When an information security incident is identified or detected, users must notify their immediate manager within 24 hours. The manager must immediately notify the ISM on call for proper response. The following information must be included as part of the notification:
Description of the incident
Date, time, and location of the incident
Person who discovered the incident
How the incident was discovered
Known evidence of the incident
Affected system(s)
Within 48 hours of the incident being reported, the ISM shall conduct a preliminary investigation and risk assessment to review and confirm the details of the incident. If the incident is confirmed, the ISM must assess the impact to the organization and assign a severity level, which will determine the level of remediation effort required:
High: the incident is potentially catastrophic to the organization and/or disrupts the organization’s day-to-day operations; a violation of legal, regulatory or contractual requirements is likely.
Medium: the incident will cause harm to one or more business units within the organization and/or will cause delays to a business unit’s activities.
Low: the incident is a clear violation of organizational security policy, but will not substantively impact the business.
The ISM, in consultation with management sponsors, shall determine appropriate incident response activities in order to contain and resolve incidents.
The ISM must take all necessary steps to preserve forensic evidence (e.g. log information, files, images) for further investigation to determine if any malicious activity has taken place. All such information must be preserved and provided to law enforcement if the incident is determined to be malicious.
If the incident is deemed High or Medium, the ISM must work with the VP Brand/Creative, General Counsel, and HR Manager to create and execute a communications plan that communicates the incident to users, the public, and others affected.
The ISM must take all necessary steps to resolve the incident and recover information systems, data, and connectivity. All technical steps taken during an incident must be documented in the organization’s incident log, and must contain the following:
Description of the incident
Incident severity level
Root cause (e.g. source address, website malware, vulnerability)
Evidence
Mitigations applied (e.g. patch, re-image)
Status (open, closed, archived)
Disclosures (parties to which the details of this incident were disclosed, such as customers, vendors, law enforcement, etc.)
After an incident has been resolved, the ISM must conduct a post mortem that includes root cause analysis and documentation of any lessons learned.
Depending on the severity of the incident, the Chief Executive Officer (CEO) may elect to contact external authorities, including but not limited to law enforcement, private investigation firms, and government organizations as part of the response to the incident.
The ISM must notify all users of the incident, conduct additional training if necessary, and present any lessons learned to prevent future occurrences. Where necessary, the HR Manager must take disciplinary action if a user’s activity is deemed malicious.