so people know what to do, their priorities, who does it with preapproved authorization to spend money or use time.
turn off compromised systems
disconnect from network
Resources available for response:
people of correct skills
tools to get info about activities
external support: security response organizations, consultants, law enforcement
implies some public awareness of incident.
Legal review of plan: so it's enforceable & defensible
consistent with other policies & procedures
best practices in the industry