Data Security Breach Incident Response Plan

BluB0X Security Data Security Breach Incident Response Plan

This plan outlines the steps to follow in the event secure data is compromised and identifies and describes the roles and responsibilities of the Incident Response Team. The Incident Response Team is responsible for putting the plan into action. 

Incident Response Team 

The Incident Response Team is established to provide a quick, effective and orderly response to computer-related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breach of personal information, and other events with serious information security implications. The Incident Response Team’s mission is to prevent a serious loss of profits, public confidence or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks or databases. The Incident Response Team is authorized to take appropriate steps deemed necessary to contain, mitigate or resolve a computer security incident. The Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings to management and the appropriate authorities as necessary. The Chief Information Security Officer will coordinate these investigations. The Incident Response Team will subscribe to various security industry alert services to keep abreast of relevant threats, vulnerabilities or alerts from actual incidents.

Incident Response Team Members

Each of the following members will have a primary role in incident response. 

•  Senior VP of Engineering/CISO

•  VP of Engineering

•  Vice President Finance and Administration

•  Information Technology Service Request Desk

 

Each of the following members may provide supporting roles during incident response. 

•  Information Technology Systems Administrator / Security Analyst

•  Information Technology Windows Systems Administrator

•  Information Technology Senior Engineer

Incident Response Team Roles and Responsibilities

Information Technology Service Request Desk

•  Central point of contact for all computer incidents 

•  Notifies Chief Information Security Officer to activate computer incident response team 

 

Information Technology Director / Information Technology Assistant Director

•  Determines the nature and scope of the incident 

•  Contacts qualified information security specialists for advice as needed 

•  Contacts members of the Incident Response Team 

•  Determines which Incident Response Team members play an active role in the investigation 

•  Provides proper training on incident handling 

•  Escalates to executive management as appropriate 

•  Contacts auxiliary departments as appropriate 

•  Monitors progress of the investigation 

•  Ensures evidence gathering, chain of custody, and preservation is appropriate 

•  Prepares a written summary of the incident and corrective action taken 

 

Senior Engineer

•  Analyzes network traffic for signs of denial of service, distributed denial of service, or other external attacks 

•  Runs tracing tools such as sniffers, Transmission Control Protocol (TCP) port monitors, and event loggers 

•  Looks for signs of a firewall breach 

•  Contacts external Internet service provider for assistance in handling the incident 

•  Takes action necessary to block traffic from suspected intruder 

 

Security Analyst

•  Monitors business applications and services for signs of attack 

•  Reviews audit logs of mission-critical servers for signs of suspicious activity 

•  Collects pertinent information regarding the incident at the request of the Chief Information Security Officer 

 

Windows Operating Systems Administrators

•  Ensures all service packs and patches are current on mission-critical computers

•  Ensures backups are in place for all critical systems 

•  Examines system logs of critical systems for unusual activity 

Incident Response Team Notification

The Information Technology Service Request Desk will be the central point of contact for reporting computer incidents or intrusions. The Service Request Desk will notify the Chief Information Security Officer (CISO). All computer security incidents must be reported to the CISO. The CISO will perform a preliminary analysis of the incident to determine whether Incident Response Team activation is appropriate.

Types of Incidents 

There are many types of computer incidents that may require Incident Response Team activation. Some examples include:

•  Breach of Personal Information

•  Denial of Service / Distributed Denial of Service

•  Excessive Port Scans

•  Firewall Breach

•  Virus Outbreak

Breach of Personal Information - Overview 

This Incident Response Plan outlines steps our organization will take upon discovery of unauthorized access to personal information on an individual that could result in harm or inconvenience to the individual such as fraud or identity theft. The individual could be either a customer or employee of our organization. 

Personal information is information that is, or can be, about or related to an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Most information the organization collects about an individual is likely to be considered personal information if it can be attributed to an individual. 

For our purposes, personal information is defined as an individual’s first name or first initial and last name, in combination with any of the following data: 

•  Personal Contact Information, including email address

•  Home address

•  Medical or health information 

Definitions of a Security Breach

A security breach is defined as the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by us. Good faith acquisition of personal information by an employee or agent of our company for business purposes is not a breach, provided that the personal information is not used or subject to further unauthorized disclosure. 

Requirements

Data owners must identify and document all systems and processes that store or utilize personal information on individuals. Documentation must contain system name, device name, file name, location, database administrator and system administrator (primary and secondary contacts for each). The business area and the IT development group must maintain the contact list of database and system administrators. 

Likewise, all authorized users who access or utilize personal information on individuals should be identified and documented. Documentation must contain user name, department, device name (i.e., workstation or server), file name, location, and system administrator (primary and secondary contacts). 

Data Owner Responsibilities

Data owners responsible for personal information play an active role in the discovery and reporting of any breach or suspected breach of information on an individual. In addition, they will serve as a liaison between the company and any third party involved with a privacy breach affecting the organization’s data. 

All data owners must report any suspected or confirmed breach of personal information on individuals to the CISO immediately upon discovery. This includes notification received from any third party service providers or other business partners with whom the organization shares personal information on individuals. The CISO will notify the appropriate administrator and data owners whenever a breach or suspected breach of personal information on individuals affects their business area. 

Note: For ease of reporting, and to ensure a timely response 24 hours a day, seven days a week, the Service Request Desk will act as a central point of contact for reaching the CISO. 

The CISO will determine whether the breach or suspected breach is serious enough to warrant full incident response plan activation (See “Incident Response” section.) The data owner will assist in acquiring information, preserving evidence, and providing additional resources as deemed necessary by the CISO, Legal or other Incident Response Team members throughout the investigation.

Departmental Manager Responsibilities

Departmental managers are responsible for ensuring all employees in their unit are aware of policies and procedures for protecting personal information.

If a breach or suspected breach of personal information occurs in their department, the department manager must notify the Service Request Desk immediately and open an incident report. (See “Incident Response” Section, Information Technology Service Request Desk.) 

Note: Education and awareness communication will be directed to all employees informing them of the proper procedures for reporting a suspected breach of personal information on an individual. 

When Notification Is Required

The following incidents may require notification to individuals under contractual commitments or applicable laws and regulations: 

•  A user (employee, contractor, or third party provider) has obtained unauthorized access to personal information maintained in either paper or electronic form.

•  An intruder has broken into database(s) that contain personal information on an individual.

•  Computer equipment such as a workstation, laptop, CD-ROM, or other electronic media containing personal information on an individual has been lost or stolen.

•  A department or unit has not properly disposed of records containing personal information on an individual.

•  A third party service provider has experienced any of the incidents above, affecting the organization’s data containing personal information.

The following incidents may not require individual notification under contractual commitments or applicable laws and regulations, provided that the organization can reasonably conclude after investigation that misuse of the information is unlikely to occur, and appropriate steps are taken to safeguard the interests of affected individuals:

•  The organization is able to retrieve personal information on an individual that was stolen, and based on our investigation, reasonably concludes that retrieval took place before the information was copied, misused, or transferred to another person who could misuse it.

•  The organization determines that personal information on an individual was improperly disposed of, but can establish that the information was not retrieved or used before it was properly destroyed.

•  An intruder accessed files that contain only individuals’ names and addresses.

•  A laptop computer is lost or stolen, but the data is encrypted and may only be accessed with a secure token or similar access device.

Incident Response – Breach of Personal Information 

Incident Response Team members must keep accurate notes of all actions taken, by whom, and the exact time and date. Each person involved in the investigation must record his or her own actions. 

Information Technology Service Request Desk

Contacts 

Office Phone: (844) 425-8209       

E-Mail: support@blub0x.com

Primary: Shaun Peterson

Alternate: Sean Dyer

1. The IT Service Request Desk will serve as a central point of contact for reporting any suspected or confirmed breach of personal information on an individual. 

2. After documenting the facts presented by the caller and verifying that a privacy breach or suspected privacy breach occurred, the IT Service Request Desk will open a Priority Incident Request. This will begin an automated notification process to immediately notify the Chief Information Security Officer. 

3. The IT Service Request Desk will contact the primary and secondary contacts in the Information Security Office. The IT Service Request Desk advises that a breach or suspected breach of personal information on an individual has occurred. After the Information Security Office analyzes the facts and confirms that the incident warrants incident response team activation, the Incident Request will be updated to indicate “Incident Response Team Activation – Critical Security Problem”. 

Chief Information Security Officer

Contacts       

Office Phone: 603-508-0447          

E-Mail: sdyer@blub0x.com

Primary: Chief Security Officer 

Alternate: VP of Engineering

1. When notified by the Service Request Desk, the CISO performs a preliminary analysis of the facts and assesses the situation to determine the nature and scope of the incident.

2.  Informs the Vice President of Finance and the Security Manager that a possible privacy breach has been reported and provides them an overview of the situation. 

3. Contacts the individual who reported the problem. 

4. Identifies the systems and type(s) of information affected and determines whether the incident could be a breach, or suspected breach of personal information about an individual. Every breach may not require participation of all Incident Response Team members (e.g., if the breach was a result of hard copy disposal or theft, the investigation may not require the involvement of system administrators, the firewall administrator, and other technical support staff). 

5. Reviews the preliminary details with the VP of Engineering. 

6. If a privacy breach affecting personal information is confirmed, Incident Response Team activation is warranted. Contact the Service Request Desk and advise them to update the Incident Request with “Incident Response Team Activation – Critical Security Problem”.

7.  Notify the Public Relations Department of the details of the investigation and breach. Keep them updated on key findings as the investigation proceeds. 

8.  The Information Security Team is responsible for documenting all details of an incident and facilitating communication to executive management and other auxiliary members as needed. 

9. Contact all appropriate database and system administrators to assist in the investigation effort. Direct and coordinate all activities involved with Incident Response Team members in determining the details of the breach. 

10. Contact appropriate Incident Response Team members and First-Level Escalation members.

11. Identify and contact the appropriate Data Owner affected by the breach. In coordination with the Vice President of Finance and Administration, the Security Manager and Data Owner, determine additional notification requirements (e.g., Human Resources, external parties). 

12. If the breach occurred at a third party location, determine if a legal contract exists. Work with the Business Office, the Security Manager and Data Owner to review contract terms and determine next course of action. 

13. Work with the appropriate parties to determine the extent of the potential breach. Identify data stored and compromised on all test, development and production systems and the number of individuals at risk. 

14. Determine the type of personal information that is at risk, including but not limited to: Name, Address, Social Security Number/Social Insurance Number, Account number, Cardholder name, Cardholder address, Medical and Health Information 

15. If personal information is involved, have the Data Owner determine who might be affected. Coordinate next steps with the Vice President of Finance and Administration, Security Officer and Public Relations (e.g., individual notification procedures). 

16. Determine if an intruder has exported, or deleted any personal information data. 

17. Determine where and how the breach occurred. Identify the source of compromise, and the timeframe involved. Review the network to identify all compromised or affected systems. Consider e-commerce third party connections, the internal corporate network, test and production environments, virtual private networks, and modem connections. Look at appropriate system and audit logs for each type of system affected. Look at directory and file permissions. Document all internet protocol (IP) addresses, operating systems, domain name system names and other pertinent system information.

18. Take measures to contain and control the incident to prevent further unauthorized access to or use of personal information on individuals, including shutting down particular applications or third party connections, reconfiguring firewalls, changing computer access codes, and modifying physical access controls. Change all applicable passwords for IDs that have access to personal information, including system processes and authorized users. If it is determined that an authorized user’s account was compromised and used by the intruder, disable the account. Do not access or alter the compromised system. Do not turn off the compromised machine. Isolate the system from the network (i.e., unplug cable). Change the wireless network Service Set Identifier (SSID) on the access point (AP) and other authorized devices that may be using the corporate wireless network.

19. Monitor systems and the network for signs of continued intruder access.

20. Preserve all system and audit logs and evidence for law enforcement and potential criminal investigations. Ensure that the format and platform used is suitable for review and analysis by a court of law if needed. Document all actions taken, by whom, and the exact time and date. Each employee involved in the investigation must record his or her own actions. Record all forensic tools used in the investigation. Note: Visa has specific procedures that must be followed for evidence preservation.

21. Notify the Vice President of Finance and Administration as appropriate. Provide a summary of confirmed findings, and of the steps taken to mitigate the situation. 

22. If an internal user (authorized or unauthorized employee, contractor, consultant, etc.) was responsible for the breach, contact the appropriate Human Resource Manager for disciplinary action and possible termination. In the case of contractors, temporaries, or other third-party personnel, ensure discontinuance of the user's service agreement with the company.

Customer Database Owners

Contacts

Office Phone: (844) 425-8209         

E-Mail: sgoldshmid@blub0x.com

Primary:  Simon Goldshmid

Alternate:  Robert Domings

1. If the Data Owner hears of or identifies a privacy breach, contact the Service Request Desk to ensure that the CISO and other primary contacts are notified.

2. The Data Owner will assist the CISO as needed in the investigation.

Process Steps

1. Monitor access to customer database files to identify and alert any attempts to gain unauthorized access. Review appropriate system and audit logs to see if there were access failures prior to or just following the suspected breach. Other log data should provide information on who touched what file and when. If applicable, review security logs on any non-host device involved (e.g., user workstation).

2. Identify individuals whose information may have been compromised. An assumption could be “all” if an entire table or file was compromised.

3. Secure all files and/or tables that have been the subject of unauthorized access or use to prevent further access. 

4. Upon request from the CISO, provide a list of affected individuals, including all available contact information (e.g., address, telephone number, email address).
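The audit-log review in step 1 above, as an added example that is not part of the BluB0X plan: it parses a constructed log format (timestamp, user, ALLOW/DENY, action, path), collects access failures in a window around the suspected breach time, lists who touched which customer-data file and when, and flags log deletions that would hinder later evidence preservation. The log format, paths and sample lines are all assumptions constructed for this example.

```python
"""Review audit-log entries around a suspected breach (Process Steps, step 1).

Added example, not BluB0X code. The log format below is constructed:
  <ISO-8601 UTC timestamp> <user> <ALLOW|DENY> <READ|WRITE|DELETE> <path>
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
2024-03-05T01:58:10Z jdoe DENY READ /data/customers/accounts.db
2024-03-05T01:58:14Z jdoe DENY READ /data/customers/accounts.db
2024-03-05T01:58:20Z jdoe DENY READ /data/customers/accounts.db
2024-03-05T02:03:41Z svc_backup ALLOW READ /data/customers/accounts.db
2024-03-05T02:07:09Z jdoe ALLOW READ /data/customers/accounts.db
2024-03-05T02:09:55Z jdoe ALLOW WRITE /tmp/export.csv
2024-03-05T02:10:30Z jdoe ALLOW DELETE /var/log/app/audit.1
2024-03-05T09:15:00Z mlee ALLOW READ /data/customers/contacts.db
"""

PERSONAL_DATA_PREFIX = "/data/customers/"  # assumed location of customer files


def parse_log(text):
    """Parse constructed log lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, result, action, path = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append({"time": when, "user": user, "result": result,
                        "action": action, "path": path})
    return entries


def review_window(entries, suspected_at, before=timedelta(minutes=15),
                  after=timedelta(minutes=15)):
    """Summarize events in [suspected_at - before, suspected_at + after]."""
    start, end = suspected_at - before, suspected_at + after
    window = [e for e in entries if start <= e["time"] <= end]
    # Access failures just before or after the breach, counted per user and file.
    failures = defaultdict(int)
    for e in window:
        if e["result"] == "DENY":
            failures[(e["user"], e["path"])] += 1
    # Who touched which customer-data file, and when.
    touches = [(e["time"].isoformat(), e["user"], e["action"], e["path"])
               for e in window
               if e["result"] == "ALLOW" and e["path"].startswith(PERSONAL_DATA_PREFIX)]
    # Deleting logs in the window undermines evidence preservation, so flag it.
    log_tampering = [(e["user"], e["path"]) for e in window
                     if e["action"] == "DELETE" and "/log/" in e["path"]]
    return {"failures": dict(failures), "touches": touches, "log_tampering": log_tampering}


def sample_report():
    """Run the review over the constructed log with an assumed breach time of 02:07 UTC."""
    suspected = datetime(2024, 3, 5, 2, 7, tzinfo=timezone.utc)
    return review_window(parse_log(SAMPLE_LOG), suspected)


if __name__ == "__main__":
    report = sample_report()
    for (user, path), n in report["failures"].items():
        print(f"{n} access failure(s) by {user} on {path}")
    for when, user, action, path in report["touches"]:
        print(f"{when} {user} {action} {path}")
    for user, path in report["log_tampering"]:
        print(f"log deletion by {user}: {path}")
```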

Human Resources

Contacts                   

Office Phone: (844) 425-8209 ext. 703

E-Mail: patdecav@blub0x.com

Primary: Patrick de Cavaignac

Alternate:  Michael Araujo

1.  If notified of a privacy breach affecting employee personal information, open an incident request with the IT Service Request Desk to activate the Incident Response Plan for suspected privacy breach. 

2.  When notified by the Information Security Office that the privacy breach incident response plan has been activated for a breach of information on an individual, perform a preliminary analysis of the facts and assess the situation to determine the nature of the incident. 

3.  Work with the IT Service Request Desk, CISO and business area to identify the extent of the breach. 

4.  If appropriate, notify the business area that a breach has been reported and is under investigation.

5.  Work with the business area to ensure there is no further exposure to privacy breaches. 

6.  Work with the CISO and Legal Department to determine if the incident warrants further action. 

Public Relations

Contacts       

Office Phone: (844) 425-8209

E-Mail: Jtrejo@blub0x.com

Primary:  Jesica Trejo

Alternate:  Ed O’Callaghan

Ongoing:

1.  Monitor consumer privacy issues and practices of other companies.

2.  Monitor consumer privacy breaches of other companies and how they respond. 

3.  Keep generic/situational talking points current. 

 

When Privacy Breach Occurs: 

1.  After confirmation that a breach of personal information about individuals has occurred, notify the Public Relations Director. 

2.  Coordinate with the Vice President of Finance and Administration and Legal on the timing, content and method of notification. Prepare and issue press release or statement, if needed. 

 

Vehicles for communicating include:

a.  News wire services 

b.  Online Sales web site – Post statement on home page or conspicuous location of website. 

c.  Internal Website – If appropriate for breach of employee information 

d. E-mail 

e. News conference – If privacy breach should reach a national and/or crisis level, coordinate brief news conference at headquarters or appropriate location. 

i. Appoint appropriate spokesperson 

ii. Prepare statement and, if necessary, potential Q & A. 

iii. Coach spokesperson on statement and potential Q & A. 

iv. Invite select media to attend and cover organization’s proactive message. 

v. Use conference as a platform for communicating who the breach involves, what the organization is doing to correct the breach, how it happened, and the organization’s apology together with reassurance about its privacy policies.

3. Prepare appropriate response to media, customer, and/or employee, and obtain CPO and Legal Department approval prior to distribution.

4.  Proactively respond to media inquiries, if necessary.

5.  Monitor media coverage and circulate accordingly. 
