Security Incident Response Policy

Netspective Unified Process

The purpose of the security incident response policy is to establish controls for detecting and responding to security vulnerabilities and breaches. It covers implementing instructions, definitions, procedures, responsibilities, and performance measures. The policy applies to all users of the organization’s information systems, including employees, contractors, and external parties, and it should be easily accessible to them. [FII-SCF-007-MON-02.1]

  • The Information Security Team (ISM) must be notified of any system vulnerability, incident, or event that may indicate a possible incident. All users should report these incidents as quickly as possible, but no later than 24 hours, by sending an email message to: PCII[nqspSecurityTeamEmail] with the incident details.

  • Users must receive training on the procedures for reporting information security incidents or discovered vulnerabilities. They are responsible for reporting such incidents; failure to do so will be treated as a security violation, and the Human Resources (HR) Manager will be notified for disciplinary action.

  • Preserve all information and artifacts related to security incidents, including files, logs, and screen captures, as potential evidence of a crime.

  • Respond to all information security incidents following the incident management procedures defined below.

  • Conduct an annual review of incident response procedures to ensure currency and make updates as necessary, in order to adequately plan and prepare for incidents.

  • Test the incident response procedure at least twice a year to ensure its effectiveness.

  • Review the incident response logs monthly to assess the effectiveness of the response. [FII-SCF-007-MON-01.2], [FII-SCF-007-MON-02]

Procedure For Establishing Incident Response System

  • Define the on-call schedule and designate an Information Security Manager (ISM) responsible for managing the incident response procedure during each availability window.

  • Establish a notification channel to alert the on-call ISM of a potential security incident. Create a Netspective Communications LLC resource that includes up-to-date contact information for the on-call ISM.

  • Appoint management sponsors from the Engineering, Legal, HR, Marketing, and C-Suite teams.

  • Distribute the Procedure for Executing Incident Response to all staff and ensure that updated versions are easily accessible in a dedicated Netspective Communications LLC resource.

  • Mandate that all staff members complete training for the Procedure for Executing Incident Response at least twice a year.

Procedure For Executing Incident Response

  • Users must notify their immediate manager within 24 hours when they identify or detect an information security incident. The manager must promptly inform the on-call ISM for an appropriate response. The notification should include the following information:
    • Incident description
    • Date, time, and location of the incident
    • Person who discovered the incident
    • Method of incident discovery
    • Known evidence of the incident
    • Affected system(s)

  • Within 48 hours of reporting the incident, the ISM will conduct a preliminary investigation and risk assessment to verify and confirm incident details. If confirmed, the ISM will assess the impact on the organization and assign a severity level to determine the required remediation effort:

    • High severity: potentially catastrophic to the organization, disrupts day-to-day operations, and likely violates legal, regulatory, or contractual requirements.
    • Medium severity: causes harm to one or more business units, resulting in activity delays.
    • Low severity: clear violation of organizational security policy but does not significantly impact the business.

  • The ISM, in consultation with management sponsors, will determine appropriate incident response activities to contain and resolve incidents.

  • The ISM must take necessary steps to preserve forensic evidence (e.g., log information, files, images) for further investigation in case of malicious activity. If the incident is deemed malicious, all relevant information must be preserved and provided to law enforcement.

  • For incidents classified as High or Medium severity, the ISM, along with the VP Brand/Creative, General Counsel, and HR Manager, will develop and implement a communications plan to inform affected users, the public, and other stakeholders.

  • The ISM must take all necessary actions to resolve the incident and recover information systems, data, and connectivity. Technical steps taken during the incident must be documented in the organization’s incident log, including:

    • Incident description
    • Severity level
    • Root cause (e.g., source address, website malware, vulnerability)
    • Evidence
    • Applied mitigations (e.g., patching, re-imaging)
    • Status (open, closed, archived)
    • Disclosures (parties informed about the incident details, such as customers, vendors, law enforcement, etc.)

  • After resolving an incident, the ISM must conduct a post-mortem analysis, including root cause analysis and documentation of lessons learned.

  • Depending on the incident’s severity, the Chief Executive Officer (CEO) may decide to engage external authorities such as law enforcement, private investigation firms, and government organizations as part of the incident response.

  • The ISM must notify all users of the incident, provide additional training if necessary, and share lessons learned to prevent future occurrences. If a user’s activity is determined to be malicious, the HR Manager must take disciplinary action when appropriate.

Approved by Ajay Kumaran Nair on June 26, 2023
Last Updated by Arun K R on June 26, 2023