It is the responsibility of the Incident Response Team to assess the actual or potential damage caused by the Confidential Data Security Incident, and to develop and execute a plan to mitigate that damage. Incident Response Team members will not share information about the incident outside the team except on a need-to-know basis, and only after consultation with, and consensus of, the entire team. The Incident Response Team should review, assess, and respond to the incident for which it was formed according to the following factors, in decreasing order of priority:
Safety – If the system involved in the incident affects human life or safety, responding in an appropriate, rapid fashion is the most important priority.
Urgent concerns – Departments and offices may have urgent concerns about the availability or integrity of critical systems or data that must be addressed promptly. Appropriate staff shall be made available for consultation in such cases.
Scope – Work promptly to establish the scope of the incident and to identify the systems and data affected.
Containment – After life and safety issues have been resolved, identify and implement actions to limit the spread of the incident and its consequences. Such actions may include requiring that affected systems be disconnected from the network. Containment should be coordinated with evidence preservation: disconnecting or powering off a system can destroy volatile evidence (running processes, network connections, memory contents), so that evidence should be captured first where it is practicable to do so without increasing the harm.
Preservation of evidence – Promptly develop and implement a plan to preserve evidence, consistent with the need to restore availability. The plan might include cloning a hard disk, preserving log information, or capturing screen information. Because restoring or rebuilding a system typically destroys the evidence on it, evidence should be preserved as quickly as possible so that availability of the affected systems can be restored as soon as practicable thereafter.
Investigation – Investigate the causes and circumstances of the incident, and determine future preventative actions.
Mitigation – Identify and recommend strategies to mitigate the risk of harm arising from this incident.
Prevention – We shall analyze every Confidential Data Security Incident and create a report describing the incident in detail, the circumstances that led to it, and a plan to eliminate or reduce the risk of a future occurrence.
Record Keeping – We shall maintain a log of all Confidential Data Security Incidents, recording the date, the type of confidential information affected, the number of subjects affected (if applicable), a summary of the cause of the breach, and the corrective measures taken. The DPO will maintain an internal record containing statistics and summary-level information about all known Confidential Data Security Incidents, along with recommendations and plans to mitigate the risks that led to those incidents.