Policy Template for Incident Management


1.0 Purpose

The purpose of this policy is to provide guidelines to manage security incidents that threaten the confidentiality, integrity or availability of information assets.

2.0 Scope

This policy applies to all employees, consultants and contractors of {{organization.name}}. It also applies to all types of incidents (including, but not limited to, those defined in this policy) related to information assets such as the IT systems and services, and related support systems, of {{organization.name}}.

3.0 Definitions

Information security event: Any occurrence related to information assets or their environment that indicates a possible breach of policy, a failure of controls, or a previously unidentified situation that may affect security.

Information security incident: Any event that threatens the confidentiality, integrity, or availability of organization systems, applications, data, or networks. Examples of organization systems include, but are not limited to:

  • Servers

  • Desktop computers

  • Laptop computers

  • Workstations

  • Mobile devices

  • Network equipment

Examples of security incidents include, but aren't limited to:

  • Unauthorized access

  • Potential violation of {{organization.name}} approved policies 

  • Potential data and privacy breach

  • Intentionally targeted but unsuccessful unauthorized access

  • Accidental disclosure of confidential data

  • Infection by malware

  • Denial-of-Service (DoS) attack

  • Theft or loss of an organization system or asset

  • The theft or physical loss of computer equipment 

  • Loss or theft of tablets, smartphones or other mobile devices

  • A server known to have sensitive data is accessed or otherwise compromised by an unauthorized party

  • A firewall accessed by an unauthorized entity

  • A DDoS (Distributed Denial of Service) attack

  • The act of violating an explicit or implied security policy

  • A virus or worm uses open file shares to infect from one to hundreds of desktop computers

  • An attacker runs an exploit tool to gain access to a server's password file

  • Any event that affects the availability of our product or service

  • Any event that compromises the contractual commitments to our clients

  • Failure of information security controls with a likelihood of disrupting business operations

4.0 Policy

There shall be a designated individual responsible for establishing information security incident management within the organization, i.e., for overseeing incident management activities including the documentation, response, escalation, resolution and analysis of incidents.

Where applicable, {{organization.name}} should communicate with its employees, customers and other stakeholders when an incident that impacts them occurs, and should provide updates during the incident and after its resolution.

As needed, security incidents shall be reported outside of {{organization.name}} only by a designated person nominated by senior management. Users shall not report incidents to, or discuss them with, other users or external persons, as this may affect the company’s reputation or hinder the investigation.

Intrusion attempts, security breaches, theft or loss of hardware, suspicion of an incident, or other security-related incidents perpetrated against the organization must be reported to the incident management team (see Appendix 1 for details). All known vulnerabilities, as well as all suspected or known violations, must be communicated in a timely manner.

Post-incident analysis must take place, as necessary, to identify the source of the incident.

All critical servers should be monitored to ensure that users only perform authorized actions and processes. Where relevant, this monitoring shall include audit trails that record exceptions and other security-relevant events. Audit trails shall be retained for a defined period to assist in investigations and in ongoing access-control monitoring.

Accurate computer system clocks are essential to ensure the accuracy of audit logs, which may be needed for investigations or as evidence in legal or disciplinary cases.

Lessons learned from incidents shall be incorporated into the {{organization.name}} risk assessment process for continual improvement.

4.1 Reporting an Incident

Any breach of information security policies must be reported as soon as possible.

Users should immediately report all incidents pertaining to information security, providing at least the following information:

  • Incident Date/Time

  • Type of Incident

  • Description / incident details

  • Incident Location

  • Contact Details

4.2 Handling an Incident

The designated individual for handling security incidents will decide whether an incident is to be handed over to and dealt with by departmental representatives, where appropriate, or whether it needs to be escalated to senior management.

Representatives investigating security breaches will be responsible for updating, amending and modifying the status of incidents. The root cause of each incident must be analyzed so that the necessary steps can be taken to prevent a recurrence.


Appendix 1

Contact details for incident reporting

Incident Category          | Contact Person | Email Address | Phone Number
---------------------------|----------------|---------------|-------------
Physical and Environmental |                |               |
IT and Security            |                |               |
Data Breach and Privacy    |                |               |
General Emergency          |                |               | Call 911