Security Event and Incident Response Procedure

Confidential procedure

This procedure includes escalation and response expectations. Do not share externally without authorization from the Information Security Officer, COO, CCO, CEO, or legal counsel.

Security Event Definition

A security event is suspicious or concerning activity detected on an IT system that could affect information security, data security, or physical security and that has either happened or been observed by employees, interns, contractors, clients, suppliers, customers, or monitoring systems.

Reporting

  • Report security events immediately to the Information Security Officer.
  • If the Information Security Officer is unavailable, escalate to the secondary contact listed in Roles and Contacts.
  • Do not discuss security events outside Core 12 without permission from the Information Security Officer, COO, CCO, or CEO.
  • Follow up with the incident response team if no resolution feedback is received within 3-5 business days.

Same-Day Investigation

All security events discovered by involved users or monitoring systems must be investigated on the same business day they are reported. The reporting person must escalate if they have not received feedback by the end of the business day.

Incident Determination

The Information Security Officer investigates reported events and determines whether there is reason to believe the event exposed Core 12 or clients to data-breach risk. Events with breach risk are classified as security incidents and require a security review.

Supplier-reported events must be treated as security incidents if the risk of a data breach exists.

Incident Response Team

When a security event becomes a security incident, the Information Security Officer assigns an incident response team. The team includes, as applicable:

  • Chief Operations Officer
  • Information Security Officer
  • Human Resources
  • Legal
  • Client primary contact
  • Client legal team

Investigation and Containment

  1. Perform a full security review of involved users, systems, data, and timelines.
  2. Determine whether a breach of data is confirmed.
  3. In crisis situations, identify connected IT systems and the impact of outages or compromise across systems, clients, and data protection obligations.
  4. Act quickly to contain potential breach spread across IT systems.
  5. Record the incident in core12-isms-management using the Security Incident issue template.

Confirmed Data Breach

For confirmed data breaches:

  1. Remove access to the affected systems and isolate the affected data.
  2. Engage cyber-insurance-provided forensic investigators and experts when available.
  3. Determine how the breach occurred, types of data involved, number of individuals impacted, and root cause.
  4. Work with legal teams and authorities on official reports and potential prosecution.
  5. Coordinate with Human Resources, legal, client contacts, and client legal teams before communicating internally, publicly, or to affected individuals.
  6. Consider regulatory, legal, and contractual obligations before deciding communication timing and content.
  7. Complete a post-incident review and track corrective actions.

Management Repo Use

  • New incidents: Security Incident issue template.
  • Closure: Post-Incident Review issue template.
  • Related risks: Risk issue template.
  • Affected assets/services/apps/personnel/vendors: link records in issue body and project fields.