Internal Incident Response Guidelines
- Incident Response Phases: The basic incident process encompasses six phases: preparation, detection, containment, investigation, remediation and recovery. The dynamic relationship between those phases is highlighted in Figure 1. The DPO's (or equivalent person's) overall incident response process includes detection, containment, investigation, remediation and recovery, documented in specific procedures it maintains.
1.1 Preparation: Preparation includes those activities that enable the DPO to respond to an incident: policies, tools, procedures, effective governance and communication plans. Preparation also implies that the affected groups have instituted the controls necessary to recover and continue operations after an incident is discovered. Post-mortem analyses from prior incidents should form the basis for continuous improvement of this stage.
1.2 Detection: Detection is the discovery of the event with security tools or notification by an inside or outside party about a suspected incident. This phase includes the declaration and initial classification of the incident, as well as any initial notifications required by law or contract.
1.3 Containment: Containment is the triage phase where the affected host or system is identified, isolated or otherwise mitigated, and when affected parties are notified and investigative status established. This phase includes sub-procedures for seizure and evidence handling, escalation, and communication.
1.4 Investigation: Investigation is the phase where the DPO determines the priority, scope, risk, and root cause of the incident.
1.5 Remediation: Remediation is the post-incident repair of affected systems, communication and instruction to affected parties, and analysis that confirms the threat has been contained. The determination of whether there are regulatory requirements for reporting the incident (and to which outside parties) will be made at this stage in cooperation with any external regulator. Apart from any formal reports, the post-mortem will be completed at this stage as it may impact the remediation and interpretation of the incident.
1.6 Recovery: Recovery is the analysis of the incident for its procedural and policy implications, the gathering of metrics, and the incorporation of “lessons learned” into future response activities and training.
- Guidelines for the Incident Response Process: In the process of responding to an incident, many questions arise, and problems are encountered, any of which may be different for each incident. This section provides guidelines for addressing common issues. The Incident Response Coordinator and Data Protection Officer should be consulted for questions and incident types not covered by these guidelines.
2.1 Insider Threats: In the case that a particular Incident Response Handler is a person of interest in an incident, the Incident Response Coordinator will assign other Incident Response Handlers to the incident. In the case that the Incident Response Coordinator is a person of interest in an incident, the Chief Information Security Officer or equivalent person in the organisation will act in their stead or appoint a designee to act on their behalf. In the case that the Chief Information Security Officer is a person of interest in an incident, the Data Protection Officer will act in their stead or appoint a designee to act on their behalf.
2.2 Interactions with the ICO: All communications with the ICO are made after consulting the DPO. The DPO determines the ICO's information requirements and shares the minimum information necessary for incident response.
2.3 Communications Plan: All public communications about an incident or incident response to external parties outside of the business are made in consultation with the Board and Media Relations. Private communications with other affected or interested parties contain the minimum information necessary. The minimum information necessary to share for a particular incident is determined by the Incident Response Coordinator in consultation with the DPO.
2.4 Documentation, Tracking and Reporting: All incident response activities will be documented to include artifacts obtained using methods consistent with chain of custody and confidentiality requirements. Incidents will be prioritized and ranked according to their potential risk.
Incidents will be reviewed post-mortem to assess whether the investigational process was successful and effective. Subsequent adjustments may be made to methods and procedures used by the DPO and by other participants to improve the incident response process.
Artifacts obtained during the course of an investigation may be deleted after the conclusion of the investigation and post-mortem analysis unless otherwise directed by the DPO.
2.5 Escalation: At any time during the incident response process, the Incident Response Coordinator and the DPO may be called upon to escalate any issue regarding the process or incident. The Incident Response Coordinator in consultation with the DPO will determine if and when an incident should be escalated to external authorities.
Version Control
Title | Access Management Policy
Description | Employee and Worker Access Management Policy
Created By | Xapads Media Pvt. Ltd, 5th Floor, Windsor IT Park, Tower B, Plot No. A1
Date Created | 14/09/2023
Maintained By | Xapads Media