Security

Incident response plan

Introduction

  • 21RISK during the course of business might store, process or transmit sensitive data including. This includes personal and sensitive personal data, and also non-personal information which may be sensitive or commercially confidential (e.g. financial data) and may be subject to legal obligations of confidence, whether contractual or otherwise.

  • 21RISK has legal responsibilities under all applicable laws and regulations and in respect of its own business to safeguard information in its control. Care should be taken to protect information, to ensure its integrity and to protect it from loss, theft or unauthorized access.

Purpose & Scope

The purpose of this policy is to adequately inform the intended audience the actions to take in the event of an information security incident (also referred to as a ‘data breach’).

Audience

Any 21 Risk employee or contractor discovering or suspecting an information security incident must report it in accordance with this policy.

Roles and responsibilities

Roles Responsibilities
All employees or third parties Be aware of their responsibilities as incident responders or responsibilities regarding notifying incidents appropriately
CEO/Equivalent C-Level Executives Implementing and maintaining incident response mechanisms

Policy statements

  • 21RISK will adopt adequate administrative, technical and physical safeguards necessary to protect sensitive information including personally identifiable information of its employees and customers.
  • Reasonable administrative safeguards may include:
    • Designating one or more employees to coordinate the security program
    • Identifying reasonably foreseeable internal and external risks
    • Assesses the sufficiency of safeguards in place to control the identified risks
    • Training and managing employees in the security program practices and procedures
    • Selecting service providers (including cloud service providers) capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and
    • Adjusting the security program in light of business changes or new changes in the technology or security landscape.
  • Reasonable technical safeguards may include:
    • Assessing risks in network, infrastructure and software
    • Assessing risks in information processing, transmission and storage
    • Detecting, preventing and responding to attacks or system failures; and
    • Regularly testing and monitoring the effectiveness of key controls, systems and procedures.
  • Reasonable physical safeguards may include:
    • Assessing risks of information storage and disposal
    • Detecting, preventing and responding to intrusions
    • Protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
    • Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
  • 21RISK will continuously monitor any applicable laws or regulations throughout the course of its business and will maintain an incident notification criteria document with details of requirements from various regulations.
  • Incident Response Process: The response process, at a detail level, for an incident includes these phases.
  • Preparation phase: The detailed steps and general timing of an incident response are outlined below.
    • Identification: Identify and confirm that the suspected or reported incident has happened and whether malicious activity is still underway.
    • Determine the type, impact, and severity of the incident
    • Take basic and prudent containment steps.
  • Notification phase:
    • Inform or activate the designated Incident Response Team (IRT), based on the severity of the incident impact, and details of the incident to the extent that they are known. Determine the need for Subject Matter Experts (SME) to be involved in the Containment, Eradication, and Recovery processes.
    • 21RISK will notify its major infrastructure and software hosting providers and law enforcement agencies within 24 hours of a security incident.
    • If the incident is confirmed, 21 Risk will inform its customers appropriately within 72 hours.
  • Containment: Take immediate steps to curtail any on-going malicious activity or prevent repetition of past malicious activity.
  • Eradication: Provide full technical resolution of threat and related malicious activity. Address public relations, notification, and legal issues.
  • Recovery: Recover any business process disruptions and regain normal operations. Address longer term public relations or legal issues, if required, and apply any constituent remedies.
    • 21RISK has a backup and recovery strategy in place for all data.
    • In the event of a data recovery, 21 Risk can roll back/restore the data from the — managed backup service.
  • Post-incident: Formalize documentation of incidents and summarize learnings. Apply learnings to future preparedness.
  • Exception Handling In case of any exception to the above requirements, approval should be obtained from the Policy Owner based on a Risk Based approach.
previous Known attack vectors
next Acceptable Use Policy