1. OVERVIEW AND SCOPE
1.1. Overview
This policy and its supporting procedures give PlusPlus a documented and formalized Incident Response Policy & Plan that is to be followed throughout the organization at all times. Compliance with the policy and supporting procedures helps ensure the safety and security of PlusPlus system resources. Today's hardware and software controls are highly effective at thwarting many cybersecurity threats and other malicious attacks; nevertheless, security breaches do occur, regardless of readiness and preparation. Responding immediately and comprehensively to security incidents requires well-documented protocols and practices such as those outlined herein. The policies and procedures relating to incident response that follow strive to ensure the overall confidentiality, integrity, and availability (CIA) of the organization's platform.
1.2. Purpose
The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards, and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well-publicized and made easily available to all personnel whose duties involve data privacy and security protection.
PlusPlus publishes an Incident Response Policy to focus significant attention on data security and data security breaches, and on how PlusPlus's established culture of openness, trust, and integrity should respond to such activity. PlusPlus is committed to protecting employees, partners, and the company from illegal or damaging actions by individuals, whether undertaken knowingly or unknowingly.
1.3. Scope
The scope of this Policy covers all Confidential & Sensitive Data stored, accessed, or transmitted by our software platform, including its applications, components, infrastructure, and underlying code (together, our products).
Additionally, this Policy applies to all employees, contractors, and third-party suppliers of PlusPlus that collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle PlusPlus’s Confidential & Sensitive Data. All employees, contractors, and, as applicable, third-party suppliers are responsible for reading this Policy and complying with its requirements.
2. ROLES AND RESPONSIBILITIES
The following roles and responsibilities are to be developed and subsequently assigned to authorized personnel within PlusPlus regarding incident response practices:
● Risk Committee: Responsibilities include approving and monitoring adherence to this policy.
● Chief Technology Officer (CTO): Responsibilities include providing overall direction, guidance, leadership, and support for the entire incident response platform. The CTO authorizes the execution of the Incident Response Plan and is responsible for reporting any events that are categorized as breach events to the Risk Committee.
● End Users (Employees, Consultants): Responsibilities include adhering to the organization's incident response policies, procedures, and practices. End users are also to report and escalate instances of non-compliance, specifically those by other users, to senior authorities. End users may, in the course of day-to-day operations, notice issues that could impede the safety and security of PlusPlus system components, and are to report such instances immediately to senior authorities.
● Vendors, Contractors, Other Third-Party Entities: Responsibilities for such individuals and organizations are much like those stated for end users: adhering to the organization's incident response policies, procedures, and practices, and not taking any action that alters those standards on any PlusPlus system components. Vendors, contractors, and other third-party entities are required to immediately notify PlusPlus of any policy violations involving client data.
3. INCIDENT / BREACH RESPONSE PLAN AND PROCEDURES
3.1. Incident Identification
Employees must be aware of their responsibilities in detecting security incidents to facilitate the Incident Response Plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:
o Theft, damage, or unauthorized access (e.g., unauthorized logins, papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry).
o Fraud (e.g., inaccurate information within databases, logs, files, or paper records).
o Abnormal system behavior (e.g., unscheduled system reboot, unexpected messages, abnormal errors in system log files or on terminals).
o Security event notifications (e.g., file integrity alerts, intrusion detection alarms, and physical security alarms).
o Critical customer complaints (e.g., incorrect information showing on their account, any accusations of wrongdoing on behalf of the company).
o Internal operational incidents (e.g., no access to the building, e-mail issues).
All employees, regardless of job responsibilities, should be aware of the potential incident identifiers and whom to notify in these situations. In all cases, every employee should report incidents per the instructions under Reporting and Incident Declaration Procedures, unless they are assigned other activities within the Incident Response Plan.
3.2. Reporting and Incident Declaration Procedures
Once an employee has identified a suspected or actual malicious, suspicious, or disruptive event, they should report the event immediately to the Incident Response Team (IRT) by emailing the incident response mailbox. If it is unclear whether a situation should be considered a security incident, the IRT should be contacted to evaluate the situation.
3.2.1. Incident Response Team (IRT)
A documented Incident Response Team (IRT) is to have clear roles and responsibilities for adequately responding to any incident. Preparation is just as important as the response to the incident. Other aspects of preparing for an incident include the necessary steps, processes, and procedures to take once an incident has occurred. This also includes an understanding of what actions are to be taken with respective third parties, if necessary, such as clients, law enforcement agencies, local/federal/state agencies, the media, and any other third parties considered to be within scope.
PlusPlus's IRT is to consist of the following assigned titles and their respective roles and responsibilities for effectively preparing for, detecting, responding to, containing, and recovering from an incident, as well as undertaking post-incident activities and awareness:
▪ Chief Technology Officer (CTO): Responsibilities include providing overall direction, guidance, leadership, and support for the organization's entire incident response program, while also assisting other applicable personnel in their day-to-day operations. The CTO is to report to other members of senior management on a regular basis regarding all aspects of the organization's information systems posture, which includes incident response.
▪ IRT Security Officer: Responsibilities for this individual include daily operational oversight of all incident response initiatives, such as the following:
  ▪ Ensuring policies and procedures are kept current and adhered to as stated.
  ▪ Ensuring that any incidents are reported and documented accordingly.
  ▪ Tracking and monitoring all activities relating to incidents, from initial reporting to final resolution and "lessons learned."
  ▪ Identifying ongoing training needs of the organization.
▪ IRT Network Engineers and Systems Administrators: Responsibilities for these individuals include implementing many of the operational, technical, and security procedures and related practices for incident response. Because these individuals often serve as the "front line" of defense, their actions are critical to ensuring the safety and security of all enterprise-wide system resources should a security incident occur. IRT network engineers' and system administrators' roles and responsibilities include the following:
  ▪ Receiving incident alerts and immediately preparing to respond to such threats.
  ▪ Responding to threats, including undertaking all measures necessary to ensure the confidentiality, integrity, and availability (CIA) of critical PlusPlus system resources. This generally includes provisions for isolating and quarantining affected or suspected systems.
  ▪ Assessing the severity of incidents and immediately making the technical changes to critical system resources needed to protect other PlusPlus assets.
  ▪ Restoring systems as needed, and providing a technical overview for the final "lessons learned" analysis.
3.3. Incident Severity Classification
The IRT will first attempt to determine if the security incident justifies a formal incident response.
In cases where a security incident does not require an incident response, the situation will be forwarded to the appropriate area of IT to ensure that all technical support services required are rendered.
The following descriptions should be used to determine the IRT response (Level 1 is the most severe):
o Level 3: Limited impact or minor disruption to business operations.
o Level 2: Important or severe impact, with important disruption of business operations. Data leakage is limited to Confidential or Public information.
o Level 1: Negative impact on business reputation, negative client reaction, or financial and liability impacts. A security incident impacting a client must be classified as Level 1. Data leakage includes Sensitive information.
3.4. Incident Response and Containment
Any incident deemed to be a threat to the organization requires a rapid response from authorized personnel, such as the IRT personnel. This rapid response will follow a standard course of action designed to minimize the impact of the incident on the organization’s critical network and system infrastructure.
The following documented response mechanisms serve as best practices for incident response and containment within the organization:
3.4.1. Initial Response
IRT personnel are to assume control formally and to identify the threat and its severity to the organization’s information systems.
3.4.2. Documentation
Documentation is imperative for incident response, so authorized IRT personnel are to formally open an incident response ticket for the event. Because the severity of incidents varies, it is understood that the first and most important task will often be to contain the incident immediately and to complete the applicable ticket afterward.
3.4.3. Identification
In identifying the threat, IRT personnel are to accurately determine which resources, both internal and external, are at risk and which harmful processes are currently running on the resources identified as at risk. A direct line of communication between the IRT and external service providers is maintained to aid in identifying threats and responding to them.
3.4.4. Containment and Isolation
IRT personnel are to determine whether the resources at risk (hardware, software, etc.) require physical or logical removal. Resources posing a significant threat to the continuity of the business are to be immediately removed or isolated, either physically or logically. Resources that may require physical or logical removal or isolation may include any PlusPlus owned, operated, or maintained system resources.
When permissible, backups of the affected systems are to be taken onto new media, as this provides a critical snapshot of the system in its compromised state. This backup is not to be used for any production restore, but it can be used for forensic analysis to learn how the incident came about.
3.4.5. Evidence Collection and Investigation
Begin putting together a list of items considered as evidence, which may be any number of electronic resources, interviews taken from various individuals, etc. Additionally, avoid tactics that may alert the suspected person or persons responsible for such acts as it may allow them to begin concealing evidence, covering their digital trail – or worse – moving onto other areas within the network. Additional evidence collection and investigative procedures also include the following:
▪ Understanding how the incident occurred and what led to the compromise.
▪ Reviewing all the necessary documentation.
▪ Interviewing personnel as needed.
▪ Examining any third-party providers and their respective products and services that are utilized within PlusPlus's network architecture.
▪ If warranted, a third-party resource may be engaged to assist in the investigation of the incident (at management's discretion).
3.5. Incident Response
The following actions are typical actions that should be taken by the IRT once an incident has been identified and classified:
3.5.1. Level 3: Contain and Monitor
1. If possible, record the user, MAC address, IP address, and domain of the intruder.
2. Utilize approved technology controls to temporarily or permanently block the intruder's access.
3. Maintain vigilance for future break-in attempts from this user or IP address.
3.5.2. Level 2: Contain, Monitor and Warn
1. Collect and protect information associated with the intrusion.
2. Utilize approved technology controls to temporarily or permanently block the intruder’s access.
3. Research the origin of the connection.
4. Contact the Internet Service Provider (ISP) and ask for more information regarding the attempt and intruder.
5. Research potential risks related to the intrusion method attempted and re-evaluate for a higher classification; if warranted, proceed with incident containment, eradication, and recovery as described for Level 1 incidents.
6. Once the malicious user is identified, inform them that their actions are known and warn of consequences if the attempt is repeated. If an employee is the malicious user, management should work with the CTO to address the Acceptable Use violation appropriately.
3.5.3. Level 1: Contain, Eradicate, Recover and Perform Root Cause Analysis
1. Contain the intrusion and decide what action to take. Consider unplugging or logically disabling network connections, applying highly restrictive ACLs, deactivating or isolating the switch port, deactivating the user ID, terminating the user's session and changing the password, etc.
2. Collect and protect information associated with the intrusion via offline methods. If a forensic investigation is required, the CTO will work with legal and management to identify appropriate forensic specialists.
3. Notify management of the situation and keep them informed of progress at each following step.
4. Eliminate the intruder's means of access and any related vulnerabilities.
5. Research the origin of the connection.
6. Contact the Internet Service Provider (ISP) and ask for more information regarding the attempt and the intruder, reminding them of their responsibility to assist in this regard.
7. Research potential risks related to, or damage caused by, the intrusion method used.
8. The CTO will work with legal and management to follow applicable local and federal laws and to contact law enforcement as necessary. If data leakage occurs, the evaluation with legal and management must include applicable notifications, which must be carried out within the timelines required based on the type of information leaked, the location of the client(s) impacted, and the location where the leak occurred.
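The following Python script is an added illustration of how the technical steps in 3.5.1 through 3.5.3 (record the intruder's user, IP address and domain; block the intruder's access with an approved control; watch for repeat attempts; collect and protect evidence) can be carried out against host authentication logs. It is not part of the PlusPlus plan and not PlusPlus tooling. The log lines are constructed samples in sshd's format, the failed-login threshold is an assumed value, and the generated nftables command assumes a pre-existing set named blocked_src in an inet filter table; the command is produced for review, not executed.

```python
"""Added example: containment and evidence helpers for Level 3/2/1 response steps."""
import hashlib
import json
import re
from collections import Counter

# Constructed sample log lines (sshd format); not taken from any real system.
SAMPLE_LOG = """\
Jan 14 03:12:07 app01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Jan 14 03:12:09 app01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Jan 14 03:12:12 app01 sshd[2211]: Failed password for root from 203.0.113.45 port 51141 ssh2
Jan 14 03:12:15 app01 sshd[2213]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Jan 14 03:12:40 app01 sshd[2215]: Failed password for root from 203.0.113.45 port 51160 ssh2
"""

# Matches sshd "Failed password" lines and captures timestamp, host, user, source IP and port.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

THRESHOLD = 3  # assumed: failed logins from one source before it is treated as an intruder


def parse_failures(log_text):
    """Return one record per failed-login line; successful logins are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({**m.groupdict(), "raw": line})
    return events


def identify_intruders(events, threshold=THRESHOLD):
    """Level 3 step 1: record the user(s), IP address and domain (host) of each intruder."""
    by_ip = Counter(e["ip"] for e in events)
    intruders = {}
    for ip, n in by_ip.items():
        if n >= threshold:
            related = [e for e in events if e["ip"] == ip]
            intruders[ip] = {
                "attempts": n,
                "users": sorted({e["user"] for e in related}),
                "domain": related[0]["host"],
            }
    return intruders


def block_rule(ip):
    """Level 3 step 2: nftables command for an approved control (assumes set blocked_src exists)."""
    return f"nft add element inet filter blocked_src {{ {ip} }}"


def check_repeat_attempts(events, blocklist):
    """Level 3 step 3: flag later attempts from a source that is already blocked."""
    return [e for e in events if e["ip"] in blocklist]


def seal_evidence(records):
    """Level 1 step 2: serialise collected records deterministically and hash them,
    so that any later alteration of the evidence set is detectable."""
    payload = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return {"sha256": hashlib.sha256(payload).hexdigest(), "bytes": len(payload)}


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    intruders = identify_intruders(events)
    for ip, info in intruders.items():
        print(f"intruder {ip}: {info}")
        print("proposed control:", block_rule(ip))
    print("evidence digest:", seal_evidence(events))
```

The digest is recorded in the incident ticket alongside the evidence; re-hashing the stored records later and comparing against the ticketed value is a simple check that the offline copy has not been altered.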
3.6. Root Cause Analysis and Lessons Learned
Not more than one week following the incident, members of the IRT and all affected parties will meet to review the results of the investigation conducted to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to determine their appropriateness for the current risks. Any identified areas in which the plan, policy, or security control can be made more effective or efficient, must be updated accordingly. Upon conclusion of the investigation, systems will be restored to their non-compromised state in accordance with PlusPlus’s configuration standards.
3.7. Plan Testing and Training
At least once a year, a mock incident will be initiated to facilitate testing of the current plan. The exact incident to be tested will be at the discretion of the IRT.
All employees that could have an active role within incident response will be part of the test process.
Training regarding incident response responsibilities must be performed regularly to ensure employees' readiness for tests and actual incidents.
4. POLICY ADMINISTRATION
4.1. Ownership and Review
The Policy Owner owns this Policy and is responsible for reviewing the Policy for updates annually, or following major changes to PlusPlus’s compliance environment. The Policy Approver retains approving authority over this Policy.
4.2. Monitoring and Enforcement
PlusPlus periodically monitors adherence to this Policy to help ensure compliance with applicable laws, requirements, and contractual agreements that apply to Client & Consumer Data. PlusPlus may also establish enforcement mechanisms, including disciplinary actions, to help ensure compliance with this Policy.
Last reviewed on 12/4/2023 by Tomomi Menjo