Chapter 15. Incident Management with ESM

 

“Gettin’ good players is easy. Gettin’ ’em to play together is the hard part.”
--Casey Stengel

Incident Management Basics

In 2005, I conducted a webcast for the SANS Institute (SysAdmin, Audit, Network, Security) on incident management with a gentleman by the name of Matthew Klunder, a senior consultant with a big four consultancy firm. Together we explored the makeup of a strong incident management program and received some excellent feedback from SANS listeners. Since the webcast was tightly associated with ESM capabilities for incident management, I decided to build this chapter on the framework we used, and to include the details we garnered from listener feedback. This chapter will help summarize the ...
