The Incident Response Policy is intended to ensure that, in the event of a security incident, affected parties are informed and that we take the proper action to assess and resolve the situation, both in a timely manner.
This policy applies to all of our employees, clients, vendors and contractors. It also covers all computing or network devices owned, leased, or otherwise controlled by us. For incidents involving confidential information, the policy applies to any computer or network device, regardless of ownership, on which confidential or restricted information is stored or through which access to confidential or restricted information might be gained.
Any intrusion attempts, security breaches, theft or loss of hardware, and other security-related incidents perpetrated against us must be reported to the Data Protection Officer (hereafter referred to as the “DPO”). Anyone with knowledge, or a reasonable suspicion, of an incident that violates the confidentiality, integrity, or availability of customer information should make an immediate report to the DPO. Customers can contact firstname.lastname@example.org to report an incident.
A) The DPO, in collaboration with other appropriate staff, shall determine if a reported incident is a confidential information “Security Incident”.
B) If the incident is not considered a confidential information Security Incident, the incident shall be referred to an authorized employee who shall ensure that the incident is handled according to standard procedures. If a customer reported the incident, they shall be notified of the actions taken.
C) If the DPO, in collaboration with other applicable staff, determines that the incident is a confidential data Security Incident, an Incident Response Team is formed. The purpose of the Incident Response Team is to determine a course of action to appropriately address the incident. The DPO shall designate the membership of the Incident Response Team. Normally, membership will include individuals with primary responsibility for the compromised data and the DPO. If an institutional customer reported the incident and their confidential data was directly affected, the Incident Response Team will notify the customer that the incident has been escalated and an Incident Response Team has been formed.
It is the responsibility of the Incident Response Team to assess the actual or potential damage caused by the Confidential Data Security Incident, and to develop and execute a plan to mitigate that damage. Incident Response Team members will not share information regarding the incident outside of the team unless it is on a need-to-know basis and only after consultation with and consensus by the entire team. The Incident Response Team should review, assess, and respond to the incident for which it was formed according to the following factors, in decreasing order of priority:
Safety – If the system involved in the incident affects human life or safety, responding in an appropriate, rapid fashion is the most important priority.
Urgent concerns – Departments and offices may have urgent concerns about the availability or integrity of critical systems or data that must be addressed promptly. Appropriate staff shall be made available for consultation in such cases.
Scope – Work to promptly establish the scope of the incident and to identify the extent of systems and data affected.
Containment – After life and safety issues have been resolved, identify and implement actions to mitigate the spread of the incident and its consequences. Such actions might well include requiring that affected systems be disconnected from the network.
Preservation of evidence – Promptly develop a plan to identify and implement steps for the preservation of evidence, consistent with needs to restore availability. The plan might include steps to clone a hard disk, preserve log information, or capture screen information. Preservation of evidence should be addressed as quickly as possible in order to restore availability of the affected systems as soon as practicable.
Investigation – Investigate the causes and circumstances of the incident, and determine future preventative actions.
Mitigation – Identify and recommend strategies to mitigate the risk of harm arising from this incident.
Prevention – We shall analyze every confidential information Security Incident and create a report describing the incident in detail, including the circumstances that led to the incident, and a plan to eliminate the risk of a future occurrence.
Record Keeping – We shall maintain a log of all confidential information Security Incidents, recording the date, type of confidential information affected, number of subjects affected (if applicable), summary of the reason for the breach, and corrective measures taken. The DPO will maintain an internal record containing statistics and summary-level information about all known confidential information Security Incidents, along with recommendations and plans to mitigate the risks that led to those incidents.
If, in the judgment of the DPO, the incident might reasonably be expected to have exposed confidential or personally identifiable information, a Senior Response Team shall be established. The Senior Response Team will determine:
- which parties or individuals to notify of the Security Incident;
- who will make the decision, based on the prevailing information, to notify the individuals involved;
- which party will perform the notifications to affected individuals.
In making this determination, the following factors shall be considered:
- Legal duty to notify
- Contractual duty to notify
- Length of compromise
- Human involvement
- Sensitivity of compromised data
- Existence of evidence that data were compromised
- Existence of evidence that affected systems were compromised for reasons other than accessing and acquiring data
- Any additional factors relevant to the incident.
Once a determination has been made, the DPO will immediately notify the customer affected by the Security Incident and take appropriate next steps in coordination with their internal information security team.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.