Incident Response Policy and Procedure

Purpose

When an incident occurs which affects the confidentiality, integrity, and availability of Evercam’s or our Clients’ information and associated assets, a fast, practiced response is critical to minimising the potential impact of the incident. A failure to properly plan for, and respond to, incidents may put our services, and the information of our employees, customers, and third-parties, at risk, resulting in reputational damage and potential financial loss. This document details how our organisation responds to incidents.

Scope

This procedure shall be applied to all information security incidents that may impact the information and information systems that fall within the scope of our ISMS.

Audience

All employees, contractors, and third-parties who have a role in identifying and responding to incidents that impact our information and information systems shall follow this Incident Response Procedure. These people include, but may not be limited to:

For the purposes of this document, the employees, contractors, and third-parties who have a role in our incident response procedures shall be collectively referred to as “incident responders”.

Communication

This Incident Response Procedure shall be communicated to all employees and agency staff as part of the relevant department training programme, and periodically following any changes to the procedure, or prior to any incident response training exercises. All contractors and third-parties providing IT and operations services, or outsourced incident monitoring and response, shall be provided with a copy of this procedure as part of the process for contracting services. Contractors and third-parties shall be re-issued with updated versions of this procedure periodically, and following any changes. Contractors and third-parties shall also be re-issued with the latest version of this procedure when engaging in incident response training exercises.

Members of the Incident Response Team (IRT) shall retain offline copies of this document for reference in the event that our information systems become unavailable during an incident.

Disciplinary Process

Where an incident responder identifies a potential incident and knowingly ignores an incident, or fails to respond to the incident in breach of this Incident Response Procedure, they shall be subject to the disciplinary process documented in the Company Manual, or the applicable service contract.

Improvement

This document is reviewed for improvement in several ways. They are:

Management also endeavours to plan incident response procedures so that our information and information systems are not misused or compromised during a security incident, either intentionally or unintentionally. This is done by identifying and assigning separate duties and responsibilities to guard against damaging insider activities. Where an incident responder identifies potential conflicts in the carrying out of incident response activities, incident responders should raise their concern immediately with their line manager, or the ISMS Manager.

1. Procedure

The Incident Response Procedure has been developed based on best practice principles for responding to information security incidents. Briefly, the primary stages of incident response are:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons learned

The diagram below illustrates our Incident Response Procedure:

1.1 Reporting

Incident responders may become aware of potential incidents from various sources, including customers and third-parties. Our employees, contractors, and third-parties are prepared to report incidents as follows:

1.2 First Response

Once an incident responder has been made aware of a potential incident, they shall prepare for possible escalation of the incident by:

1.3 Mobilising the Incident Response Team

Once the Incident Response Lead has been alerted to a potential information security incident, they shall:

1.3.1 Meeting security considerations

To minimise the risk of unofficial communication of the incident, the venue should not be in a public area. The venue should also not be located in an area with limited access to communications.

Alternatively, the meeting may be held via conference call or other web-based conferencing services. Where there is a need to use conferencing services outside of the provided business services, the Incident Response Lead shall ensure that meeting invites to the conference or video call require authentication to join, and that the service is secure in line with our Information Systems Security Policy.

1.3.2 Determining incident criticality

Determining a criticality level for the security incident assists the IRT in deciding who to notify, and what resources are necessary to resolve the incident. For example, where the criticality is low, notifying all members of the management team may not be required.

In situations where more than one incident may be occurring, prioritising the incidents will allow them to be handled in the correct order.

Our organisation uses the below criteria to help determine the criticality of the security incident. They should be used as guidance only, and should not be considered exhaustive:

Criticality  Description 
Low
  • Less than 5 user laptops or computers infected with malware
  • Data breach of some information classified as “Internal”
  • Data breach of 1 person’s personal data
  • Unauthorised access of a user to a non-critical information system
  • Successful phishing attack on 1 user
  • Unavailability of a non-critical information system which doesn’t impact customers
Medium
  • 1 or more departments with laptops or computers infected with malware
  • Data breach of some information classified as “Confidential”
  • Data breach of personal data impacting up to 10 people
  • Unauthorised access of a user to a critical information system
  • Successful phishing attack on up to 5 users
  • Unavailability of several non-critical information systems causing disruption to business operations
High
  • Most departments and endpoints impacted by malware
  • Data breach impacting Customer Data
  • Data breach of “Highly Confidential” data
  • Data breach impacting the personal data of more than 10 people
  • Unauthorised access of a malicious attacker to critical information systems
  • Successful phishing attack which has resulted in financial loss
  • Unavailability of critical information systems impacting customers

1.4 Assessment

Once the IRT is formally assembled, they shall perform the following activities:

1.5 Containment, Eradication, & Recovery

Once the security incident has been assessed, and all necessary resources mobilised to resolve the incident, the IRT shall:

1.5.1 Handling potential evidence

Where forensic investigation of the incident is required, our organisation shall appoint a qualified third-party to carry out the investigation. However, incident responders may still need to handle and secure potential evidence. Incident responders shall:

1.6 Communication

Communication is a key element of effective incident response. Without it, incident responders may not know how or when to act, key decision-makers may not have all the necessary information required to make effective decisions, third-parties and customers may not know when to expect services to be re-established, communications officers may not know what to communicate to the public, and authorities may not be properly notified in line with legal requirements.

The IRT shall be responsible for maintaining effective communications throughout the incident by:

1.7 Incident Conclusion

While some aspects of recovery may still be ongoing, it may no longer be necessary to have the IRT mobilised. At this point, the Incident Response Lead shall:

1.8 Lessons Learned

While the handling and resolution of a security incident can be a stressful event, it is crucial that the IRT and other relevant incident responders take time to carry out post-incident analysis. Analysing the incident will allow the IRT to identify possible improvements, both in the handling of the incident, and in current security controls. The IRT shall:

2. Roles & Responsibilities

The roles and responsibilities required for carrying out our Incident Response Procedure are defined below. There may be situations where roles may be combined, or they may be carried out by the same person. The below roles and their descriptions should not be considered exhaustive:

Role  Descriptions and Responsibilities 
Incident Response Lead The Incident Response Lead is the first point-of-contact for the IRT. The Incident Response Lead should be a person with suitable authority, organisational and technical skills, and have a strong understanding of information security controls and requirements. The Incident Response Lead is responsible for:

  • Mobilising the IRT
  • Opening the Incident Report
  • Notifying management of the incident, and providing them with regular updates
  • Ensuring decisions are made and recorded
  • Managing the IRT to conclusion
  • Ensuring any lessons learned are recorded to the Incident Report, and that the incident is formally closed
Incident Response Coordinator The Incident Response Coordinator assists the Incident Response Lead in coordinating communications and recording information during the incident. The Incident Response Coordinator should be a person with good communication and organisational skills. The Incident Response Coordinator is responsible for:

  • Minuting IRT meetings
  • Recording required information in the Incident Report as directed by the Incident Response Lead
  • Maintaining records of any supporting documentation and their locations
  • Contacting and briefing relevant resources such as external stakeholders, authorities, suppliers, and staff, as directed by the Incident Response Lead
  • Monitoring contact from the media or other external third-parties and ensuring they are redirected to staff responsible for public communications
First Responder The member of staff to first be alerted to the potential security incident. This may be any incident responder, but will typically be a member of IT. The first responder is responsible for:

  • Escalating the incident to the Incident Response Lead
  • Gathering information from the incident reporter
  • Attending the site of the incident, where possible and necessary
  • Ensuring that potential evidence is handled in line with section 1.5.1 of this procedure
  • Performing initial containment steps, if possible
Technology Lead The Technology Lead provides technical guidance and information about the potentially impacted information systems, and the current continuity plans for these. The Technology Lead should be a person with suitable authority and expertise in the operations team, and should also be able to facilitate emergency access to systems and technology resources, should this become necessary during the incident. The Technology Lead would typically be the Operations Director or COO.
Information Security Lead The Information Security Lead provides guidance and information regarding our businesses requirements for information security, and assists with identifying potential risks, and remediation activities. The Information Security Lead would typically be the ISMS Manager, but may also be a Security Officer or CISO.
Data Protection Lead The Data Protection Lead provides guidance and information regarding our regulatory requirements for reporting potential personal data breaches. The Data Protection Lead would typically be the DPM, but may also be a legal advisor with expertise in data privacy law.
HR Lead The HR Lead provides guidance and information regarding safety and disciplinary matters. The HR Lead should be a person with suitable authority in the HR department, and should have expert knowledge of staff health, safety, and contractual requirements.
Facilities Lead The Facilities Lead manages the physical security of our offices, and may be required to provide secure areas for operation of the IRT and storage of evidence. The Facilities Lead may also need to advise on physical security and access requirements should the incident involve physical compromise of our offices. The Facilities Lead should be a person with the appropriate levels of authority in their area so that emergency access is facilitated, where required.
Legal Lead The Legal Lead provides guidance and information on legal and regulatory matters to ensure we remain compliant. The Legal Lead may also provide key advise, such as whether legal action may need to be taken. The Legal Lead should be a person who is qualified in their area.