Security Incident and Problem Management

Table of Contents

1 Incident Management process definition
- 1.1 Roles and Responsibilities
- 1.2 Incident process
2 Notification and Communication
- 2.1 Interaction with Law Enforcement
- 2.2 Customers
- 2.3 Public Media Handling
3 Security Incident Response Team
- 3.1 Roles and Responsibilities
- 3.2 Escalation Procedure

An unplanned interruption to an IT Service or a reduction in the Quality of an IT Service. Failure of a service component (Hardware / Software) that has not yet impacted Service is also an Incident.

Not to be confused with the "incident" used in our Customer Support tool. An incident causing an unplanned interruption to one of our services may cause many "incidents" to be reported by our users and customers, but the Incident Management process is normally not used to solve a single customer issues, but the failure or service degradation of at least one of our services affecting our service delivery.

Incident Management process definition

The Process responsible for managing the life cycle of all Incidents. The primary Objective of Incident Management is to return the IT Service to Users as quickly as possible.

Roles and Responsibilities

Role	Description	Responsibility

Role	Description	Responsibility
Customer	Anyone who reports an error in any of our products, can be from Support, Business or from the customer.	Report incident to IT Operation Manager in writing, and by phone if critical error.
IT Operation Manager/IRT	IT Operation / IRT	Diagnose and classify the scope of the incident, fix and close error if possible. Notify customer when done.
System architect / Lead Developer	System architect for the affected product/system. System architect might need to involve Lead Development if needed.
OSD	Orient Software Development working with the affected system.

Incident process

Notification and Communication

Required notification and communication both internally and with third parties (customers, vendors, law enforcement, etc.) based on legal, regulatory, and contractual requirements must take place in a timely manner.

The Incident Response Manager must report the incident to the senior leadership.

The senior leadership must report any potential breaches and/or incidents involving customer data to the Security Incident Handling Team (SIHT) promptly.

The SIHT is responsible for appropriate notification to:
- Personnel,
- Affected customers and/or partners (within 48 hours, based on Service Level Agreements, based on legal or regularity compliance, whichever is shorter),
- Government bodies or officials as required by applicable statutes and/or regulations.

Interaction with Law Enforcement

Interaction between law enforcement and emergency services personnel should be coordinated by the Incident Response Manager. The Incident Response Manager will manage ongoing communication with authorities. It must be noted however that Law Enforcement’s priorities are eventual prosecution of offenders and not necessarily returning the Company to a functional state. Ensure Legal is consulted and provides direction before and while communicating with Law Enforcement.

Customers

All customers who are affected by the incident must be notified according to applicable contract language, service level agreements (SLAs), applicable statutes and/or regulations.

Communications with customers must be consistent, with the same or similar message delivered to each. The message sent to customers will be created by members of the Communications Team.

Customer service and/or customer account managers will communicate with customers according to the message developed by the Communications Team.

Public Media Handling

All Information concerning an incident is to be considered confidential, and at no time should any information be discussed with anyone outside of Conexus and the dedicated personnel of Data Controller without approval of executive management and our legal counsel.

Public or media statements must be carefully managed to ensure that any investigation/legal proceedings are not jeopardized, and reputational damage is minimized. Decisions concerning the disclosure and method of disclosure of Conexus incident information will only be made by a designated spokesperson assigned by the SIHT, likely someone from the Communications Team or a representative coached by the Communications Team.

Inquiries from media agencies must be directed to the designated SIHT representative. Employees found to be discussing incidents without approval from executive management/legal counsel will be subject to disciplinary action, up to and including termination.

Security Incident Response Team

The SIRT is comprised of IT management and experienced personnel. The role of the SIRT is to promptly handle an incident so that containment, investigation, and recovery can occur quickly. Where third-party services are leveraged, ensure they are engaged as necessary.

Roles and Responsibilities

Roles	Responsibilities
Incident Response Manager (IRM)	The Incident Response Manager oversees and prioritizes actions during the detection, analysis, and containment of an incident. They are also responsible for conveying the special requirements of high severity incidents to the rest of the organization as well as communicating potential impact to the upper Management. Additionally, they are responsible for understanding the service level agreement (SLAs) in place with third parties, and the role third parties may play in specific response scenarios. Further responsibilities: Act as a liaison for all communications to and from the upper management. Ensure personnel tasked with incident response responsibilities are trained and knowledgeable on how to respond to incidents. Update Plan and procedures as needed based on results from testing, incident response lessons learned, industry developments and best practices. Review the Plan and procedures at least annually. Initiate tests of the Plan and procedures at least annually. Ensure team activities comply with legal and industry requirements for incident response procedures. Be aware of contact mechanisms, and when to include providers.
Incident Response Team Members	The Incident Response Manager is supported by a team of technical staff that work directly with the affected information systems to research the time, location, and details of an incident. Team members are typically comprised of subject matter experts (SMEs), senior level IT staff, third parties, outsourced security or forensic partners. Further responsibilities: Assist in incident response as requested. SIRT responsibilities should take priority over normal duties. Understand incident response plan and procedures to appropriately respond to an incident. Continue to develop skills for incident response management. Ensure tools are properly configured and managed to alert on security incidents/events. Analyze network traffic for signs of denial of service, distributed denial of service, or other external attacks. Review log files of critical systems for unusual activity. Monitor business applications and services for signs of attack. Collect pertinent information regarding incidents at the request of the Incident Response Manager. Consult with qualified information security staff for advice when needed. Ensure evidence gathering, chain of custody and preservation is appropriate. Participate in tests of the incident response plan and procedures. Be knowledgeable of service level agreements with service providers in relation to incident response.
Security Incident Handling Team (SIHT)	Consists of legal experts, risk managers, and other department managers that may be consulted or notified during incident response. Advise on incident response activities relevant to their area of expertise. Maintain a general understanding of the Plan and policies of the organization. Ensure incident response activities are in accordance with legal, contractual, and regulatory requirements. Participate in tests of the incident response plan and procedures. Responsible for internal and external communications pertaining to security incidents.

Escalation Procedure

The escalation procedure shall follow the BIL classification.

In the case of a suspected security incident the Product team shall be alerted as soon as possible and no later than 20 minutes after the incident is discovered. The product team shall verify and classify the incident with as much information as possible. If the incident is verified as a security incident and receives a classification of BIL1 or 2, it shall escalate to SIRT within 60 minutes from discovery. This initiates a full SIRT with regular reporting and engagement to SIHT every second hour. In the case of a BIL3 classification the product team shall handle the resolution internally with regular situation report to SIHT every second hour. SIHT reports to the board of directors (BOD) in accordance with its governance.