Hertzler Systems Inc.
Purpose
This security incident response policy is intended to establish controls, and to ensure quick reaction and response, so that security vulnerabilities and incidents are detected. This document also provides implementation instructions for security incident response, including definitions, procedures, and responsibilities.
Scope
This policy applies to all Users of GS information systems within Hertzler. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by Hertzler (hereinafter referred to as “Users”). This policy must be made readily available to all Users.
Background
A key objective of Hertzler’s Information Security Program is to focus on detecting information security weaknesses and vulnerabilities so that incidents related to GS can be prevented wherever possible. Hertzler is committed to protecting its employees, customers and partners from illegal or damaging actions taken by others, either knowingly or unknowingly. Despite this, incidents may happen; when they do, Hertzler is committed to rapidly responding to them, which may include identifying, containing, investigating, resolving and communicating information related to the incident.
This policy requires that all Users report any perceived or actual information security vulnerability or incident as soon as possible using the contact mechanisms prescribed in this document. In addition, Hertzler employs automated scanning and reporting mechanisms that can be used to identify possible information security vulnerabilities and incidents. If a vulnerability is identified, it must be resolved within a set period of time based on its severity. If an incident is identified, it must be investigated within a set period of time based on its severity. If an event is identified, it must be resolved within a set period of time based on its severity.
Within this document, the following definitions apply:
- Information Security Vulnerability: A vulnerability in an information system, information system security procedures or administrative controls that could be exploited to gain unauthorized access to information or to disrupt critical processing.
- Information Security Incident: A suspected, attempted, successful or imminent threat of unauthorized access, use, disclosure, breach, modification or destruction of information; interference with information technology operations; or significant violation of information security policy.
- Information Security Event: An occurrence or change in the normal behavior of systems, networks or services that may impact security and organizational operations (e.g., possible compromise of policies or failure of controls).
Roles and Responsibilities
The Cloud Product Manager is responsible for updating, reviewing and maintaining this policy.
Policy
- All Users must report any system vulnerability, incident or event pointing to a possible incident to the Cloud Product Manager as quickly as possible but no later than 48 hours after discovery.
- Incidents must be reported by sending an email message to security@hertzler.com with details of the incident.
- Users must have access to the procedures for reporting information security incidents or discovered vulnerabilities, and their responsibilities to report such incidents. Employees must be informed of the proper procedures and their reporting responsibilities.
- Information and artifacts associated with security incidents (including but not limited to files, logs and screen captures) must be preserved appropriately in the event that they need to be used as evidence of a crime.
- All information security incidents must be handled following the incident management procedures defined below.
Periodic Evaluation
It is important to note that the processes surrounding security incident response should be periodically reviewed and evaluated for effectiveness. This also involves employees reviewing this policy and appropriate training of personnel expected to respond to security incidents. The incident response plan is tested annually.
Procedure For Establishing Incident Response System
- Define on-call schedules of qualified individuals, assigning who will be responsible for managing incident response procedures during each availability window. This is the same schedule as for the Disaster Response Plan.
- The on-call individual will be notified of any potential security incident through emails sent to security@hertzler.com.
- Distribute Procedure For Executing Incident Response to all staff and ensure up-to-date versions are accessible in a dedicated company resource.
- Require all employees to review Procedure For Executing Incident Response at least once per year.
Procedure For Executing Incident Response
- When an information security incident is identified or detected, Users must notify the Cloud Product Manager within 48 hours. The following information must be included as part of the notification:
  - Description of the incident
  - Date and time of the incident
  - Person who discovered the incident
  - How the incident was discovered
  - Known evidence of the incident
  - Affected system(s)
- Within 48 hours of the incident being reported, the Cloud Product Manager shall conduct or assign a developer to conduct a preliminary investigation and risk assessment to review and confirm the details of the incident. If the incident is confirmed, the Cloud Product Manager or assigned developer must assess the impact to Hertzler and assign a severity level, which will determine the level of remediation effort required:
  - High: the incident is potentially catastrophic to Hertzler and/or disrupts Hertzler’s day-to-day operations; a violation of legal, regulatory or contractual requirements is likely.
  - Medium: the incident will cause harm to one or more business units within Hertzler and/or will cause delays to a business unit’s activities.
  - Low: the incident is a clear violation of organizational security policy, but will not substantively impact the business.
- The Cloud Product Manager or assigned developer shall determine appropriate incident response activities in order to contain and resolve incidents.
- The Cloud Product Manager must take all necessary steps to preserve forensic evidence (e.g. log information, files, images) for further investigation to determine if any malicious activity has taken place. The collection of evidence will be managed by appropriate members with proper understanding of the system(s) affected. If deemed necessary, certified third-party professionals will be used. All gathered forensic information must be preserved and provided to law enforcement if the incident is determined to be malicious.
- If the incident is deemed High or Medium, the Cloud Product Manager must work with HLT to determine the need for and extent of communication required, and then create and execute a plan to communicate the incident to any affected Users.
- The Cloud Product Manager or assigned developer must take all necessary steps to resolve the incident and recover information systems, data and connectivity. All technical steps taken during an incident must be documented in Hertzler’s incident log, and the log entry must contain the following:
  - Description of the incident
  - Incident severity level
  - Root cause (e.g. source address, website malware, vulnerability)
  - Evidence
  - Mitigations applied (e.g. patch, re-image)
  - Status (open, fixed or risk accepted)
  - Disclosures (parties to which the details of this incident were disclosed, such as customers, vendors, law enforcement, etc.)
- After an incident has been resolved, the Development Department must conduct a post-mortem that includes root cause analysis and documentation of any lessons learned.
- Depending on the severity of the incident, the Chief Executive Officer (CEO) may elect to contact external authorities, including but not limited to law enforcement, private investigation firms and government organizations as part of the response to the incident.
- The Cloud Product Manager must notify all employees of the incident, conduct additional training if necessary and present any lessons learned to prevent future occurrences. Where necessary, the HR Manager must take disciplinary action if an employee’s activity is deemed malicious.