Incident Response Plan

CompanyHub has developed this Information Security Incident Response Plan to implement its incident-response processes and procedures effectively, and to ensure that CompanyHub employees understand them. The intent of this document is to:

• Describe the process of responding to an incident,
• Educate employees, and
• Build awareness of security requirements.

An incident response plan brings together and organizes the resources for dealing with any event that harms or threatens the security of information assets. Such an event may be a malicious code attack, unauthorized access to information or systems, the unauthorized use of services, a denial of service attack, or a hoax. The goal is to facilitate quick and efficient response to incidents, and to limit their impact while protecting the state’s information assets. The plan defines roles and responsibilities, documents the steps necessary for effectively and efficiently managing an information security incident, and defines channels of communication. The plan also prescribes the education needed to achieve these objectives.

Terms and Definitions

Asset: Anything that has value to the CompanyHub

Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature

Incident: A single or a series of unwanted or unexpected information security events (see definition of “information security event”) that result in harm, or pose a significant threat of harm to information assets and require non-routine preventive or corrective action.

Incident Response Plan: A written document that states the approach to addressing and managing incidents.

Incident Response Policy: A written document that defines organizational structure for incident response, defines roles and responsibilities, and lists the requirements for responding to and reporting incidents.

Incident Response Procedures: Written document(s) of the series of steps taken when responding to incidents.

Incident Response Program: Combination of incident response policy, plan, and procedures. Information: Any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, including electronic, paper and verbal communication.

Information Security: Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

Information Security Event: An observable, measurable occurrence in respect to an information asset that is a deviation from normal operations.

Threat: A potential cause of an unwanted incident, which may result in harm to a system or CompanyHub

Roles and Responsibilities

An incident response team analyzes information, discusses observations and activities, and shares important reports and communications across CompanyHub. The amount of time spent on any one of these activities depends on one key question: Is this a time of calm or crisis? When not actively investigating or responding to a security incident, the team should meet at least quarterly, to review current security trends and incident response procedures. The more information that an incident response team can provide to the executive staff, the better, in terms of retaining executive support and participation when it’s especially needed (during a crisis or immediately after). The roles of various team members are listed below:

• Chief Security Officer
  Manages the overall incident response process

• Team Leader
  Drives and coordinates all incident response team activity, and keeps the team focused on minimizing damage, and recovering quickly.

• Lead Investigator
  Collects and analyzes all evidence, determines root cause, directs the other security analysts, and implements rapid system and service recovery.

• Communications Lead
  Leads the effort on messaging and communications for all audiences, inside and outside of the company.

Incident Response Steps:

Information security incidents will be communicated in a manner allowing timely corrective action to be taken. This plan shows how CompanyHub will handle response to an incident, incident communication, incident response plan testing, training for response resources and awareness training. The Information Security Incident Response Policy, Plan, and procedures will be reviewed if significant changes occur to ensure their continuing adequacy and effectiveness. Each will have an owner who has approved management responsibility for its development, review, and evaluation. Reviews will include assessing opportunities for improvement and approach to managing information security incident response in regards to integrating lessons learned, to changes to CompanyHub’s environment, new threats and risks, business circumstances, legal and policy implications, and technical environment.

Identification

Identification of an incident is the process of analyzing an event and determining if that event is normal or if it is an incident. An incident is an adverse event and it usually implies either harm, or the attempt to harm CompanyHub. Events occur routinely and will be examined for impact. Those showing either harm or intent to harm may be escalated to an incident. Chief security officer is responsible for identifying the incident. He connects with the reporter through chat/call/email or personally if reporter is one of the employees of CompanyHub, understands what the reporter wants to say and determines whether we can take this report as an incident. Once the incident is identified, the users are notified on Chat and public status page at https://status.companyhub.com

The term “incident” refers to an adverse event impacting one or more CompanyHub’s information assets or to the threat of such an event Examples include but are not limited to the following:

• Unauthorized use
• Denial of Service
• Malicious code
• Network system failures (widespread)
• Application system failures (widespread)
• Unauthorized disclosure or loss of information
• Information Security Breach
• Other

Incidents can result from any of the following:

• Intentional and unintentional acts
• Actions of third parties
• External or internal acts
• Potential violations of CompanyHub’s Policies
• Natural disasters and power failures
• Acts related to violence, warfare or terrorism
• Other

Triage & Investigation

The objective of the triage process is to gather information, assess the nature of an incident and begin making decisions about how to respond to it. It is critical to ensure when an incident is discovered and assessed the situation does not become more severe. Lead investigator is responsible for triage step. The team lead needs answers to the following questions:

• What type of incident has occurred?
• Who is involved?
• What is the scope?
• What is the urgency?
• What is the impact thus far?
• What is the projected impact?
• What can be done to contain the incident?
• Are there other vulnerable or affected systems?
• What are the effects of the incident?
• What actions have been taken?
• Recommendations for proceeding
• May perform analysis to identify the root cause of the incident

Incident Classification & Escalation

Once an event is determined to be an incident, several methods exist for classifying incidents. The incident team lead is responsible for classification of the incident. Once classified, responsible developers/people are notified for escalation. The following factors are considered when evaluating and classifying incidents:

• Criticality of systems that are (or could be) made unavailable
• Value of the information compromised (if any)
• Number of people or functions impacted
• Business considerations
• Public relations
• Enterprise impact
• Multi-tenant scope

Based on the impact of the incident and the amount of work our teams think it will take to resolve, we assign issues with one of the following severity levels:

• Severity 1
  A critical incident with very high impact for example, a customer-facing service, like Email Scheduling Service, is down for all customers, confidentiality or privacy is breached, Customer data loss.

• Severity 2
  A major incident with significant impact for example, a customer-facing service is unavailable for a subset of customers. Core functionality (e.g. record create, edit, delete) is significantly impacted.

• Severity 3
  A minor incident with low impact, for example, a minor inconvenience to customers, workaround available.Usable performance degradation.

Threat/Vulnerability Eradication

After an incident, efforts will focus on identifying, removing and repairing the vulnerability that led to the incident and thoroughly clean the system. To do this, the vulnerability(s) needs to be clearly identified so the incident isn’t repeated. The goal is to prepare for the resumption of normal operations with confidence that the initial problem has been fixed.

Confirm that Threat/Vulnerability has been Eliminated

After the cause of an incident has been removed or eradicated and data or related information is restored, it is critical to confirm all threats and vulnerabilities have been successfully mitigated and that new threats or vulnerabilities have not been introduced.

Resumption of Operations (only in complete system failures)

Resuming operations is a business decision, but it is important to conduct the preceding steps to ensure it is safe to do so.

Communications

Through each step of the incident response, all the findings are made public on our status page at https://status.companyhub.com and the affected users are notified by email and chat. Communications lead is responsible for communicating openly with the affected users.

Lessons Learnt and Improvements

An after-action analysis will be performed for all incidents. The analysis may consist of one or more meetings and/or reports. The purpose of the analysis is to give participants an opportunity to share and document details about the incident and to facilitate lessons learned. The meetings should be held within one week of closing the incident to discuss what could be done to prevent this kind of incident in the future.