Security Incident Response Policy

1. Introduction

Cyber security incidents are a significant risk to Technical Director Ltd (the "company"). This policy describes how to recognise a breach, who to report it to and what happens next. Cyber breaches are becoming more common and more expensive to fix. Responding as fast as possible is key, so please read this document and keep it to hand for when it is needed.

2. Who should you contact if you think there has been a cyber security incident?

The person primarily responsible for coordinating the company's response to a cyber security incident is the Technical Director (the "incident coordinator").

3. What might indicate that there has been a breach?

The following may indicate that a cyber security breach has occurred:
  • you have made a mistake, clicked on a link you shouldn’t have, or your device anti-virus software or browser is reporting that malware has been detected;
  • an inability to access data or devices, or unusual behaviour, possibly accompanied by a ransom message;
  • spikes in network traffic, database requests, or the size of HTML responses (which may be observed by the IT team); and
  • employees that you know are not present have accessed or edited files.

4. What do I do if I make a mistake?

If you have made a mistake that may have caused a cyber security breach then the most important thing is time:
  • do not attempt to solve the problem by yourself;
  • you must report the problem to the incident coordinator immediately;
  • you will need to be able to tell them which device is involved, how it is connected to the company's IT systems, and what company data it contains;
  • if you made a mistake using your own computer or phone, while it is connected to the company's systems, or contains the company's data, you must still contact the incident coordinator for support; and
  • making a mistake is not system misuse, but failing to report one is.

5. I'm the incident coordinator, who do I notify, what are their roles?

If you notice a cyber security breach indicator, or have made a mistake, contact the incident coordinator. The following people should be notified by the incident coordinator if the breach is confirmed:
  (a) the data protection officer: the Technical Director;
If the cyber security breach includes personal data then the Information Commissioner's Office may need to be informed, typically within 72 hours. Data subjects may also need to be informed.

6. What are the responsibilities of the members of the incident response team?

Technical incident response personnel should establish:
  • what has happened;
  • which parts of which systems are affected;
  • which machines should be disconnected;
  • what needs to be done to remove any malware; and
  • what feedback the company needs to improve its security in future.

The data protection officer should first establish whether personal data has been compromised, and if so, how much.

The Technical Director should communicate with technical teams to obtain support and ensure that these teams know what evidence they must collect to document the incident.

Communications should begin preparing communications to employees, customers and the ICO about the ongoing incident – a "well handled" breach, in the eyes of customers, will be a well-communicated breach.

Communications have to be available as soon as senior management require them, and employees need to know that they must not otherwise disclose information about the incident.

Senior management should collect enough information to make strategic decisions during the incident.

Operations managers for processes impacted by the loss of IT systems should:
  • provide information to the technical team about critical systems, so that choices can be made to reduce risk based on the need for availability; and
  • provide information to senior management to allow them to make strategic decisions.