Incidents involve both a source and destination. Sometimes they are one and the same, and sometimes both are victims. Once you have thoroughly explored the question of “What is the problem?” and developed a realistic list of likely incidents, you’re ready to move on to the next step in the planning process: defining who the clients are (clients are commonly referred to as a constituency in the incident response community). You should clearly articulate who the team is expected to be serving. Depending on the nature of your team, this can be a trivial exercise or it can be not so trivial. For example, a corporate team should be able to clearly say that its client base is anyone in the company experiencing an information protection crisis. On the other hand, a public resource team might have a tougher time defining its clients. Even for a corporate team, however, the lines aren’t always so clear. How about contractors’ outsourced systems, application hosting providers, networked partners? Are they covered by the team on behalf of the corporation? Or, if the corporation is a large one, it is likely that there are subsidiary companies, or that the team itself resides within a subsidiary company. In these cases, are the subsidiaries covered during an incident?