Cyber security incident response policy


1. Introduction

Cyber security incidents are a significant risk to D’Light Online Inc. (the "company"). 

Cyber breaches are becoming more common and more expensive to fix.

This policy describes how to recognize a breach, who to report it to and what happens next. Responding as fast as possible is key.

Please read this document and keep it to hand for when it is needed.

2. Who should you contact if you think there's been a cyber security incident?

The person primarily responsible for coordinating the company's response to a cyber security incident is Joaquin Honeywell, CEO (the "incident coordinator").

3. What might indicate that there has been a breach?

The following may indicate that a cyber security breach has occurred: 

(a) you have made a mistake, clicked on a link you shouldn’t have, or your device's anti-virus software or browser is reporting that malware has been detected;

(b) an inability to access data or devices, or unusual behavior, possibly accompanied by a ransom message;

(c) spikes in network traffic, database requests, or the size of HTML responses (which may be observed by the IT team);

(d) employees that you know are not present have accessed or edited files; and

(e) any unusual activity that does not comport with regular operations or procedure.

4. What do I do if I make a mistake?

If you have made a mistake that may have caused a cyber security breach then the most important thing is time: 

(a) do not attempt to solve the problem by yourself;

(b) you must report the problem to the incident coordinator immediately OR within 20 minutes of it occurring;

(c) you will need to be able to tell them which device is involved, how it is connected to the company's IT systems, and what company data it contains;

(d) if you made a mistake using your own computer or phone while it is connected to the company's systems or contains the company's data, you must still contact the incident coordinator for support; and

(e) making a mistake is not system misuse, but failing to report one is.

5. I'm the incident coordinator: who do I notify, and what are their roles?

If you notice a cyber security breach indicator, or have made a mistake, contact the incident coordinator. The following people should be notified by the incident coordinator if the breach is confirmed: 

(a) the technical incident response team of the hosting company for the website; and

(b) the contracted cyber security company, to notify them of the breach and launch an investigation.

If the cyber security breach includes personal data then the Information Commissioner's Office may need to be informed, typically within 72 hours. Data subjects may also need to be informed.

6. What are the responsibilities of the members of the incident response team?

Technical incident response personnel should establish:

(a) what has happened;

(b) which parts of which systems are affected;

(c) which machines should be disconnected;

(d) what needs to be done to remove any malware; and

(e) what feedback the company needs to improve its security in future.

The incident coordinator should establish whether personal data has been compromised and, if so, how much, and should notify as required.

The incident coordinator should communicate with insurers to obtain support and ensure that technical teams know what evidence they must collect to document the incident for the claim. The insurer may wish for the police to be informed.

Communications should begin preparing communications to employees, customers and the press about the ongoing incident – a "well handled" breach, in the eyes of customers, will be a well-communicated breach. Communications have to be available as soon as senior management require them and employees need to know not to tweet.

Senior management should collect enough information to make strategic decisions during the incident.

Operations managers for processes impacted by the loss of IT systems should: 

(a) provide information to the technical team about critical systems, so that choices can be made to reduce risk based on the need for availability; and

(b) provide information to senior management to allow them to make strategic decisions.