The specific purpose of this Policy is to ensure consistent management of information security incidents to minimise any harm to individuals or organisations. This Policy is not intended to consider the impact and protection of the Company’s assets from accidents, such as fire, flood, failed hardware or software.
This Policy provides the necessary information for the management and reporting of:
- Security incidents affecting Fine Cut and its IT systems
- Loss of information
- Near misses and information security concerns
This Policy applies to all:
- Employees of Fine Cut, including senior and executive management
- IS Manager, IT Manager or Manager responsible for any element of Fine Cut IT Systems
- Contractors that make use of Fine Cut IT facilities
An information security incident is any event that has the potential to affect the confidentiality, integrity or availability of Fine Cut information in any format. Examples of information security incidents can include, but are not limited to, the following:
- Disclosure of confidential information to unauthorised individuals
- Loss or theft of paper records, data or equipment such as tablets, laptops and smartphones on which data is stored
- Inappropriate access controls allowing unauthorised use of information
- Suspected breach of Fine Cut IT Policy
- Attempts to gain unauthorised access to computer systems, e.g. hacking
- Records altered or deleted without authorisation by the data “owner”
- Virus or other security attack on IT equipment, systems or networks
- Breaches of physical security, e.g. the forcing of doors or windows into a secure room, or confidential information left in unlocked filing cabinets in an accessible area
- Leaving IT equipment unattended while logged in to a user account without locking the screen, allowing others to access information
- Covert or unauthorised recording of meetings and presentations
Lines of Responsibility
All users who are given access to Fine Cut information, IT and communications facilities are responsible for reporting any actual or potential breach of information security promptly, in line with the Reporting an Incident section below.
All users are responsible for identifying risks to information security and ensuring that they are reported accordingly. The user reporting the incident, or another appropriate person, may then be asked to assist with investigating and mitigating the risk. Any breach should be reported immediately.
Company directors are responsible for leading the activity required to respond to an incident. Activities include reporting to the Data Protection Co-ordinator, investigating and taking appropriate action to address breaches of IT systems and network security, and escalating incidents.
The Data Protection Co-ordinator is responsible for ensuring that new systems meet the requirements of GDPR and therefore have had information security considered during deployment and on-going management. The Data Protection Co-ordinator is also responsible for ensuring that breaches are reported to the relevant people in the business and that appropriate actions are taken to address them, and may be required to report breaches to third parties.
Account Managers are responsible for reporting any breaches to affected customers or third parties.
Review of Policy
Company directors are responsible for reviewing the Information Security Incident Management Policy annually or after any serious and significant breach.
Reporting an Incident
When an incident is reported it will be entered into the Company’s call logging system. The breach will be categorised as follows:
Serious breach: includes, but is not limited to, loss or potential loss of personal data about a Fine Cut employee, customer or supplier, and/or the transfer of personal data to unauthorised third parties.
Significant breach: includes, but is not limited to, loss or potential loss of non-personal customer data that Fine Cut hosts.
Other breach: includes, but is not limited to, loss or potential loss of non-personal data.
If the breach is categorised as ‘serious’ or ‘significant’ the Company’s directors will be informed. All information security breaches are reported to the Data Protection Co-ordinator. If necessary, the Data Protection Co-ordinator will report the breach to the relevant Fine Cut Account Manager who will then inform their affected customer.
Acting on an Incident
All parties dealing with security incidents shall undertake to:
- Analyse and establish the cause of the incident and take any necessary steps to prevent recurrence;
- Report to all affected parties and maintain communication and confidentiality throughout investigation of the incident;
- Identify problems caused as a result of the incident and prevent or reduce further impact;
- Contact third parties to resolve errors/faults in software and to liaise with the relevant departmental personnel to ensure contractual agreements and legal requirements are maintained and to minimise potential disruption to other Fine Cut systems and services;
- Ensure all system logs and records are securely maintained and available to authorised personnel when required;
- Ensure only authorised personnel have access to systems and data;
- Ensure all documentation and notes are accurately maintained and recorded in the Company’s Service Desk system and are made available to relevant authorised personnel;
- Ensure all authorised corrective and preventative measures are implemented and monitored for effectiveness;
- The Data Protection Co-ordinator will maintain a log of all security breaches;
- Serious incidents will be presented to Company directors;
- Serious breaches will need to be reported to the Information Commissioner by the Data Protection Co-ordinator;
- All incidents logged within the Company’s Service Desk system shall have all details of the incident recorded including any action/resolution, links or connections to other known incidents. Incidents which were initially resolved but have recurred will be reopened or a new call referencing the previous one will be created;
- During the incident investigations, hardware, logs and records may be analysed by Fine Cut's internal Audit function. Information and data may be gathered as evidence to support possible disciplinary or legal action. It is essential that confidentiality is maintained at all times during these investigations.