Contents
- Definitions
- 1. Policy Statement
- 2. Roles and Responsibilities
- 3. Incident Reporting
- 4. Incident Response
- 5. Incident Investigation and Analysis
- 6. Communication and Reporting
- 7. Remediation and Recovery
- 8. Continuous Improvement
- 9. Employee Awareness and Training
- 10. Compliance
- 11. Policy Review
Definitions
Cyber Security Event: Any incident or activity that potentially compromises the security of our information systems, networks, or data, including but not limited to unauthorized access attempts, malware infections, data breaches, phishing attacks, and system disruptions.
Relevant documents
1) Senior Executive Cybersecurity Roles and Responsibilities Policy
2) Data Breach Response and Notification Procedure
4) Disaster Recovery and Business Continuity Plan
1. Policy Statement
The purpose of this policy is to establish guidelines and procedures for the identification, reporting, handling, and resolution of cyber security events within IRIS Connect. This policy aims to minimize the impact of cyber security incidents, protect sensitive information and assets, and maintain the confidentiality, integrity, and availability of our systems and data.
2. Roles and Responsibilities
The effective detection of cybersecurity events requires a clear definition of roles and responsibilities. The roles, with their respective responsibilities under this Cyber Security Event Policy, are set out below.
- Executive Management
- Ensure that the organization's strategic direction aligns with the requirements for detecting cybersecurity events.
- Support and allocate resources for the necessary cybersecurity tools and staff training.
- Technology Director (TD)
- Responsible for overall cybersecurity of the organization, including the establishment and implementation of the Cyber Security Event Policy.
- Ensure all cybersecurity detection roles are clearly defined and effectively implemented.
- Regularly report to executive management on the organization’s cybersecurity status.
- Incident Response Team (IRT)
- Accountable for the day-to-day detection of cybersecurity events.
- Continuously monitor systems and networks for signs of incidents or breaches.
- Follow the established process for escalating and reporting detected cybersecurity events.
- IT Department
- Implement and manage the technical controls and systems used to detect cybersecurity events.
- Collaborate with the IRT to respond to detected cybersecurity events.
- Regularly update and patch systems to minimize vulnerabilities.
- Human Resources (HR)
- Ensure staff are aware of their roles in detecting cybersecurity events.
- Collaborate with the CISO to develop training and awareness programs related to cybersecurity detection.
- All Employees
- Remain vigilant and report any unusual activities or system behavior to the IRT.
- Complete all required cybersecurity awareness and training programs.
- Comply with all organization policies related to cybersecurity.
- Audit and Compliance Team
- Ensure all activities related to the detection of cybersecurity events are compliant with regulatory requirements.
- Perform regular audits to verify the effectiveness of cybersecurity detection controls and processes.
3. Incident Reporting
3.1. All employees and contractors must promptly report any suspected or confirmed cyber security events to the designated incident response team or IT department.
3.2. Reports should include relevant details such as date, time, description of the event, affected systems or data, and any supporting evidence or information.
3.3. Incidents are recorded in Podio.
4. Incident Response
4.1. The incident response team or IT department will promptly assess and classify reported cyber security events based on their severity and potential impact.
4.2. Appropriate response actions will be taken, including containment, eradication, recovery, and communication, in accordance with established incident response procedures.
5. Incident Investigation and Analysis
5.1. The incident response team or IT department will conduct thorough investigations to determine the root cause and extent of cyber security events.
5.2. Technical analysis, forensics, and log reviews may be performed to gather evidence and identify vulnerabilities or weaknesses to prevent future incidents.
6. Communication and Reporting
6.1. Regular communication and updates will be provided to relevant stakeholders, including management, affected parties, legal, regulatory authorities, and law enforcement agencies as required by applicable laws and regulations.
6.2. Incident reports and post-incident reviews will be documented to capture lessons learned, remediation measures, and recommendations for improving cyber security practices.
7. Remediation and Recovery
7.1. The incident response team or IT department will coordinate with relevant teams to implement necessary remediation measures and restore affected systems and data to their normal operational state.
7.2. Patching, system updates, password resets, network reconfigurations, and other appropriate measures will be implemented to prevent similar incidents.
8. Continuous Improvement
8.1 Detection Processes
8.1.1 Vulnerability scanning will be performed at least annually.
8.1.2 Firewall and antivirus endpoint protection systems must be used to monitor the network for unauthorised activity.
8.1.3 Personnel Monitoring
User activity monitoring tools and technologies are used to track the actions of personnel across our systems, networks, and applications. These tools capture user activities such as login/logout events, providing detailed visibility into user actions.
Endpoint monitoring is performed using ESET, which is installed on all employee workstations.
8.1.4 Baseline Setting
An array of tools is used to monitor for deviations from the baselines and, when they occur, either alert the Cloud Services team or take automated action as necessary.
8.1.5 Network Monitoring
We make use of systems that monitor all inbound requests to the application and throttle or block requests when certain criteria are met.
8.1.6 Unauthorised Activity Monitoring
Firewall and antivirus endpoint protection systems monitor the network for unauthorised activity, such as unauthorised personnel, connections, devices, and software.
8.1.7 Malicious Code
Company Network: ESET prevents any external media from being run automatically, and any known dangerous executables or blacklisted websites are blocked.
Product: Within the platform, users are restricted from uploading certain file types, and dangerous code is sanitised and not actioned.
8.2 Testing of Detection Processes
8.2.1 Conducting Regular Testing
Our detection processes are tested regularly to ensure their effectiveness.
8.2.2 Test Review and Analysis
Following each test, the IRT conducts a thorough review and analysis of the test results. This includes identifying any failures or weaknesses in the detection processes, and formulating plans to address these.
8.2.3 System Updates and Adjustments
Based on the findings from the test review and analysis, the IRT and IT Department will make necessary updates and adjustments to the detection processes. This could involve updating system configurations, fine-tuning detection algorithms, or enhancing user access controls.
8.2.4 Reporting and Documentation
All testing activities, findings, and actions taken are fully documented and reported to the CISO and executive management. This documentation helps to track progress over time, supports ongoing improvements to our detection capabilities, and demonstrates compliance with regulatory requirements.
This robust and systematic approach to testing our detection processes helps to ensure the timely and effective detection of cybersecurity events, enhancing the security of our information systems and data.
8.3 Lessons Learned
Lessons learned from cyber security events will be used to enhance security controls, policies, and procedures.
8.4 Regular Reviews
Reviews and updates of this policy and associated incident response plans will be conducted to align with evolving threats and industry best practices.
9. Employee Awareness and Training
9.1. All employees and contractors will receive ongoing awareness and training programs to educate them about cyber security risks, best practices, and their responsibilities in reporting and responding to cyber security events.
9.2. Training will cover topics such as identifying phishing emails, safe browsing practices, password hygiene, and reporting suspicious activities.
10. Compliance
10.1. All employees and contractors are required to comply with this policy and associated procedures.
10.2. Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contract.
11. Policy Review
11.1. This policy will be reviewed and updated periodically to ensure its effectiveness and alignment with changing business needs, technology, and regulatory requirements.
11.2. Any updates or revisions to this policy will be communicated to all employees and contractors.
By adhering to this Cyber Security Events Policy, we demonstrate our commitment to proactively managing and responding to cyber security events. This policy provides a framework for prompt detection, reporting, and appropriate actions to protect our organization's information assets and maintain a secure computing environment.
IRIS Connect acknowledges that cyber security events can occur despite our best efforts, and we are committed to continuous improvement and resilience in the face of evolving threats.