Security Breach Incident Response procedure
In the event of any kind of unauthorised access to, or exposure of, an element of the services, as a result of which the confidentiality, integrity or availability of the data processed by Tradecloud or its Customers with the services is or may be breached (a Security Breach), Tradecloud will act according to this Incident Response Procedure.
This incident response procedure establishes the recommended organization, actions, and procedures needed to
- Recognize and respond to an incident;
- Assess the situation quickly and effectively;
- Notify the appropriate individuals and organizations about the incident;
- Organize the company’s response activities, including activating a command center;
- Escalate the company’s response efforts based on the severity of the incident; and
- Support the business recovery efforts being made in the aftermath of the incident.
Tradecloud has established an incident response team consisting of the following roles:
- Chief Technical Officer
- System Engineer
- Tech Lead
- Chief Executive Officer
- Chief Financial Officer
- The person within the Company who discovers the incident will immediately contact the response team, starting with the first person listed and, if that person is not immediately available, moving on to the next person on the list, by messaging, telephone, email or any other means.
- If the Security Breach is discovered by someone outside the Company, the contact details are:
The person contacted within the response team will log:
- The name of the caller.
- The time of the call.
- Contact information for the caller.
- The nature of the incident.
- The equipment or persons involved.
- The location of the equipment or persons involved.
- How the incident was detected.
- When the event that first indicated the incident was noticed.
The response team will assess:
- Whether the breach is business critical.
- The severity of the potential impact.
- The name of the system being targeted, along with its operating system, IP address and location.
- The IP address and any other information about the origin of the attack.
The contacted members of the response team will meet, or discuss the situation over the telephone, and determine a response strategy by answering the following questions:
- Is the incident real or perceived?
- Is the incident still in progress?
- What data or property is threatened and how critical is it?
- What is the impact on the business should the attack succeed? Minimal, serious, or critical?
- What system or systems are targeted, where are they located physically and on the network?
- Is the incident inside the trusted network?
- Is the response urgent?
- Can the incident be quickly contained?
- Will the response alert the attacker and do we care?
- What type of incident is this? Example: virus, worm, intrusion, abuse, damage.
An incident ticket will be created, and the incident will be assigned to the highest applicable of the following categories:
- Category one: a threat to public safety or life.
- Category two: a threat to sensitive data.
- Category three: a threat to computer systems.
- Category four: a disruption of services.
In the event of a Security Breach, Tradecloud shall inform its Customers and the relevant authorities without delay, and in any case within twenty-four (24) hours of becoming aware of the Security Breach. This notification includes in any event:
- recommended measures for limiting the negative consequences of the Security Breach;
- the identified and suspected consequences of the Security Breach for the processing of the Personal Data; and
- the measures taken or proposed for remedying those consequences.
Regarding each Security Breach, Tradecloud shall lend all cooperation to its Customer, including the provision of sufficient information and support in respect of investigations by any regulators:
- to remedy and investigate the breach and prevent future breaches;
- to limit the impact of the breach on the privacy of the data subject or subjects; and/or
- to limit the Customers’ damage as a result of the breach.
- Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim, to determine how the incident was caused. Only authorized personnel may perform interviews or examine evidence; who is authorized may vary with the situation and the organization.
- If team members are not able to stop the breach themselves, the use of third-party experts is permitted.
- Team members will recommend changes to prevent the occurrence from happening again or infecting other systems.
- Upon management approval, the changes will be implemented.
- Team members will restore the affected system(s) to a known-good state. They may do one or more of the following:
- Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence (for example forensic images of the affected disks and copies of the logs) before doing this.
- Require users to change their passwords if credentials may have been captured, and rotate any service credentials or keys that were reachable from the affected system(s).
- Be sure the system has been hardened by turning off or uninstalling unused services.
- Be sure the system is fully patched.
- Be sure real-time virus protection and intrusion detection are running.
- Be sure the system is logging the correct events at the proper level.
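The "looking for gaps in logs" step above is easy to state and easy to do badly by eye. The following script is an added example written for this page, not part of Tradecloud's procedure or tooling: it parses a syslog-style file and reports three things a reviewer looks for when checking whether an attacker has tampered with logs, namely stretches with no logging at all, missing runs of a periodic source (a cron heartbeat here), and lines whose timestamps run backwards. The log format, the five-minute heartbeat, the hostnames, users and PIDs are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Timestamp format assumed for this example (ISO-8601 without zone, one entry per line).
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample log. A cron heartbeat is expected every 5 minutes; the
# heartbeats between 01:05 and 01:40 are absent, and the last sshd line carries a
# timestamp earlier than the line before it. Hostnames, users and PIDs are invented.
SAMPLE_LOG = """\
2024-03-01T01:00:00 host1 CRON[201]: heartbeat ok
2024-03-01T01:05:00 host1 CRON[202]: heartbeat ok
2024-03-01T01:07:13 host1 sshd[310]: Accepted publickey for deploy from 10.0.0.5
2024-03-01T01:40:00 host1 CRON[209]: heartbeat ok
2024-03-01T01:45:00 host1 CRON[210]: heartbeat ok
2024-03-01T01:44:00 host1 sshd[311]: session closed for user deploy
2024-03-01T01:50:00 host1 CRON[211]: heartbeat ok
"""


def parse_log(text):
    """Parse '<timestamp> <host> <tag>[pid]: <message>' lines into (datetime, line)
    tuples, in file order. Lines without a parsable leading timestamp are skipped."""
    entries = []
    for line in text.splitlines():
        stamp = line.split(" ", 1)[0]
        try:
            entries.append((datetime.strptime(stamp, TS_FORMAT), line))
        except ValueError:
            continue  # blank or malformed line
    return entries


def find_gaps(entries, max_gap):
    """Return (start, end, gap) for each pair of consecutive lines more than max_gap
    apart: a stretch with no logging at all on a host that normally logs steadily."""
    return [(prev_ts, ts, ts - prev_ts)
            for (prev_ts, _), (ts, _) in zip(entries, entries[1:])
            if ts - prev_ts > max_gap]


def missing_heartbeats(entries, tag, interval):
    """For a periodic source (the cron heartbeat here), count how many expected lines
    are absent between each pair of observed ones. A deleted range of log lines shows
    up here even when other sources kept logging around it."""
    beats = [ts for ts, line in entries if f" {tag}[" in line]
    result = []
    for prev_ts, ts in zip(beats, beats[1:]):
        absent = round((ts - prev_ts) / interval) - 1
        if absent > 0:
            result.append((prev_ts, ts, absent))
    return result


def find_out_of_order(entries):
    """Lines whose timestamp precedes the previous line's. The file is appended in
    arrival order, so this points at clock manipulation or lines spliced in later."""
    return [line for (prev_ts, _), (ts, line) in zip(entries, entries[1:]) if ts < prev_ts]


def _iso(ts):
    return ts.strftime(TS_FORMAT)


def analyse(text, max_gap_minutes=10, heartbeat_tag="CRON", heartbeat_minutes=5):
    """Run all three checks and return a plain-data summary (ISO strings, seconds, counts)
    suitable for attaching to the incident ticket."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "gaps": [(_iso(a), _iso(b), int(d.total_seconds()))
                 for a, b, d in find_gaps(entries, timedelta(minutes=max_gap_minutes))],
        "missing_heartbeats": [
            (_iso(a), _iso(b), n)
            for a, b, n in missing_heartbeats(entries, heartbeat_tag,
                                              timedelta(minutes=heartbeat_minutes))],
        "out_of_order": find_out_of_order(entries),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the script reports one silent stretch of 1967 seconds (01:07:13 to 01:40:00), six missing cron heartbeats in that same window, and one out-of-order line. Each of these is a lead, not proof: confirm a suspected gap against a second copy of the log (a central log collector or the intrusion detection system's own records) before concluding that lines were deleted, and work from copies so the original evidence stays intact.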
The following shall be documented:
- How the incident was discovered.
- The category of the incident.
- How the incident occurred (for example via email, through the firewall, etc.).
- Where the attack came from, such as IP addresses and other related information about the attacker.
- What the response plan was.
- What was done in response.
- Whether the response was effective.
- The team members will make copies of logs, email and other communication, and keep lists of witnesses. Evidence will be kept, with its chain of custody documented, for as long as necessary to complete prosecution and beyond, in case of an appeal.
- Notify the proper external agencies: notify the police and other appropriate agencies if prosecution of the intruder is possible. List the agencies and contact numbers here.
- Assess damage and cost: assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.
Review response and update policies:
- The team will plan and take preventative steps so the intrusion can’t happen again.
- Consider whether an additional policy could have prevented the intrusion.
- Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.
- Was the incident response appropriate? How could it be improved?
- Was every appropriate party informed in a timely manner?
- Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?
- Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
- Have changes been made to prevent a new and similar infection?
- Should any security policies be updated?
- What lessons have been learned from this experience?