How to create a computer-emergency response team

Perhaps the most important thing needed for a successful recovery from a data breach is a prebuilt team of employees, pulled from different departments, who can lead the company out of crisis.

See related story "The do's and don'ts of data breaches"

According to security professionals and consultants, incident- or computer-emergency response teams are essential to helping an organization work through a data breach or other cyberincident, such as a worm or a denial-of-service attack, that exposes sensitive information to unauthorized access.

Poll: Does your company have an incident-response team in place?

Such teams range in size and scope depending on the organization, but they have a few basic elements in common that enable them to limit the damage done:

* Representation from all affected departments, including IT, human resources, public relations, marketing, legal, compliance and others. Identifying at least one person from each of these departments to be part of the team, sit in on meetings, and offer input and approval of response plans, is best done before an incident happens.

“If you’re in the middle of the crisis [without a response team], you would have to figure out who the right people are [in each department] and you might make some wrong decisions,” says Randy Barr, CSO of WebEx. “And people may have different ideas of what should happen. Then you’ve lost the ability to respond quickly.”

* A clear communication channel with the executive team. At WebEx, Barr built a security committee and a security council. The committee, composed of employees from a number of departments, meets once a month. Issues they can’t settle are sent for a ruling to the council, which includes officers of the company. The council meets once a quarter for thirty minutes to keep up-to-date on security issues and to provide feedback to the company’s board of directors.