Policy Template for Incident Management
1.0 Purpose
The purpose of this policy is to provide guidelines to manage security incidents that threaten the confidentiality, integrity or availability of information assets.
2.0 Scope
The policy applies to all employees, consultants and contractors of {{organization.name}}. This policy is also applicable to all types of incidents (including but not limited to those defined in this policy) related to information assets such as IT systems/services and related support systems of {{organization.name}}.
3.0 Definitions
Information security event: Any occurrence related to information assets or the environment indicating a possible compromise of policies or failure of controls, or an unmapped situation that can impact security.
Information security incident: Any event that threatens the confidentiality, integrity, or availability of organization systems, applications, data, or networks. Examples of organization systems include, but are not limited to:
Server Instances
End-User Devices (desktops/laptops)
Mobile devices
Network equipment
Examples of security incidents include, but aren't limited to:
Natural Disaster
Social Unrest
Radiation Disturbance
Physical Damage
Infrastructure Failure
Harmful Content
Executive Succession Required
Management Succession Required
Staff Succession
Technical Failure
Malware
Technical Attack
Breach of Rule
Compromise of Functions
Compromise of Information
4.0 Policy
There shall be a designated individual responsible for the establishment of information security incident management within the organization, i.e. overseeing incident management activities including documentation, response, escalation, resolution and analysis of incidents.
{{organization.name}} should communicate, where applicable, with its employees, customers and other stakeholders when an incident that impacts them occurs, and provide updates during the incident and after its resolution.
As needed, security incidents shall be reported outside of {{organization.name}} by a designated person nominated by senior management. Users shall not report to or discuss incidents with other users or external persons, as this may affect the company’s reputation or hinder the investigation.
Intrusion attempts, security breaches, theft or loss of hardware, suspicion of an incident or other security-related incidents perpetrated against the organization must be reported to the incident management team (see Appendix 1 for details). All known vulnerabilities, as well as all suspected or known violations, must be communicated in a timely manner.
Post-incident analysis must take place, as necessary, to identify the source of the incident.
All critical servers should be monitored to ensure that users only perform authorized actions and processes. Where relevant, this monitoring shall rely on audit trails, which record exceptions and other relevant events. Audit trails shall be kept for a defined period to assist in investigations and ongoing access-control monitoring.
Accurate computer system clocks are essential to ensure the accuracy of audit logs, which may be needed for investigations or as evidence in legal or disciplinary cases.
Lessons learned from incidents shall be incorporated into {{organization.name}}’s risk assessment process for continual improvement.
4.1 Reporting an Incident
Any breach of information security policies must be reported as soon as possible.
Users should immediately report all incidents pertaining to information security with the below information at a minimum:
Incident and detection date/time.
Screenshots, information, or steps to reproduce the issue, and any other information helpful in validating the incident.
Contextual information helpful in understanding the events.
Who or what is affected: identify specifically the systems and customers involved.
4.2 Handling an Incident
The established Cyber Incident Response (CIR) Procedures determine the initial steps including who should be informed and whether an incident needs to be “escalated”.
Representatives investigating security breaches will be responsible for updating, amending and modifying the status of incidents. The root cause of the incident must be analyzed so that the necessary steps can be taken to prevent a recurrence.
Appendix 1
Contact details for incident reporting
| NORMAL | URGENT | CRITICAL |
|---|---|---|
| | | |