MGT535: Incident Response Team Management

Provided by SANS
Study type
Distance learning

About the course

This course discusses the often-neglected topic of managing an incident response team. Given the frequency and complexity of today's cyber attacks, incident response is a critical function for organizations. Incident response is the last line of defense.

Detecting and efficiently responding to incidents requires strong management processes, and managing an incident response team requires special skills and knowledge. A background in information security management or security engineering is not sufficient for managing incidents. On the other hand, incident responders with strong technical skills do not necessarily become effective incident response managers. Special training is necessary.

The course has been updated to address current issues such as advanced persistent threats, incident response in the cloud, and threat intelligence.


Course Syllabus

MGT535.1: Incident Response Team Management

CPE/CMU Credits: 6


  • Incident Response - 6 Steps
  • Creating Incident Response Requirements
  • Developing Incident Handling Capabilities
  • Reporting, SLAs, Cost of Incidents
  • Setting up Operations


MGT535.2: Incident Response Team Management II

CPE/CMU Credits: 6


  • Managing Daily Operations
  • Navigating Executive Management
  • Advanced Persistent Threat
  • The Cloud
  • Legal and Regulatory Issues
  • Awareness and Outreach


Who Should Attend

  • Information security engineers and managers
  • IT managers
  • Operations managers
  • Risk management professionals
  • IT/system administration/network administration professionals
  • IT auditors
  • Business continuity and disaster recovery staff



No specific prerequisites are required for this course, but knowledge of technical terms is beneficial and will facilitate participation in class discussions. Prior to attending the course, it would be useful to gather statistics from your organization such as those listed below:

  • Incidents per month
  • Average time to detection
  • Lost devices per quarter
  • Average cost per incident
  • Annual expenditure on loss-prevention capabilities


