Types of Incidents

We’ve covered most of the basic administrative, management, and political issues that a team planner is likely to face in implementing an incident response team. Now, the issues are more operational in nature. That is to say, the planning should turn to address the issues that most directly impact what the team will be doing, by whom, and for whom. With that in mind, what sort of incidents should the team anticipate? Anticipating what type of incidents to expect is, in essence, answering the question of “What is the problem?”; once you understand the problem, you can develop a solution set. Let’s preface an answer to that question by saying that, in the more than fifteen years that we’ve been performing incident response operations professionally, we’ve never hit a steady-state condition in which we have the luxury of simply coasting on past experiences without new situations cropping up. Nearly every incident we’ve worked on has presented a new challenge, whether technical, procedural, legal, or from a human interaction standpoint. As we’ve learned, Murphy loves to ride along and lend his unique brand of assistance during incidents. That having been said, what sort of incidents should you plan for?

Much of the answer to that question comes from within your own company. What sort of incidents have you seen to date, in the absence of a formal incident response program? Although it is possible the answer to that is unknown or undocumented, it is likely the question can ...
