Document Information
Document Reference: ISO-Policy-13
Version: v1
- Policy Statement: To meet the enterprise business objectives and ensure acceptable use of its information systems and networks, XX shall adopt and follow well-defined and time-tested policies, procedures and guidelines to ensure the secure management of data and devices and to protect sensitive or personal information from intentional or accidental exposure or misuse.
XX is committed to managing its legal and contractual compliance obligations in a proactive, ongoing, and responsible manner. It is committed to not only identifying the legislation which it is obliged to comply with but also measuring the levels of compliance in the organisation.
The policy and respective procedures, guidelines, and forms shall be available to the MD, Senior Leadership, managers and employees and workers of XX.
- Purpose: The purpose of this policy is to ensure that personal information and confidential information are protected from unauthorised use and disclosure. This policy helps to facilitate the identification of information to support routine disclosure and active dissemination of information. It also helps to protect the intellectual property of XX. This policy also establishes management direction and high-level objectives for incident management and response, and ensures the implementation of incident management strategies to mitigate associated risks such as:
- i. Information being corrupted and/or destroyed;
- ii. Computer performance being disrupted and/or degraded;
- iii. Productivity losses being incurred; and
- iv. Exposure to reputation risk.
- Scope:
- 3.1 People: This Policy applies to all XX employees who have access to XX Assets both physical and non-physical including data. This includes but is not limited to permanent employees, fixed-term contract employees, agency staff, contractors and third parties authorised to process information on XX’s behalf.
- 3.2 IT Assets: The policy is applicable to all Hardware assets, Software assets, Network assets, and Utilities. Equipment owned by third parties, but in the custody of XX, will also be covered under the scope.
- 3.3 Documentation: The documentation shall consist of this agreed Policy, any accompanying guidelines, and processes & procedures required by the Business.
- 3.4 Document Control: The Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document. The previous version shall be retained for a period of two years for legal and knowledge preservation purposes.
- 3.5 Records: Records generated as part of the Policy shall be retained for a period of two years. Records may be held in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
- 3.6 Distribution and Maintenance: The Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CCO and system administrators.
- Intended Audience and Accountability: The intended audience of this document is all XX employees, consultants and sub-contractors. It is the personal responsibility of each employee, consultant and sub-contractor to adhere fully to its requirements. Directors, Heads of Departments, Managers and Team Leaders are responsible for implementing this policy in full within their respective departments and the organisation as a whole, and for ensuring appropriate compliance by those under their direction or supervision.
- Privacy: This Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.
- Responsibility: This Policy shall be implemented by the Board / designated personnel and Human Resources / Operations Manager. XX shall ensure that all activities required to implement, maintain and review this policy are performed. All personnel, regarded as included in the ISMS scope, must comply with this policy statement and its related security responsibilities defined in the information security policies and procedures that support the corporate information security policy. All personnel, even if not included in the ISMS scope, have a responsibility for complying with this and all other applicable Policies in full and to report any security incidents and identified weaknesses, and to contribute to the protection of business processes, information assets, and resources of XX.
- Compliance Policy Framework: The organisation shall explicitly define and document its approach to meet all legal, regulatory, and contractual requirements. Issues of data protection, restrictions on the use of specific technology, compliance with security policies and standards must be defined and documented. Legal advice shall be sought, and all above-mentioned documents shall be kept up to date.
- 7.1 The organisational management shall ensure that:
- i. Incidents are detected as soon as possible and properly reported
- ii. Incidents are handled by appropriate authorized personnel with ‘skilled’ backup as required
- iii. Incidents are properly recorded and documented
- iv. All evidence is gathered, recorded and maintained in the Security Incident Reporting form in a manner that will withstand internal and external scrutiny
- v. The full extent and implications relating to an incident are understood
- vi. Incidents are dealt with in a timely manner and service(s) restored as soon as possible
- vii. Corrective actions are taken so that similar incidents do not recur
- viii. Any weaknesses in procedures or policies are identified and addressed
- ix. The risk to XX’s reputation through negative exposure is minimised.
- x. All incidents shall be analysed and reported to the designated officer(s)
- xi. Lessons learned from incidents are recorded
The policy shall apply throughout the organisation, including information resources, data stored and processed on those systems, data communication and transmission media, and personnel who use information resources.
- 7.2 The Organisation shall develop, maintain and implement an incident management and response plan that addresses information technology security incidents. The following paragraphs specify the incident management plan requirements. These requirements shall be in compliance with applicable legal, regulatory and organisational policies and standards.
- i. Incident Management Training: XX shall provide incident management training to the Divisions/Offices on how to identify and report security incidents.
- ii. Identifying and Prioritising Types of Incidents: XX shall develop and maintain guidelines for identifying and prioritising security incidents, and shall evaluate the potential for the occurrence of certain types of incidents. All security incidents shall be classified by severity level and type. The five event severity levels defined in the Incident Response Standard (ITS) shall be used for classification purposes. In addition, each incident shall be identified by type: email, hacking, virus/worm, inappropriate use, social engineering, or other.
- iii. Incident Monitoring: The CISO or equivalent shall develop and maintain guidelines on how to monitor for security incidents. Management, the responsible persons, or the staff designated to them by agreement or assignment shall, as part of the risk management programme, continuously monitor for security incidents (both physical and IT related) according to those guidelines.
- iv. Incident Detection: XX shall develop and maintain enterprise-wide procedures for collecting, analysing and reporting incident data. The integrity of all data relating to criminal acts must be preserved as potential evidence, and such data shall be collected using generally accepted forensic procedures. The forensic procedures to be followed shall be developed and disseminated by the CISO or equivalent.
- v. Incident Reporting: The CISO or equivalent shall define the basic procedure to be followed for reporting incidents. Departments shall expand on this procedure as necessary to include the internal communications and escalation procedures that they will use. Security incidents classified as level 3, 4 or 5 shall be reported to the CISO and, where appropriate and required, to the relevant information security official within 24 hours of the time the incident was discovered. The CISO is responsible for reporting such incidents to the Senior Leadership Team / Board and to Compliance within 24 hours of receiving the report. The Operations Manager is responsible for informing the appropriate departmental staff about the issue. An incident reporting template is available from the CISO and the IT Manager. Security incidents classified as level 2 or greater shall be reported, at a minimum, to the Senior Leadership Team; departmental procedures may require security incidents of all levels to be reported to the CISO. If there is a question regarding the classification level, the division/office security official shall consult the CISO.
- vi. Security Incident Response Team (SIRT): The CISO shall establish and utilise a SIRT. The CISO will work with Departmental Management to develop a cross-functional incident response team that will handle a variety of incidents. The roles and responsibilities of the team members shall be clearly defined. The SIRT shall be adequately staffed and trained to handle incidents. Since incidents may be far-reaching, requiring expertise or authority that does not reside within a division/office, the SIRT may include outsourced vendors, internal and external entities, and other key facility/agency personnel.
- vii. Organisation Protocols: Security incidents may occur across network boundaries. The CISO shall define the protocols for handling these incidents and the contacts between Divisions/Offices, state agencies and outsourced entities.
- viii. Impact Assessment: The CISO shall evaluate the impact of security incidents. Assessments may be required at various stages of the incident life cycle to assist management in deploying the proper risk management strategy.
- ix. Incident Handling and Escalation Procedures: The CISO shall develop and maintain the primary procedures for handling the containment, eradication and recovery aspects of incidents and the guidelines for development of an escalation procedure. Departmental managers shall develop escalation procedures that are tailored to their individual circumstances.
- x. Documentation: All security incidents shall be thoroughly documented by the Business with as much detail as possible to describe the incident, time discovered and impacted area for subsequent investigation. The incident report shall indicate who was notified and what actions were taken. The CISO may be called on to assist in the documentation process.
- xi. Record Retention: The Business shall maintain incident logs and corresponding documentation for a minimum of one year following the discovery of an incident, or until the investigation is completed, whichever is later. Incident logs shall be stored in a secure location.
- xii. Post-Incident Analysis: The post-mortem analysis provides feedback to improve the existing process and its related procedures. Following the actions taken to resolve each security incident, the CISO and the impacted division or office, assisted by the staff designated to them by agreement or assignment, shall analyse the procedures followed and what further steps could have been taken to minimise the impact of the incident.
- xiii. Emergency Planning: If an incident impacts the safety of the public, personnel or facilities, or results in XX services being interrupted for an extended period of time, the incident may be declared an emergency. XX shall work with the Disaster Response Team to provide guidelines on the criteria for identifying an emergency and on notification procedures. The Divisions/Offices shall develop the appropriate procedures for identifying and declaring emergencies in accordance with the established Business Continuity and Disaster Recovery Policy.
Incident Reporting Form for breaches of security or confidentiality

Form Number:

| # | Field | Comments |
| --- | --- | --- |
| 1 | Details of security or confidentiality incident | |
| 2 | Place of discovery | |
| 3 | Who discovered | |
| 4 | Date of discovery | |
| 5 | Action taken by discoverer | |
| 6 | Reported to | |
| 7 | Date of report | |
| 8 | Seriousness/classification of incident | |
| 9 | Date reported to Head of Information Security / SIRO | |
| 10 | Action taken by Head of Information Security / SIRO | |
| 11 | Follow-up check undertaken by | |
| 12 | Date of follow-up | |
- Enforcement: Compliance with this Policy is mandatory. Non-compliance with this or any other Policy may result in disciplinary or, where appropriate, criminal proceedings against employees who are wilfully negligent (this may include their line managers), in line with Business HR Policies and regulatory and legal requirements.
If compliance is not possible, an "Exception" must be raised and approved in line with the requirements and procedures of the Business.
- Non-Compliance: Failure to comply with this policy may lead to a lack of clarity over job role or expected standards of performance and behaviour, resulting in reduced effectiveness or efficiency, underperformance, and putting service delivery at risk.
Any member of staff refusing to observe the policy will be liable to disciplinary action in accordance with disciplinary policies, up to and including dismissal.
- Implementation of the Policy: Overall responsibility for policy implementation and review rests with the Operations and HR Management team.
However, all employees are required to adhere to and support the implementation of the policy. The Operations Manager will inform all existing employees about this policy and their role in its implementation, and will give all new employees notice of the policy on induction to the Business.
This policy will be implemented through the development and maintenance of supporting procedures, using template forms, and guidance given to both managers and employees on the process.
- Policy Review: All policies will be reviewed when there are relevant changes in applicable law, when there is a change in the business need, or when feedback from HR, line managers or Trade Unions suggests that the policy is either out of date or unfit for purpose.
- Ownership and Revision: This policy statement is owned by the Board of Directors of the Business, who has delegated this task to the designated persons in the Business. This policy shall be revised at least once every two years by a designated person and whenever the Board of Directors of the Business decides to do so.
| Title | Incident Management Policy |
| --- | --- |
| Description | Policy Document |
| Created By | Xapads Media Pvt. Ltd, 5th Floor, Windsor IT Park, Tower B, Plot No. A1 |
| Date Created | 14/09/2023 |
| Maintained By | Xapads Media |