Incident Response & Breach Notification Policy

Document Version & Control

  • Version: 1.0
  • Last Review Date: 6 Jan 2025
  • Next Review Date: [12 months from last review or upon significant changes]
  • Approver: DPO, CTO

Purpose & Scope
This policy establishes the process for identifying, responding to, and notifying stakeholders of security incidents and data breaches. It applies to all personnel, including employees, contractors, and third-party service providers who support or maintain our systems and data. The scope includes all systems hosted on AWS, Digital Ocean, and any integrated third-party services. It covers both potential and confirmed incidents that may affect the confidentiality, integrity, or availability of systems and data, as well as any event where regulated personal data may have been accessed or compromised.

Compliance & References

  • Standards & Frameworks:
    • ISO 27001: A.16 (Information Security Incident Management)
    • NIST SP 800-61 (Computer Security Incident Handling Guide)
    • SOC 2 Trust Services Criteria (Security, Availability)
  • Regulations:
    • PDPA (Singapore)
    • GDPR (if applicable)
  • Related Internal Policies:
    • Information Security Policy
    • Data Management & Database Policies
    • Encryption & Key Management Policy
    • Authentication & Access Control Policy
    • Logging & Audit Trail Policy (to be drafted)
    • Business Continuity & Disaster Recovery Policies (to be drafted)

Roles & Responsibilities

  • DPO: Oversees the incident response process, authorizes breach notifications, ensures regulatory compliance, and leads communication with authorities.
  • CTO: Provides technical oversight, coordinates resources for containment and recovery, and supports investigation efforts.
  • Incident Response (IR) Team: Consists of the DPO, CTO, and Lead Engineer. Responsible for detecting, analyzing, containing, eradicating, and recovering from incidents.
  • Legal & Compliance Officer: Advises on regulatory notification requirements and assists with breach reporting to authorities and clients.
  • Employees & Contractors: Must report suspected or confirmed incidents immediately to the IR Team via designated communication channels.

Incident Definitions & Classification

  1. Security Incident:
    An event or suspected event that could compromise the confidentiality, integrity, or availability of our systems or data. Examples include unauthorized access, malware infections, insider threats, or anomalies detected by security tools.

  2. Data Breach:
    A confirmed security incident where sensitive or regulated data (e.g., applicant CVs, PII) has been accessed, disclosed, altered, or destroyed without authorization.

  3. Severity Levels:

    • Low: Minor issues with limited or no impact on sensitive data or system availability.
    • Medium: Potential compromise of internal systems or limited sensitive data exposure.
    • High: Confirmed compromise of sensitive data, widespread system outages, or regulatory notification required.

Incident Response Phases

  1. Preparation:
    • Maintain an up-to-date incident response plan, tools, and contact lists.
    • Conduct periodic training, tabletop exercises, and simulations.
    • Ensure logging, monitoring, and security controls are active and effective.
  2. Detection & Reporting:
    • Detect incidents through logs, alerts, vulnerability scans, user reports, or third-party notifications.
    • Immediately report suspected incidents to the IR Team (DPO, CTO, Lead Engineer) via designated communication channels (e.g., email alias, internal ticketing system).
  3. Analysis & Triage:
    • The IR Team analyzes the incident report, determines severity, and prioritizes response.
    • Contain the incident to prevent further damage (e.g., isolate affected hosts, block malicious IPs, revoke compromised credentials).
  4. Containment, Eradication & Recovery:
    • Implement short-term containment measures to stop ongoing attacks.
    • Identify root causes and eradicate malicious code or unauthorized access.
    • Restore systems from clean backups, verify data integrity, and apply necessary patches or configuration changes.
  5. Notification & Communication:
    • Once a data breach is confirmed, the IR Team informs the DPO and CTO. The Legal & Compliance Officer advises on notification requirements.
    • Notify affected clients within 7 days, as previously established in related policies.
    • Notify regulatory authorities (e.g., PDPC) as soon as practicable. If no specific timeframe is mandated, aim to notify within 72 hours of confirming a breach involving personal data.
  6. Post-Incident Review & Lessons Learned:
    • Conduct a post-incident review within 2 weeks of incident resolution.
    • Identify root causes, assess the effectiveness of the response, and recommend improvements.
    • Update policies, controls, and training based on lessons learned.

Breach Notification Requirements

  1. Regulatory Notifications:
    • PDPA and other applicable regulations may require prompt notification to authorities. In the absence of a legally mandated timeframe, strive to notify relevant authorities (e.g., PDPC) within 72 hours of confirming a personal data breach.
    • If GDPR applies, notify the relevant Data Protection Authority within their mandated timeframe (typically 72 hours) of identifying a breach involving EU data subjects.
  2. Client & Stakeholder Notifications:
    • Notify affected clients within 7 days of confirming a data breach.
    • Provide clear, concise information on the nature of the breach, affected data, mitigation steps taken, and any recommended actions.
  3. Public Communication:
    • If deemed necessary by the DPO and CTO, and with guidance from Legal & Compliance, prepare a public statement.
    • Maintain transparency while adhering to legal advice, and ensure that no sensitive details that could further compromise security are disclosed.

Documentation & Evidence Preservation

  • Record-Keeping:
    • Document all steps taken during incident detection, containment, eradication, and recovery.
    • Maintain incident logs, chain-of-custody records, and communication records for audit and legal review.
  • Forensic Analysis:
    • While we do not engage external forensic experts or law enforcement by default, preserve relevant logs, system images, and artifacts.
    • Follow chain-of-custody procedures for potential future legal proceedings.

Compliance & Audit

  • Internal & External Audits:
    • Support audits that evaluate the effectiveness of incident response and breach notification processes.
    • Address any audit findings promptly.
  • Policy Exceptions:
    • Document and approve any exceptions to this policy through a formal risk acceptance process overseen by the DPO and CTO.

Training & Awareness

  • Regular Training:
    • Conduct annual incident response training for the IR Team and relevant technical staff.
    • Include incident reporting procedures in general security awareness training for all employees.

Policy Review & Maintenance

  • Review Cycle:
    • Review this policy at least annually or after any major incident that tests its effectiveness.
    • Update the policy, procedures, and controls based on evolving threats, regulatory changes, or lessons learned from incidents and exercises.

Copyright © 2024. All Rights Reserved by TechKnowledgey Pte Ltd.