Incident management
Policy Statement
Everperform will ensure that it reacts appropriately to any genuine or suspected security incidents relating to information systems or information within the Everperform network.
Purpose
The aim of this policy is to communicate the response Everperform will take in the case of a serious security incident and outline a list of actions to mitigate any risk.
Scope
This document applies to all Employees of Everperform, contractors or associates who use Everperform Infrastructure, or have access to Customer information or Everperform systems information.
All users must understand and adopt use of this policy and are responsible for ensuring the safety and security of Everperforms systems and the information that they contain.
All users have a role to play and a contribution to make to the safe and secure use of technology and the information that it holds.
Definition
This policy is to be applied when it becomes clear information systems or data are suspected to be, or are genuinely affected by an adverse event which is likely to lead to a security incident.
The definition of an Information Security Incident is an adverse event that has caused or has the potential to cause damage to an organisation’s assets, reputation and/or persons. This policy is concerned with intrusion, compromise and misuse of information and information systems, and the continuity of critical information systems and processes.
An Information Security Incident includes, but is not restricted to, the following:
The loss or theft of data or information.
The transfer of data or information to those who are not entitled to receive that information.
Attempts (either failed or successful) to gain unauthorised access to data or information storage or a computer system.
Changes to information or data or system hardware, firmware, or software characteristics without the Everperforms knowledge, instruction, or consent.
Unwanted disruption or denial of service to a system.
The unauthorised use of a system for the processing or storage of data by any person.
Any act or lack of action which directly leads to the distribution of information to unintended recipients with or without intent.
Risks
Everperform recognises that there are risks associated with users accessing and handling information in order to conduct business critical acts.
This policy aims to mitigate the following risks:
To Mitigate the risks associated with day to day operations of the Everperform Application.
To reduce the impact of information security breaches by ensuring incidents are followed up correctly.
To help identify areas for improvement to decrease the risk and impact of future incidents.
Non-compliance with this policy could have a significant effect on the security of the platform and associated customer data, resulting in financial loss and an inability to provide necessary services to our customers.
Procedure for Incident Handling
Incidents and potential weaknesses must be reported at the earliest possible stage to be assessed by the Chief Security Officer (CSO). This enables the CSO to identify when a series of events or weaknesses have escalated to become an incident. It is vital for the CSO to gain as much information as possible from the business users to identify when an incident is occurring.
Reporting Information Security Events or Weaknesses
The following sections detail how users and Everperform employees must report information security events or weaknesses.
Reporting Information Security Events for all Employees
Security events - for example a virus infection - could quickly spread and cause data loss across the organisation. All users must understand, and be able to identify that any unexpected or unusual behaviour on the workstation could potentially be a software malfunction. If an event is detected users must:
Note the symptoms and any error messages on screen.
Disconnect the workstation from the network if an infection is suspected.
Not use any removable media (Memory Stick, External Hard Drives etc.) that may also have been infected.
All suspected security events should be reported immediately to the Chief Security Officer on contact@everperform.com.
The Chief Security Officer will require you to supply further information, the nature of which will depend upon the nature of the incident. However, the following information must be supplied:
Contact name and email of the person reporting the incident.
The type of data, information or equipment involved.
Whether the loss of the data puts any person or other data at risk.
Date and time the security incident occurred.
Location of data or equipment affected.
Type and circumstances of the incident.
Reporting Information Security Weaknesses for all Employees
Security weaknesses, for example a software malfunction, must be reported through the same process as security events. Users must not attempt to prove a security weakness as such an action may be considered to be misuse unless directed by the CSO.
Weaknesses reported to application and service providers by employees must also be reported internally to the CSO. The service provider’s response must be monitored and the effectiveness of its action to repair the weakness must be recorded by both CSO and CEO.
Reporting Information Security Events for Everperform Employees
Information security events and weaknesses must be reported to a nominated central point of contact within Everperform as quickly as possible and the incident response and escalation procedure must be followed.
Security events can include:
Uncontrolled system changes.
Access violations – e.g. password sharing.
Breaches of physical security.
Non compliance with policies.
Systems being hacked or manipulated.
Security weaknesses can include:
Inadequate firewall or antivirus protection.
System malfunctions or overloads.
Malfunctions of software applications.
Human errors.
All reported incidents or weaknesses will be assessed and a report issued detailing the information pertaining to the incident. The CSO will work with Product Management and Engineering to rectify the incident.
Incidents must be reported to the Customer Management team should the incident become service affecting with the appropriate stakeholders and any affected parties informed immediately.
Management of Information Security Incidents and Improvements
A consistent approach to dealing with all security events must be maintained across Everperform. The events must be analysed and the CSO must be consulted to establish when security events become escalated to an incident.
All high and medium incidents should be reported to the CSO. All low incidents should be reported to Everperform Support. If users are unsure of incident severity simply contact Everperform Support and if required they will direct a different course of action.
Collection of Evidence
If an incident may require information to be collected for an investigation strict rules must be adhered to. The collection of evidence for a potential investigation must be approached with care. The CSO must be contacted immediately for guidance and strict processes must be followed for the collection of forensic evidence. If in doubt about a situation, for example concerning computer misuse, contact the Everperform Support for advice.
Responsibilities and Procedures
Management responsibilities and appropriate procedures must be established to ensure an effective response against security events. The CSO must decide when events are classified as an incident and determine the most appropriate response.
An incident management report must be created and include details of:
Identification of the incident, analysis to ascertain its cause and vulnerabilities it exploited.
Plans for limiting or restricting further impact of the incident.
Tactics for containing the incident.
Corrective action to repair and prevent reoccurrence.
Communication from Everperform to those affected.
The report must also include a section referring to the collection of any evidence that might be required for analysis as forensic evidence.
Learning from Information Security Incidents
To learn from incidents and improve the response process incidents must be recorded and a Post Incident Review conducted. The following details must be retained:
Type of incident
Number of Incidents and Severity
Costs incurred during the incidents
The information must be collated and reviewed on a regular basis by both CSO and CEO and any patterns or trends identified. Any changes to the process made as a result of the Post Incident Review must be formally noted.
Policy Compliance
If any user is found to have breached this policy, they may be subject to disciplinary actions. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).