The process should be controlled by policy-defined individual(s).
In some cases, policy defines an individual responsible for incident handling. This is typically the CISO for anything related to information protection. The CISO then manages the incident handling process as appropriate to the need. Typically, the CISO will create teams such as those identified in the above process, but depending on the size and nature of the organization, other structures may be used.
The process should be controlled by the individual first encountering the incident.
When nothing else is defined, whoever identifies something as an "incident" will likely proceed in their own way to deal with it, or not, as they see fit. While this is not normally advised, it is de facto what happens when nothing else is put in place to systematically manage the process.
The process should be managed through a defined workflow process.
A defined workflow process is generally in place for any enterprise of managed or higher maturity. The workflow process may involve automation, such as help desk ticketing systems or other similar mechanisms, and may also involve manual processes like checklists or other standard approaches that are known to workers. Generally, these processes are documented if the enterprise operates at the managed level or above.
The process should be managed through a process defined by policy but not codified in workflow.
In cases where the enterprise has defined processes but does not have a workflow mechanism, or has yet to codify incident response in terms of such a system, the policy-defined process should be used. This is most often the case in an enterprise operating at the defined maturity level that has not yet, or does not wish to, operate at the managed maturity level or above.
The process should be managed through an ad-hoc process.
In enterprises operating below the "defined" level of maturity, or in situations where no defined process exists because of the novelty of the incident or the incompleteness of the defined processes, an ad-hoc process is necessary, but it should follow other aspects of enterprise process. This should be done at the repeatable maturity level, and definitions and processes should be updated to adapt to future incidents of similar types.
The process should be managed however the responders deem appropriate.
In cases where there is little or no definition of process and the enterprise is operating only at the initial or repeatable maturity level, whoever is responding to an incident will do whatever they see fit.
The enterprise should engage internal workers.
Enterprise employees or other internal workers are generally used in incident response when a sufficient internal capability is in place because there are enough incidents to warrant such a team, or when the issues are so sensitive that external workers would be unacceptable for one reason or another. Internal workers tend to know far more about how internal systems operate, especially when custom infrastructure, applications, or configurations are in use. They also tend to be intimately involved with day-to-day issues and to better understand the enterprise and how it works.
The enterprise should engage outside technical assistance.
Outside technical assistance is often required in incident handling when internal teams don't handle many incidents and therefore lack the knowledge and experience to handle them well, when specialized knowledge or additional personnel are required, or, less often, when legal issues or the potential involvement of insiders mandate that external expertise be used. Many companies outsource standard network intrusion handling to firms that specialize in this area, but use internal experts for platform intrusions or special cases.
The enterprise should engage outside private investigative assistance.
Whenever hunting down people or seeking the source of an incident, rather than just repairing affected mechanisms and restoring utility, an investigative process is required. Unless adequate internal investigation expertise is in hand and independent of the incident, outside private investigators are required. Generally, when an insider is suspected and the incident is serious, an outside expert is called in, if only to augment internal teams.
The enterprise should engage law enforcement.
When a crime has been committed, and especially when there is a threat to personal safety, involving law enforcement is vital. Failure to call law enforcement for certain types of matters may result in legal liabilities. For example, if a threat to health and safety is made via computers and it appears to be serious, private detectives may be the first call, but if such cases escalate, law enforcement is critical. If there is internal criminal activity, not calling law enforcement may turn decision makers into accessories after the fact and expose corporate officers to civil and criminal liability. For certain classes of crime, reporting to regulatory agencies may also be mandatory. As a rule, it is important to have thought through the possibilities in advance and to have a policy about when to call law enforcement. If this sort of decision has to be made in real time, errors can be very costly.
The enterprise should engage outside counsel.
Whenever legal issues arise and internal legal staff is either not sized to manage such matters or lacks the specific legal expertise required to handle the case, outside counsel should be brought in. Outside counsel is also used in cases involving top executives because of potential conflicts of interest and the potential for attempts, or the perception of attempts, to influence inside counsel.