4-1. Intrusion attempts, security breaches, theft or loss of hardware, and other security-related incidents perpetrated against the Company must be reported to the Data Protection Officer (hereafter referred to as DPO). Anyone with knowledge, or reasonable suspicion, of an incident that violates the confidentiality, integrity, or availability of digital information, should make an immediate report to the DPO.
4-2. The DPO, in collaboration with other appropriate staff, shall determine if a reported incident IS or IS NOT a confidential information “Security Incident”.
4-3. If the incident IS NOT considered a confidential information Security Incident, the incident shall be referred to an authorized employee who shall ensure that the incident is handled according to standard procedures.
4-4. If the DPO, in collaboration with other appropriate staff, determines that the incident IS a confidential information Security Incident, an Incident Response Team is formed. The purpose of the Incident Response Team is to determine a course of action to appropriately address the incident. The DPO shall designate the membership of the Incident Response Team. Normally, membership will include the DPO and appropriate individuals from the offices with primary responsibility for the compromised data.
4-5. It is the responsibility of the Incident Response Team to assess the actual or potential damage to the Company caused by the Confidential Data Security Incident and to develop and execute a plan to mitigate that damage. Incident Response Team members will not share information regarding the incident outside of the team unless it is on a need-to-know basis and only after consultation with and consensus by the entire team.
The Incident Response Team should review, assess, and respond to the incident for which it was formed according to the following factors, in decreasing order of priority:
Safety – If the system involved in the incident affects human life or safety, responding in an appropriate, rapid fashion is the most important priority.
Urgent concerns – Departments and offices may have urgent concerns about the availability or integrity of critical systems or data that must be addressed promptly. Appropriate staff shall be made available for consultation in such cases.
Scope – Work to promptly establish the scope of the incident and to identify the extent of systems and data affected.
Containment – After life and safety issues have been resolved, identify and implement actions to mitigate the spread of the incident and its consequences. Such actions might well include requiring that affected systems be disconnected from the network.
Preservation of evidence – Promptly develop a plan to identify and implement steps for the preservation of evidence, consistent with the need to restore availability. The plan might include steps to clone a hard disk, preserve log information, or capture screen information. Preservation of evidence should be addressed as quickly as possible in order to restore the availability of the affected systems as soon as practicable.
Investigation – Investigate the causes and circumstances of the incident, and determine future preventative actions.
Incident-specific risk mitigation – Identify and recommend strategies to mitigate the risk of harm arising from this incident. If, in the judgment of the DPO, the incident might reasonably be expected to have exposed confidential or personally identifiable information, a Senior Response Team shall be established. The Senior Response Team will determine which parties or individuals to notify of a Security Incident, who will make the decision to disclose to individuals, and which parties will make the actual disclosures. In making this determination, the following factors shall be considered:
● Legal duty to notify
● Contractual obligation to notify
● Length of compromise
● Human involvement
● Sensitivity of compromised data
● Existence of evidence that data were compromised
● Existence of evidence that affected systems were compromised for reasons other than accessing and acquiring data
● Additional factors in consideration by members of the Incident Response Team or Senior Response Team
The Company shall maintain a log of all confidential information Security Incidents, recording the date, the type of confidential information affected, the number of subjects affected (if applicable), a summary of the reason for the breach, and the corrective measures taken.
The Company shall issue a report for every confidential information Security Incident describing the incident in detail, the circumstances that led to the incident, and a plan to eliminate the risk of a future occurrence.
The Company shall provide annually to the DPO a report containing statistics and summary-level information about all known confidential information Security Incidents, along with recommendations and plans to mitigate the risks that led to those incidents.