Articles in this section

Incident response plan.

Avatar
Alan Clayton
  • Updated
Follow

This Incident Response Plan provides the strategy and procedures to handle an information security incident.  This Plan provides a general framework, but each incident is unique.  

Purpose

Rise Vision seeks to prevent threats to the privacy and personal data of our employees, clients and partners. No data protection regimen is perfect, however, and incidents and breaches occur.  This Plan provides the framework for determining the nature and scope of such incidents, and the steps to take in response to them. 

Scope

This Plan is based on NIST 800-61 and covers all Rise Vision IT Systems and any systems or Devices that have Confidential Data, including any third-party systems and paper documents.  These systems and Devices include computers, laptops, printers, fax machines, phones, and any other Devices that are part of or connect to the Rise Vision IT Systems

Definitions

Capitalized terms defined in this Policy apply to these Terms:

  1. Personally Identifiable Information (PII) refers to any information about an individual maintained by Rise Vision, including (1) any information that can be used to distinguish or trace an individual’s identity, such as a name, Social Security number, date, and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
  2. Protected Health Information (PHI) means any information, whether oral or recorded in any form or medium, that:
    1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
    2. Relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
  3. Confidential Information means all technical and non-technical information including patent, trade secret, and proprietary information, techniques, sketches, drawings, models, inventions, know-how, processes, apparatus, equipment, algorithms, software programs, software source documents, and formulae disclosed in writing or orally and includes, without limitation, information concerning research, experimental work, development, design, details, and specifications, engineering, financial information, procurement requirements, purchasing, manufacturing, customer lists, business forecasts, sales, and merchandising, and marketing plans and information disclosed by Rise Vision, Rise Vision affiliates, business partners of Rise Vision or their respective employees, contractors or agents that are designated as confidential or that, given the nature of the information or circumstances surrounding its disclosure, reasonably should be understood to be confidential. The term “Confidential Information” does not apply to: (1) information that is or becomes public knowledge; (2) information that is received from a third party who is under no obligation to keep the information confidential; or (3) information that is individually developed.
  4. Trade Secret refers to any confidential business information which provides Rise Vision a competitive edge. Trade secrets encompass manufacturing or industrial secrets and commercial secrets. 
  5. Critical Data refers to data that is necessary for Rise Vision to maintain or continue its business operations, regardless of whether it is Confidential Data. 
  6. Confidential Data refers to all PII, PHI, Trade Secrets, Critical Data, and Confidential Information in Rise Vision’s possession, custody, or control. 
  7. Operations shall mean the Rise Vision department for controlling and directing the everyday business operations of Rise Vision. 
  8. Contractual Third-Party (CTP) means any third-party entity with access to Rise Vision PII, PHI, or Confidential Information bound by a contract to keep Confidential Data secure and confidential
  9. Coordinator means the COO or their designate
  10. Incident Response Team (IRT) means the Coordinator, and representatives from Legal, Operations, HR, and Finance. 
  11. Device shall mean equipment and other computing hardware, such as computers, servers, smart phones, tablets, laptops, and wearables that connect to or comprise Rise Vision’s IT System.  
  12. Employee means all employees, contractors, consultants, vendors, temporary employees, and other workers at or on behalf of Rise Vision, including all personnel affiliated with third parties.
  13. Security Alert means the system used by Employees or individuals to report a Security Event to Rise Vision
  14. Security Event means any security issue involving or potentially impacting Rise Vision, its operations, its information, or its clients/customers.
  15. Security Incident means actual or reasonably suspected: (i) loss or theft of any Confidential Data; (ii) unauthorized use, disclosure, acquisition of or access to, or other unauthorized process of any Confidential Data; or (iii) unauthorized access to or use of, inability to access, or malicious infection of, Rise Vision IT systems or third-party systems that reasonably may compromise the privacy or confidentiality of Confidential Data. 
  16. IT System all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, paging systems/devices, distributed processing systems, cloud-computing environments, Internet-of-Things (IoT) devices, network attached and computer controlled equipment (i.e., embedded technology), telecommunications resources, audio/visual resources, network environments, telephones, printers, etc. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. 

Procedures

The Coordinator is responsible for overall implementation of this Plan. The Coordinator is the COO or their designee

Reporting a Security Event

Security Events can be reported to Rise Vision by sending an email to security@risevision.com with a minimum of the following information:

  • What Confidential Data is at issue?
  • When did the incident occur?
  • How did the incident occur?
  • How did you discover the incident?
  • When did you discover the incident?

Prepare For Incidents

Training

Appropriate training will be provided by the COO to all Incident Response Team members and other appropriate staff on at least an annual basis. Training will be audited by the Legal and the Coordinator.  

Testing and Reporting

At least annually, the COO will test this Plan in preparation for Security Incidents. The IRT will review and document, using a template created for such purposes, Rise Vision’s response to any tests and actual Security Incidents. 

Incident Response Plan

The Incident Response Plan is comprised of six phases; (1) Incident Reporting; (2) Incident Classification; (3) Containment; (4) Investigation; (5) Remediation; and (6) Root Cause Analysis. 

Incident Reporting

Any Employee who becomes aware of a potential or actual Security Event will promptly report the incident according to the Report a Security Event procedure described above. Legal and the Coordinator should evaluate all reported Security Events to determine if the reported event constitutes a Security Incident. Security Events that may constitute a Security Incident include, but are not limited to:

  • Loss or theft of media or Device containing Confidential Data
  • Unauthorized access, viewing, downloading, copying, use, or disclosure of Confidential Data
  • Accidental disclosure or transmission (in any medium) of Confidential Data
  • Improperly set permissions for access to Confidential Data within Rise Vision or Contractual Third-Party systems (to the extent contractual third-party systems contain or provide access to Confidential Data owned or maintained by Rise Vision)
  • Compromise of an Employee’s login information that permits access to Rise Vision or supplier systems
  • A vulnerability in the security of a Rise Vision or a Contractual Third-Party system, regardless of whether the vulnerability results in unauthorized access to Confidential Data
  • Malicious intrusion into Rise Vision or a Contractual Third-Party systems (e.g., hacker, denial-of-service or virus)
  • An incident that compromises the technologies, processes, or practices designed to protect Rise Vision or a Contractual Third-Party system from attack, damage, or unauthorized access (e.g., a breach of an authentication application that Rise Vision uses to manage access to Confidential Data)
  • Unusual fluctuation or interruption in Rise Vision services (e.g., employee payroll), system or network performance, unrelated to system maintenance or other planned events, that significantly affects applications that contain or permit access to Confidential Data)
  • Any other event that may compromise confidentiality, security, integrity, or availability of Confidential Data

Incident Classification

The Coordinator, in conjunction with Operations and other appropriate personnel, reviews the known details of the incident and defines the initial Threat Level and assembles the Incident Response Team. When necessary, the Coordinator will consult with Operations and Legal to establish an IRT that is appropriate to respond to a specific incident. 

The Incident Response Team is responsible for containing, investigating and close-out of the incident. The Employees that form an Incident Response Team will vary depending on the classification of the incident, the type of incident, and the information systems and data impacted by the incident. All members of the Incident Response Team will maintain attorney-client privilege with respect to the investigation. 

Containment

Containment is the triage phase where the system associated with the incident is identified, isolated or mitigated to ensure the incident is contained. This phase of the Triage process includes procedures for collecting evidence, escalation and communication to appropriate parties. 

Investigation

Investigation is the phase where the Incident Response Team investigates to identify the underlying root cause and scope of the event;

Remediation

Remediation is the post-incident repair of affected systems, communication and instruction to affected parties, analysis that confirms the threat has been contained and post-mortem summarizing the situation, cause and correction. The determination of whether there are regulatory requirements for reporting the incident will be made at this stage in cooperation with Legal. 

Root Cause Analysis

Close-Out the phase where the Incident Response Team finalizes the Incident Report and provides a written timeline for incorporation of “lessons learned” into future response activities and training. 

Change Log

Effective Date

Modifications

Approved By
29-Jan-2020 version 1 published COO
     
     

 

Related articles