Establish a RACI for incident response. The following roles should be included:
Security Architecture
Security Engineering
Incident Response
Security Operations Center
Digital Forensics
Incident Lead
Chief Information Security Officer
MSSP
Third-Party IR
Include the following tasks:
Write team charter
Write IR plan
Write RFP for MSSP and TP IR
Collect evidence
Triage alerts
Respond to incident
Design security tools
Implement and maintain security tools
Manage incident
Supplement security operations
Supplement IR
Establish and submit budget
Report security issues to the board