...
- Who might be pulled into an incident response activity and what are their responsibilities?
- What counts as a real incident? How do you rate the criticality?
- How do you contain common kinds of incidents, such as account compromise?
- How do you determine when a service can be returned to normal operations or an account restored?
- How do you securely communicate with everyone who is investigating and responding to an incident?
[IR3]
The capability to collaborate in the handling of a security incident with affected service and resource providers, communities, and infrastructures.
I don't really know what is here that isn't already covered by procedures and communication channels. If this is about communicating with external infrastructures, then maybe all it is about is having a security point of contact and participating in relevant trust groups –Adam.
[IR4]
Assurance of compliance with information sharing restrictions on incident data obtained during collaborative investigations. If no information sharing guidelines are specified, incident data will only be shared with site-specific security teams on a need to know basis, and will not be redistributed further without prior approval.
A good privacy policy would cover this, but so would an understanding that the security team has some autonomy and shares on a need-to-know basis.
...
Some explanations from Dave Kelsey (my personal views - recalling the history)
...