Security-Team is currently keeping evidence in a few location, but mostly consolidated on mwlog* for now. This is owned by root at the moment which limits the team as only one member can fully manage the data. We also need a GID that we can use to manage files in general and settings etc. Additionally members of secteam who do engineering within prod (of which there is one atm) need a subset of commands.
In my mind this comes with:
secteam-admin (commands to be run generally such as tcpdump)
secteam-root (not sure if there is anything here at the moment)