Function of cloud security incident preparation

The primary objective for an incident preparation team is to build process maturity and muscle memory for responding to major incidents throughout the organization. This includes helping prepare security, executive leadership and many outside of security.


Practice exercises have become powerful tools to ensure stakeholders are informed and familiar with their role in a major security incident. Participants of these exercises should include:

  • Executive leadership and board of directors to make strategic risk decisions and provide oversight.
  • Communications and public relations to ensure internal users, customers, and other external stakeholders are informed of relevant and appropriate information.
  • Internal stakeholders to provide legal counsel and other business advice
  • Incident management to coordinate activities and communications.
  • Technical team members to investigate and remediate incident.
  • Business continuity integration with organizational functions that own crisis management, disaster recovery, and business continuity plans.

Microsoft has published lessons learned and recommendations in the Incident Response Reference Guide.

Team composition and key relationships

Critical partners for security incident preparation are:

  • Security operations center (SOC).
  • External counsel as needed.
  • Media and communication training.
  • External partners and government agencies, if applicable.