Incident Management =================== Purpose ------- This document sets the policy by which Authentic Digital Limited “the company” will respond to a breach or unauthorised disclosure of information and the process to follow when a breach occurs. This policy applies to all the company’s employees, suppliers and contractors. Policy ------ The company directors have approved the Incident Management Policy. This policy will be reviewed every year and updated, as applicable, to ensure that it remains appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations. An information security breach can happen for a number of reasons, including: - Loss or theft of information stored either as a hard copy or on equipment such as desktop PCs, laptops, mobile devices - Inadequate access controls in place which allow unauthorised users to access both manual records and electronic systems - Equipment failure - Human error - Unforeseen circumstances such as a fire or flood - Hacking of the IT system by an external third party - Information obtained dishonestly - Corporate fraud A company director will be notified immediately when an information security breach has occurred. The company’s policy of a four point plan of (i) containment & recovery (ii) assessment of on-going risk (iii) notification of breach (iv) evaluation & response will be enacted in the case of any information security breach. Containment and Recovery ^^^^^^^^^^^^^^^^^^^^^^^^ Information security breaches will require an initial response to investigate and contain the situation, but also a recovery plan. As soon as is practicably possible an investigation into the incident will be undertaken to: i. Determine the type of breach. Where it is suspected that a serious intentional breach has been caused by an employee or supplier, their access to company information permissions need to be revoked as soon as practicable. In the event of criminal activity, the police should be notified. ii. What is the classification of the type of information that has been breached/lost? With reference to the company’s risk management policy. iii. Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. iv. Establish whether there is anything we can do to recover any losses and limit the damage the breach may cause. v. Put in place measures to avoid the breach recurring. Assessment of on-going risk ^^^^^^^^^^^^^^^^^^^^^^^^^^^ As the company holds personal information it is important to establish early on the risks and consequences of this information being lost or disclosed. The following points should be taken into consideration: i. What type of Information is involved? Does the information relate to our clients or staff or is it non-personal? ii. What security, if any, was in place? If information has been lost or stolen, were there any measures in place to protect the information such as encryption or password protection? iii. What has happened to the information? If information has been lost or stolen it poses a different risk to information that has been corrupted or damaged. iv. Can the information be restored or re-created? Assess if the situation can be eased by a recovery or partial recovery of lost or corrupted information. v. Which clients are affected by the breach? Whilst any breach is serious, if it affects a large number of clients then the impact on the organisation will be greater. Notification of Breach ^^^^^^^^^^^^^^^^^^^^^^ Notification to individuals of an information security breach should have a clear purpose. Whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints. What needs to be included in a data breach notification: The GDPR [1]_ introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. We must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. We will ensure we have robust breach detection, investigation and internal reporting procedures in place. This facilitates decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals. We will keep a record of any personal data breaches, regardless of whether we are required to notify. i. A description of how and when the breach occurred and what data was involved. ii. Details of what steps have already been taken to respond to the risks posed by the breach. iii. Specific and clear advice on the steps those affected can take to protect themselves and also what you are willing to do to help them. iv. Provide a contact point for further information or to ask you questions about what has occurred. Evaluation and Response ^^^^^^^^^^^^^^^^^^^^^^^ The following impact and urgency criteria are used to determine the priority given to an incident: i. Impact Definitions - High - A core service has failed, or is degraded, that will affect clients or users, or significant damage to the company may result from the incident, e.g. loss of revenue, reputation or security. Medium - A non-core service has failed, or is degraded, affecting a few users that may affect clients or users, or significant damage to the company may result from the incident, e.g. loss of revenue, reputation or security. ii. Urgency Definitions – High, critical deadlines are at risk; Medium - there is no immediate deadline. iii. It is important not only to investigate the causes of the breach but also to evaluate the effectiveness of our response to it. A breach may also require a review of policies and management responsibility. Responsibilities ---------------- 1. The designated owner of this policy, Joe Jeffries, has direct responsibility for maintaining and reviewing this policy and providing guidance on its implementation. 2. All managers are directly responsible for implementing this policy within their business areas. 3. It is the responsibility of each employee to adhere to this policy and any applicable laws. Where appropriate compliance will be monitored, failure to comply will be dealt with under the appropriate disciplinary procedure. 4. All third parties who are given access to the organisation’s information systems, whether suppliers, customers or otherwise, must agree to comply with and follow this policy. Review Dates ^^^^^^^^^^^^ 2020-09 move to public docs Footnotes ^^^^^^^^^ .. [1] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/