Getting incident response right: Part 2