Security Incident and Problem Management

Table of Contents

1 Incident definition
2 Incident Management process definition
3 Incident organisation
- 3.1 Incident Response Team (IRT)
- 3.2 Incident Handling Team (IHT)
4 IRT - Roles and Responsibilities
- 4.1 Incident Response Manager (IRM)
- 4.2 Incident Handling Team Members (IHT)
5 Notification and Communication
- 5.1 Interaction with Law Enforcement
- 5.2 Customers
- 5.3 Public Media Handling
6 Security Incident Response Team
- 6.1 Roles and Responsibilities
- 6.2 Escalation Procedure

Incident definition

Definition: An incident is an unplanned, disruptive event or failure that affects the software’s performance, functionality, security, availability, or abnormal activity. Incidents often require immediate attention to mitigate their impact.
Nature: Always unplanned and may involve a significant disruption or risk.
Example:
- A critical bug in production that causes an application to crash or stop functioning.
- A security breach in the software, such as a vulnerability being exploited by external parties.
- Server downtime or a system outage that affects end-users.
Focus: The immediate focus of an incident is on fixing the problem (incident resolution), investigating the root cause, and implementing measures to prevent future occurrences (incident management).
Team: The Incident Response Team (IRT)

Incident Management process definition

The Process responsible for managing the life cycle of all Incidents. The primary Objective of Incident Management is to return the IT Service to Users as quickly as possible.

Incident organisation

To see the employees who hold the various roles https://cxschool.atlassian.net/wiki/spaces/GD/pages/57114637

Entity	External System Incidents	Internal System Incidents

Entity	External System Incidents	Internal System Incidents
Incident Response Team (IRT)	IRM	SO
	IT OPM
	SAM
Incident Handling Team (IHT)	Other resources needed to handle the Incident	Other resources needed to handle the Incident

IRT - Roles and Responsibilities

Roles

Responsibilites

Incident Response Manager (IRM)

The Incident Response Manager oversees and prioritizes actions during the detection, analysis, and containment of an incident. They are also responsible for conveying the special requirements of high severity incidents to the rest of the organization as well as communicating potential impact to the upper Management. Additionally, they are responsible for understanding the service level agreement (SLAs) in place with third parties, and the role third parties may play in specific response scenarios.

Further responsibilities:

Act as a liaison for all communications to and from the upper management.
Ensure personnel tasked with incident response responsibilities are trained and knowledgeable on how to respond to incidents.
Update Plan and procedures as needed based on results from testing, incident response lessons learned, industry developments and best practices.
Review the Plan and procedures at least annually.
Initiate tests of the Plan and procedures at least annually.
Ensure team activities comply with legal and industry requirements for incident response procedures.
Be aware of contact mechanisms, and when to include providers.

Incident Handling Team Members (IHT)

The Incident Response Manager (IRT) is supported by a team of technical staff that work directly with the affected information systems to research the time, location, and details of an incident. Team members are typically comprised of subject matter experts (SMEs), senior level IT staff, third parties, outsourced security or forensic partners.

Further responsibilities:

Assist in incident response as requested. IRT responsibilities should take priority over normal duties.
Understand incident response plan and procedures to appropriately respond to an incident.
Continue to develop skills for incident response management.
Ensure tools are properly configured and managed to alert on security incidents/events.
Analyze network traffic for signs of denial of service, distributed denial of service, or other external attacks.
Review log files of critical systems for unusual activity.
Monitor business applications and services for signs of attack.
Collect pertinent information regarding incidents at the request of the Incident Response Manager.
Consult with qualified information security staff for advice when needed.
Ensure evidence gathering, chain of custody and preservation is appropriate.
Participate in tests of the incident response plan and procedures.
Be knowledgeable of service level agreements with service providers in relation to incident response.

Notification and Communication

Required notification and communication both internally and with third parties (customers, vendors, law enforcement, etc.) based on legal, regulatory, and contractual requirements must take place in a timely manner.

All employees who become aware of or suspect an incident must start filling in the incident form, and notify the IRT team

The IRT is responsible for appropriate notification to:
- Personnel,
- Affected customers and/or partners (within 48 hours, based on Service Level Agreements, based on legal or regularity compliance, whichever is shorter),
- Government bodies or officials as required by applicable statutes and/or regulations.

Interaction with Law Enforcement

Interaction between law enforcement and emergency services personnel should be coordinated by the Incident Response Manager. The Incident Response Manager will manage ongoing communication with authorities. It must be noted however that Law Enforcement’s priorities are eventual prosecution of offenders and not necessarily returning the Company to a functional state. Ensure Legal is consulted and provides direction before and while communicating with Law Enforcement.

Customers

All customers who are affected by the incident must be notified according to applicable contract language, service level agreements (SLAs), applicable statutes and/or regulations.

Communications with customers must be consistent, with the same or similar message delivered to each. The message sent to customers will be created by members of the Communications Team.

Customer service and/or customer account managers will communicate with customers according to the message developed by the Communications Team.

Public Media Handling

All Information concerning an incident is to be considered confidential, and at no time should any information be discussed with anyone outside of Conexus and the dedicated personnel of Data Controller without approval of executive management and our legal counsel.

Public or media statements must be carefully managed to ensure that any investigation/legal proceedings are not jeopardized, and reputational damage is minimized. Decisions concerning the disclosure and method of disclosure of Conexus incident information will only be made by a designated spokesperson assigned by the SIHT, likely someone from the Communications Team or a representative coached by the Communications Team.

Inquiries from media agencies must be directed to the designated SIHT representative. Employees found to be discussing incidents without approval from executive management/legal counsel will be subject to disciplinary action, up to and including termination.

Security Incident Response Team

The SIRT is comprised of IT management and experienced personnel. The role of the SIRT is to promptly handle an incident so that containment, investigation, and recovery can occur quickly. Where third-party services are leveraged, ensure they are engaged as necessary.

Roles and Responsibilities

Roles	Responsibilities
Incident Response Manager (IRM)	The Incident Response Manager oversees and prioritizes actions during the detection, analysis, and containment of an incident. They are also responsible for conveying the special requirements of high severity incidents to the rest of the organization as well as communicating potential impact to the upper Management. Additionally, they are responsible for understanding the service level agreement (SLAs) in place with third parties, and the role third parties may play in specific response scenarios. Further responsibilities: Act as a liaison for all communications to and from the upper management. Ensure personnel tasked with incident response responsibilities are trained and knowledgeable on how to respond to incidents. Update Plan and procedures as needed based on results from testing, incident response lessons learned, industry developments and best practices. Review the Plan and procedures at least annually. Initiate tests of the Plan and procedures at least annually. Ensure team activities comply with legal and industry requirements for incident response procedures. Be aware of contact mechanisms, and when to include providers.
Incident Response Team Members	The Incident Response Manager is supported by a team of technical staff that work directly with the affected information systems to research the time, location, and details of an incident. Team members are typically comprised of subject matter experts (SMEs), senior level IT staff, third parties, outsourced security or forensic partners. Further responsibilities: Assist in incident response as requested. SIRT responsibilities should take priority over normal duties. Understand incident response plan and procedures to appropriately respond to an incident. Continue to develop skills for incident response management. Ensure tools are properly configured and managed to alert on security incidents/events. Analyze network traffic for signs of denial of service, distributed denial of service, or other external attacks. Review log files of critical systems for unusual activity. Monitor business applications and services for signs of attack. Collect pertinent information regarding incidents at the request of the Incident Response Manager. Consult with qualified information security staff for advice when needed. Ensure evidence gathering, chain of custody and preservation is appropriate. Participate in tests of the incident response plan and procedures. Be knowledgeable of service level agreements with service providers in relation to incident response.
Security Incident Handling Team (SIHT)	Consists of legal experts, risk managers, and other department managers that may be consulted or notified during incident response. Advise on incident response activities relevant to their area of expertise. Maintain a general understanding of the Plan and policies of the organization. Ensure incident response activities are in accordance with legal, contractual, and regulatory requirements. Participate in tests of the incident response plan and procedures. Responsible for internal and external communications pertaining to security incidents.

Escalation Procedure

The escalation procedure shall follow the BIL classification.

In the case of a suspected security incident the Product team shall be alerted as soon as possible and no later than 20 minutes after the incident is discovered. The product team shall verify and classify the incident with as much information as possible. If the incident is verified as a security incident and receives a classification of BIL1 or 2, it shall escalate to SIRT within 60 minutes from discovery. This initiates a full SIRT with regular reporting and engagement to SIHT every second hour. In the case of a BIL3 classification the product team shall handle the resolution internally with regular situation report to SIHT every second hour. SIHT reports to the board of directors (BOD) in accordance with its governance.