when that person is really needed, can be disastrous.

That being the case, a good contact list should be considered the team’s most valuable asset. The list should be checked frequently, kept up to date, and readily accessible to all team members. That isn’t to say it needs to contain every person in the company or contracted by the company to assist in an incident; in some cases, calling the 24x7 Network Operations Center and requesting that So-and-So be paged is sufficient.

The contact list should contain information about the person’s job function, authority, and perhaps skill sets, making it as easy as possible for the response team to find a person when needed. If the team doesn’t know the person by name, then they should be able to look up the person by position, organization, job function, or skill set.

This all sounds wonderful and easy to do, but the truth is that it is anything but easy. Populating the list or database is difficult enough, but maintaining it when someone leaves the company or changes jobs can be next to impossible. So, another piece of information for each record should be the date that the information was last updated or verified. Tracking that can help flag entries that haven’t been cared for in a long time -- depending on your company’s definition of “long” -- and alert someone to verify it. Part of the team’s “other duties as assigned” should be to keep the database up to date.
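To make the two preceding points concrete, here is a small contact registry, added as an illustration and not taken from the book: each record carries the fields the chapter recommends (job function, organization, authority, skills, last-verified date), lookups work by position or skill rather than name, and a staleness report flags entries whose verification date is older than the company's chosen threshold. The field names, the 90-day default, and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Contact:
    # Fields mirror what the chapter says a record should carry (names assumed)
    name: str
    organization: str
    job_function: str
    phone: str
    email: str
    pager: str = ""
    authority: str = ""                    # e.g. who may approve taking a system offline
    skills: frozenset = frozenset()
    last_verified: Optional[date] = None   # None means never verified

def stale_contacts(contacts, today, max_age_days=90):
    """Entries not verified within max_age_days; never-verified first, then oldest first."""
    cutoff = today - timedelta(days=max_age_days)
    stale = [c for c in contacts if c.last_verified is None or c.last_verified < cutoff]
    return sorted(stale, key=lambda c: (c.last_verified is not None, c.last_verified or date.min))

def find_contacts(contacts, job_function=None, organization=None, skill=None):
    """Look up people by position, organization or skill; every given filter must match."""
    hits = []
    for c in contacts:
        if job_function and c.job_function.lower() != job_function.lower():
            continue
        if organization and c.organization.lower() != organization.lower():
            continue
        if skill and skill.lower() not in {s.lower() for s in c.skills}:
            continue
        hits.append(c)
    return hits

# Constructed sample records (not real people or numbers)
SAMPLE = [
    Contact("A. Admin", "IT Ops", "system administrator", "555-0101", "aadmin@example.com",
            pager="555-0901", skills=frozenset({"unix", "dns"}), last_verified=date(2024, 5, 15)),
    Contact("B. Net", "IT Ops", "network engineer", "555-0102", "bnet@example.com",
            skills=frozenset({"routers", "firewalls"}), last_verified=date(2024, 1, 10)),
    Contact("C. Legal", "Legal", "counsel", "555-0103", "clegal@example.com",
            authority="approves contact with law enforcement"),
    Contact("D. Vendor", "DBCorp (contract)", "database support", "555-0104", "dvendor@example.net",
            skills=frozenset({"oracle", "unix"}), last_verified=date(2023, 11, 1)),
]

if __name__ == "__main__":
    print("verify:", [c.name for c in stale_contacts(SAMPLE, date(2024, 6, 1))])
    print("unix:", [c.name for c in find_contacts(SAMPLE, skill="unix")])
```

Running the stale report on a schedule (and treating a never-verified entry as the most urgent) is what turns the "last verified" field into the alert the chapter describes.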

As a final note on this topic, be sure to include the people who are essential in the incident response process regardless of whether they work for the company or not. The contacts should include local and national law enforcement, external incident response teams, and technical experts who are on contract to support critical systems.
