Overview
InContext Solutions is dedicated to effectively managing information security incidents to minimize their impact on the confidentiality, integrity, and availability of our systems, applications, and data. Our approach aims to limit any negative consequences for both the organization and its customers while enabling us to restore operations promptly following an incident.
Timely communication of serious information security incidents is crucial, especially if they could disrupt critical business processes. Engaging appropriate internal and customer stakeholders immediately ensures informed decision-making and clear communication.
While it may not be possible to prevent all information security incidents, establishing proper procedures for detection, reporting, and response, alongside ongoing education and awareness, can significantly reduce the frequency and severity of incidents and their associated consequences.
Goals
- Mitigate Impact: Reduce the impact of information technology (IT) security incidents on operations.
- Identify Sources: Identify the sources and causes of incidents to help prevent future occurrences.
- Preserve Information: Protect, preserve, and make usable all information related to incidents for necessary forensic analysis and notification.
- Awareness of Responsibilities: Ensure that all involved parties understand their responsibilities in handling IT security incidents.
- Protect Reputation: Safeguard the reputation of InContext Solutions by managing incidents effectively.
Definitions
- Information Security Incident: A suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, modification, or destruction of information, interference with IT operations, or significant violations of responsible use policies.
- Serious Incident: An incident that may pose a substantial threat to InContext Solutions' resources, personnel, customers, or services. This includes cases that involve:
  - Potential unauthorized access to sensitive customer information.
  - Legal implications, such as criminal activity or potential litigation.
  - Significant disruption to services or widespread issues that could attract public interest or damage reputation.
Scope
This policy applies to all employees of InContext Solutions, as well as third-party vendors who collect, process, share, or maintain sensitive data, whether managed internally or externally. It also covers personally owned devices used by InContext employees that access or store sensitive institutional data.
Policy
- Incident Reporting
  - All employees must report information security incidents to the Security Incident Response Team (SIRT).
  - Any event fulfilling the definition of a serious incident must be escalated to the SIRT.
- Timely Reporting
  - Incident reporting should occur within the timeframes specified by clients' contractual obligations.
- Criminal Incidents
  - Any incidents that are suspected to involve criminal activity must be reported to the SIRT simultaneously with this policy's reporting procedures.
- Centralized Reporting
  - All security incident reports must follow the established phases outlined in this policy, ensuring proper documentation and an organized response.
- Privacy and Confidentiality
  - Information related to incidents is classified as sensitive. All staff involved in incident handling must maintain the confidentiality of sensitive information. Data retained for investigation purposes will exclude unnecessary sensitive information.
Incident Response Phases
- Identification Phase
  - Employees must report suspected and known incidents or signs of potential security breaches through various channels (e.g., direct report to management, email, phone, secure chat, or anonymous reporting).
  - The individual receiving the report will document the details using an Incident Identification Form and notify the Security Officer.
- Containment Phase
  - The IT department will take immediate actions to contain the security incident. This includes reviewing collected information, securing the network perimeter, and taking steps to protect evidence for forensic analysis.
  - Actions may involve securely connecting to the affected system, retrieving volatile data, backing up the system if appropriate, and documenting all actions taken.
- Eradication Phase
  - The SIRT will work to identify the cause of the incident and take corrective measures. This may include strengthening security defenses, remediating vulnerabilities, and performing detailed assessments to ensure all weaknesses are addressed.
  - Documentation of remediation efforts is essential to track the steps taken and lessons learned.
- Recovery Phase
  - Efforts will be made to restore affected systems to their intended operational state. This includes validating proper functionality and potentially involving the business unit for confirmations.
  - Once the system is operational, documentation of the recovery process will be updated accordingly.
- Follow-Up Phase
  - A review meeting will be held to discuss the incident, evaluate the response and effectiveness, and identify improved practices. A "lessons learned" document will be created and attached to the completed Security Incident Report (SIR) Form.
  - Recommendations for improvements will be communicated to senior management and implemented with appropriate resource allocation.
Periodic Evaluation
- The Security Incident Response procedures will be reviewed periodically to assess effectiveness and incorporate improvements.
- Training will be provided to personnel expected to respond to incidents, emphasizing InContext Solutions' expectations for security responsibility.
Security Incident Response Team (SIRT)
The Security Incident Response Team consists of individuals designated to manage security incidents, including:
- Chief Technical Officer
- Head of People/Talent Management
- Senior Management
- VP of Engineering / Engineering Lead(s)
- Network Administrator/System Administrator
Policy Compliance
- Compliance Measurement
  - The InfoSec Team will verify compliance with this policy through various methods, including audits, incident feedback, and performance evaluations.
- Exceptions
  - Any exceptions to this policy must be approved in advance by the InfoSec Team.
- Non-Compliance
  - Employees found to have violated this policy may face disciplinary action, up to and including termination of employment.
Regulatory Notification Requirements
For incidents involving personal data, GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach. When a breach is likely to result in a high risk to individuals, direct notification to affected data subjects is also required under Article 34. Refer to the Data Protection Policy for detailed regulatory notification procedures and timelines.
Related Standards, Policies, and Processes
- Refer to the InContext Solutions Data Classification and Access Control Policy.
- Refer to the Data Protection Policy for GDPR breach notification obligations.
Revision History
| Date of Change | Responsible | Summary of Change |
|---|---|---|
| March 2026 | ICS InfoSec Team | Published to Trust Center |