Cybersecurity Incident Management Policy and Protocol
April 15, 2021: version 0.1
KI Design is committed to react immediately to any actual or suspected incidents relating to the privacy and security of personal information and personal health information (hereinafter referred to as “protected data”) in its custody.
The Incident and Breach Management Policy allows KI Design to identify, manage, and resolve privacy and information security incidents and breaches. The objective is to maintain the integrity, confidentiality, and availability of KI Design clients’ protected data.
This policy applies to all KI Design information assets – as defined in the Data and Information Management Policy.
The policy applies to all KI Design workers (including full/part time permanent or contracted employees). Workers must understand and apply this policy, and are responsible for ensuring the privacy and security of the data they use.
Failure to comply with the Incident and Breach Management Policy may result in disciplinary action up to and including termination of employment or affiliation with KI Design.
KI Design is committed to:
- Identifying, analyzing, resolving, and reporting security and privacy incidents and breaches to minimize risk to clients and to KI Design;
- Providing guidance regarding communication about security and privacy incidents during the process of incident management to ensure that the rights of individuals and KI Design are protected;
- Minimizing any adverse impact on KI Design operations;
- Timely escalation to ensure the proper resources are engaged to manage the situation.
The Privacy, Security, and Risk team (PSR) will form an Incident Response Team to manage the incident response. The team will always include the Privacy Officer or delegate; other team members will be determined by invitation from the PSR.
Workers cannot disclose the incident to the public, or on any social media or media outlet. Workers must only communicate regarding the incident with the Incident Response Team. Should workers be contacted by an outside party (for example: police, media, vendors, or donors), they must direct the call/message to the Privacy Officer.
BREACH MANAGEMENT APPROACH
KI Design takes the privacy and security of protected data in its custody extremely seriously. In the event of a privacy breach, an internal investigation into the matter will be conducted. The objectives of this investigation are:
- Identification: Once an incident is identified, the worker shall notify the Privacy Officer at email@example.com.
- Containment: Ensure that the immediate requirements of containment are met, and review the circumstances surrounding the breach.
- Remediation: The Incident Response Team, possibly assisted by outside third party/ies, will remediate and close any security or privacy gaps.
- Notification and Reporting: The Incident Response Team delegate, possibly assisted by an outside third party, is responsible for communications with workers, notification of affected individuals, and fulfilling any breach reporting obligations.
- Review and Prevention of Future Breaches: Existing policies and procedures will be assessed to ensure that they fully safeguard protected data, to avoid further incidents in the future. KI Design’s privacy and security posture can be improved by learning from incidents.
As early as possible after an incident has occurred, workers must notify the Privacy Officer (at the email address given above) that an incident has occurred as early as possible. Failure to notify will be considered a policy violation. Workers must provide factual information, rather than attempting to interpret or provide an opinion regarding the incident.
Only the Privacy Officer has the ability to declare whether the incident is in fact a breach.
The containment phase of the privacy incident and breach management process focuses on:
- confirming that a privacy incident or breach has transpired,
- preventing additional information assets from being affected,
- ensuring affected information assets are not further compromised,
- minimizing adverse impact to KI Design and the further disclosure of protected data, and
- restoring normal operation.
Workers must co-operate with the Privacy Officer or Incident Response Team to contain the breach.
Workers must ensure that the situation is not exacerbated by the containment actions taken. If the incident happened at home, workers must ensure that co-residents provide needed support: (for example, if paperwork is lost at home). All reported privacy incidents and breaches will be contained immediately to prevent further unauthorized collection, use, and/or disclosure of protected data.
The Incident Response Team must attempt to ascertain whether or not the breach was intentional. This must be documented in the Incident Report.
Once a privacy incident or breach has been appropriately contained, it is investigated by the Incident Response Team. The investigation will identify the information assets, individual(s)/organization(s), and IT systems and hardware involved in the incident or breach, as well as its root cause. The Incident Response Team will classify the incident or breach according to the classification system outlined in the KI Design Cybersecurity Incident Management Protocol. The classification will be noted in the Incident Report Log.
After classifying the incident or breach, the team will determine what immediate remediation activities need to occur, including additional containment activities and any internal or external communication.
Remediation activities, based on the results of the investigation, can include:
- Addressing the situation on a systemic basis (e.g., reviewing program procedures); and
If the investigation reveals that the incident or breach was intentional or caused by negligence, Human Resources policies will be applied.
4) Notification and Reporting
The Incident Response Team, in consultation with the Privacy Officer and CEO, will determine the best method for notifying the individual(s) whose privacy has been breached.
Breach notifications to affected individuals, for which the Incident Response Team is responsible, will provide details of the extent of the breach and the specifics of the issue, and advise affected individuals of the steps that have been or will be taken to address the breach, both immediate and long-term.
The KI Design Cybersecurity Incident Management Protocol offers more detailed guidance to senior management, in particular the members of the Incident Response Team.
5) Review and Prevention of Future Breaches
KI Design maintains a log of privacy incidents and breaches, and the recommendations emanating from investigations of these incidents and breaches. The log is used to provide regular reports to senior management on the number and nature of privacy incidents or breaches. A list of the data to be recorded in the log can be found in the KI Design Cybersecurity Incident Management Protocol.
All documentation related to identification, containment, investigation and remediation, communication, and notification of privacy incidents or breaches is securely retained by the Privacy Office. Incident and incident management must be recorded in the Incident Report Log.
CYBERSECURITY INCIDENT MANAGEMENT PROTOCOL
This Protocol contains the following:
- Incident Management
- Breach Management Procedure
- Incident Management Checklist
- Breach Classification (major, moderate, or minor)
- Breach Risk Assessment
- Incident Report Log
Incident and Breach Management – All activities related to managing risk (a privacy, security, or media incident). Any suspicious event is an incident. If the Privacy Officer deems the incident to be in breach of any of KI Design’s privacy or security policies, or any applicable laws, then it is considered a breach.
Information Security – The preservation of the confidentiality, integrity, and availability of sensitive information.
Notify – KI Design’s legal obligation to notify a personal information or personal health information owner or custodian and other third parties regarding a privacy or security incident.
Incident – An event that involves or potentially involves the unauthorized access, use, or disclosure of individual personal health information or individual and employee personal information within KI Design or a third party; e.g., personal information is stolen, lost, or mistakenly disclosed.
Breach – A breach is a contravention of KI Design privacy and security policies; including, but not limited to, unauthorized access and use of information without consent.
Reporting – Mandatory communication to agencies regarding KI Design incident occurrence, status, and remedial actions.
The Incident Response Team, which includes but is not limited to the Privacy Officer, will be assembled and will start managing the incident or breach. This involves classification and evaluation of the incident or breach (see Section 2 and 3). The severity and location of the incident will determine the roles, responsibilities, and participants of the response team.
Based on these discussions, the team will determine what immediate activities need to occur, including any internal or external communication. Management directives, notification activities, and other communications will be handled by the Incident Response Team.
Workers are expected to co-operate immediately and fully with the Incident Response Team and to make incident management activities an urgent priority. Workers must not share details of an incident externally, as this type of information could potentially pose a security risk to KI Design.
BREACH MANAGEMENT PROCEDURE
KI Design takes the privacy and security of protected data in its custody extremely seriously. In the event of a privacy breach, an internal investigation into the matter will be conducted. The objectives of the investigation are:
- Identification: Once an incident is identified, workers shall notify the Privacy Officer at firstname.lastname@example.org. The PSR will form the Incident Response Team based on the nature and type of the incident being reported. Upon notification of a privacy or security incident, the Privacy Officer will convene the Incident Response Team, which will investigate and respond following the Incident and Breach Management Procedure outlined in this section.
The Incident Response Team should use the Incident Management Checklist (below) to ensure that nothing is missed. If the incident is not a breach, the Incident Response Team should document the incident, and notify the lead/manager of the program area and the reporting person that the incident is closed.
- Containment: Ensure the immediate requirements of containment, and review the circumstances surrounding the breach. The Incident Response Team, led by the Privacy Officer or designate, will carry out containment activities, which may include:
- Suspending the unauthorized practice that resulted in the incident or breach;
- Recovering affected records;
- Shutting down the system that was breached, and taking any affected machines offline;
- Changing access codes;
- Update the credentials and passwords of authorized users (in case these were compromised by the breach);
- If third-party vendors were involved, changing their access privileges as required;
- Revoking access permanently or temporarily to a system; and,
- Contacting the police (if the breach involves theft or other criminal activity).
The breach must also be classified (see Breach Classification, below).
- Remediation: The Incident Response Team, possibly assisted by outside third party/ies will remediate and close any security or privacy gaps. Breach remediation procedures are as follows:
- Retrieve the hard copies of any protected data that has been disclosed;
- Ensure that no unauthorized copies of the protected data have been made or retained by the individual implicated in the incident, and obtain the person’s contact information in the event that follow-up is required; and,
- Determine whether the privacy breach would allow unauthorized access to any other protected data (e.g., the electronic information system) and take whatever necessary steps are appropriate (e.g., change passwords and identification numbers, and/or temporarily shut down a system).
While remediation activities are ongoing, the Incident Response Team must evaluate the risk impact of the breach based on the Breach Risk Assessment Tool (below).
- Notification and Reporting: The Incident Response Team will co-ordinate all notification and reporting actions. Management directives, notification activities, and other communications will be handled by the Incident Response Team.
Communications to workers: The Incident Response Team will notify workers based on the agreed-upon notification and reporting actions.
Notifying Individuals: Breach notifications to affected individuals, for which the Incident Response Team is responsible, will provide details of the extent of the breach and the specifics of the issue, and advise affected individuals of the steps that have been or will be taken to address the breach, both immediate and long-term. The Incident Response Team will decide the method of communication (phone, email, or website communication) and the contents of the message.
Breach Reporting: The Privacy Officer will report the breach to the KI Design CEO.
- Review and Prevention of Future Breaches: Assess the adequacy of existing policies and procedures in safeguarding protected data to avoid further incidents in the future. Improve KI Design’s privacy and security posture by learning from incidents.
INCIDENT MANAGEMENT CHECKLIST
The Incident Response Team is responsible for completing the following privacy incident or breach activities, where applicable:
|Send initial email containing: Schedule for initial conference call Details of incident Composition of the Incident Response Team|
|Identify and assemble the Incident Response Team|
|Categorize incident (major, moderate, or minor)|
|Identify containment measures|
|Identify internal communication requirements|
|Identify external communication requirements|
|Schedule follow-up calls as needed|
|Contact authorities regarding illegal, criminal, or other unlawful activity (if applicable)|
|Complete incident/breach report|
BREACH CLASSIFICATION (MAJOR, MODERATE, OR MINOR)
Classifying a breach is a subjective activity. The Privacy Officer will consider factors such as:
- Actual or potential harm;
- Incident scope and duration;
- Nature of required containment measures, if any;
- Root cause; and
- Sensitivity of information involved.
Examples of incident classification:
|Single instance of disclosing de-identified information inappropriately due to human error||Minor||• Not personal information |
• No harm to individuals or KI Design clients
• Not recurring
• Not an application error
|Malware infection on a single computer that was successfully contained||Minor||• Not widespread |
• No harm to KI Design’s systems or information
|Disseminating information by other than approved methods||Minor||• Information was successfully disseminated to the correct individual |
• No harm to individuals or KI Design clients
• Not recurring
• Not an application error
|Folder containing personal information or personal health information is mislaid; no highly sensitive data involved||Moderate||• Breach was not intentional (or was intentional, but only a few records were affected) |
• No foreseeable harm
• Limited number of individuals affected
• Rules of immediate reporting do not apply
|Any privacy breach or security breach||Major||• By definition, all privacy and security breaches are considered major incidents|
|An application error resulting in disclosure of electronic reports to the wrong facility||Major||• Potential harm to individuals or KI Design clients |
• Potentially widespread
• Containment generally requires shutting down systems
BREACH RISK ASSESSMENT
The purpose of the following Privacy Breach Risk Assessment Tool is to enable KI Design to assess the impact of a privacy breach and the likelihood that harm will stem from it. This assessment consists of two steps.
INCIDENT REPORT LOG
The KI Design Privacy Office will record and log each incident or breach report, investigation, and subsequent action. The log will include:
- Category/Classification (e.g., personal health information breach, security incident)
- Notification Date
- Extent of the incident (what happened)
- Nature of data involved (what information was involved or compromised)
- Management notice date
- Containment measures
- Containment date
Include if applicable:
- Third party notice date
- Investigation start date (for privacy breaches)
- Investigation complete date
- Investigation recommendation(s)
- Manner investigation recommendation(s) addressed
- Date recommendation(s) addressed
Depending on the findings from the investigation and at its discretion, the Privacy Officer will notify the CEO and potentially the executive team.