The Incident Response Policy is intended to ensure that, in the event of a security incident, affected parties are informed and the Company takes the proper action to assess and resolve the situation, both in a timely manner.
The Incident Response Policy applies to all employees, guests, clients, vendors and contractors of the Company. The Incident Response Policy covers all computing or network devices owned, leased, or otherwise controlled by the Company. Incidents involving confidential information apply to any computer or network device, regardless of ownership, on which confidential or restricted information is stored or through which access to confidential or restricted information might be gained.
The Incident Response Team should review, assess, and respond to the incident for which it was formed according to the following factors, in decreasing order of priority:
Safety – If the system involved in the incident affects human life or safety, responding in an appropriate, rapid fashion is the most important priority.
Urgent concerns – Departments and offices may have urgent concerns about the availability or integrity of critical systems or data that must be addressed promptly. Appropriate staff shall be made available for consultation in such cases.
Scope – Work to promptly establish the scope of the incident and to identify the extent of systems and data affected.
Containment – After life and safety issues have been resolved, identify and implement actions to mitigate the spread of the incident and its consequences. Such actions might well include requiring that affected systems be disconnected from the network.
Preservation of evidence – Promptly develop a plan to identify and implement steps for the preservation of evidence, consistent with the need to restore availability. The plan might include steps to clone a hard disk, preserve log information, or capture screen information. Preservation of evidence should be addressed as quickly as possible so that availability of the affected systems can be restored as soon as practicable.
Investigation – Investigate the causes and circumstances of the incident, and determine future preventative actions.
Incident-specific risk mitigation – Identify and recommend strategies to mitigate the risk of harm arising from this incident. If, in the judgment of the DPO, the incident might reasonably be expected to have exposed confidential or personally identifiable information, a Senior Response Team shall be established. The Senior Response Team will determine which parties or individuals to notify of a Security Incident, who will make the decision to disclose to individuals, and which parties will make the actual disclosures. In making this determination, the following factors shall be considered:
- Legal duty to notify
- Contractual obligation to notify
- Length of compromise
- Human involvement
- Sensitivity of compromised data
- Existence of evidence that data were compromised
- Existence of evidence that affected systems were compromised for reasons other than accessing and acquiring data
- Additional factors in consideration by members of the Incident Response Team or Senior Response Team
The Company shall maintain a log of all confidential information Security Incidents, recording the date, type of confidential information affected, number of subjects affected (if applicable), summary of the reason for the breach, and corrective measures taken.
The Company shall issue a report for every confidential information Security Incident describing the incident in detail, the circumstances that led to the incident, and a plan to eliminate the risk of a future occurrence.
The Company shall provide annually to the DPO a report containing statistics and summary-level information about all known confidential information Security Incidents, along with recommendations and plans to mitigate the risks that led to those incidents.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.