Starting an IH/R program

Andrew Hay started a good discussion of how to get started with an incident handling / incident response program over at the Security Catalyst forums.
There’s lots of good information in there. As poster Dave Hull notes, academia is good for practising your IR stuff. There are both lots of intrusions, and lots of weird things that look like intrusions, but aren’t.
Like some of the posters there, I’ve taken the SANS 504 course, although I’m not sure that I would characterize it as an in-depth introduction to incident handling. It is as much about how to avoid doing the handling in the first place as anything else, although there is definitely some good stuff in there on IR/IH.
I haven’t checked out the NIST publications yet, although that’s not the first place I’ve seen reference to them.