SSAFA Volunteer Knowledgebase

Incident Response Policy

This Incident Response Policy outlines the measures and protocols that our organisation will follow to identify, manage, and mitigate IT security incidents. It aims to minimise the impact of such incidents on our operations, safeguard our assets, and ensure compliance with regulatory requirements.

Scope

This policy applies to all employees, volunteers, contractors, and third-party vendors who have access to our information systems and networks. It encompasses all IT- or cyber-related incidents that may affect the confidentiality, integrity, or availability of our data and services.

Objectives

  • To establish a structured approach for responding to IT incidents.
  • To ensure timely detection and containment of incidents to limit their impact.
  • To facilitate effective communication and coordination during incident response.
  • To identify the root cause of incidents and implement measures to prevent recurrence.
  • To maintain comprehensive documentation and evidence for legal and regulatory compliance.

Incident Response Team (IRT)

  • Team Composition: The IRT will consist of designated IT security personnel, system administrators, and representatives from DG, HR, and FMC directorates.
  • Roles and Responsibilities: Each team member will have defined roles and responsibilities covering incident detection, analysis, communication, and coordination. Roles may vary with incident severity; for example, more senior staff will coordinate the response to a significant incident.

Incident Classification

Incidents will be classified based on their severity and impact on the organisation. Typically these will be logged in the IT helpdesk. The categories include:

  • Critical: Incidents causing significant disruption, data breaches, or legal implications.
  • High: Incidents affecting essential services or leading to potential data loss.
  • Medium: Incidents causing moderate disruption or requiring immediate attention.
  • Low: Minor incidents with limited impact.

Incident Response Process

The incident response process involves the following key stages:

1. Preparation
  • Develop and maintain incident response procedures.
  • Conduct regular security assessments and penetration testing.
  • Maintain up-to-date contact information for key persons.
2. Identification
  • Monitor networks and systems for suspicious activities.
  • Report incidents through defined channels.
  • Verify and classify incidents based on severity.
3. Containment
  • Implement measures to contain the incident and prevent further damage.
  • Isolate affected systems or networks to maintain operational integrity.
  • Document containment actions taken.
4. Eradication
  • Identify the root cause of the incident.
  • Remove malicious software, revoke unauthorised access, and remediate the vulnerabilities that were exploited.
  • Validate the effectiveness of eradication measures.
5. Recovery
  • Restore affected systems and services to normal operations.
  • Monitor systems for any signs of reinfection or residual issues.
  • Verify data integrity and confirm that all security controls are back in place.
6. Lessons Learned
  • Conduct a post-incident review to analyse the response and identify improvements.
  • Document findings and recommendations for enhancing incident response procedures.
  • Implement corrective actions and update incident response plans.

Communication Plan

Internal Communication
  • Notify relevant stakeholders, including executive management, IT staff, and affected departments.
  • Provide regular updates on incident status and response actions.
External Communication
  • Coordinate with legal and communications teams for external notifications.
  • Notify regulatory bodies, customers, and partners as required, within any statutory notification deadlines.
  • Issue public statements where appropriate to maintain transparency and trust.

Incident Documentation

Maintain comprehensive records of all incidents on the IT helpdesk, including:

  • Incident detection and classification details.
  • Actions taken during each stage of the response process.
  • Communication logs and notifications.
  • Evidence collected for forensic analysis, and how it was preserved.
  • Post-incident review findings and recommendations.

Policy Review and Updates

This policy will be reviewed and updated annually or following a significant incident to ensure its continued relevance and effectiveness. Feedback from incident response activities and industry best practices will inform the policy updates.

Compliance and Enforcement

All employees, volunteers, contractors, and third-party vendors must comply with this policy. Non-compliance may result in disciplinary action, including termination of employment or contracts.

Incident Response at a High Level

Immediate Actions

  • Report the incident.
  • Assess the incident severity and initiate the response process.
  • Contain the incident to prevent further damage.
  • Confirm that the event is a genuine incident rather than a false positive; where there is doubt, err on the side of caution and treat it as an incident.
  • Gather and preserve evidence for further analysis.

Containment and Eradication

  • Identify and isolate affected systems and networks.
  • Remove malicious software and unauthorised access.
  • Conduct a thorough investigation to determine the root cause.

Recovery and Restoration

  • Restore systems and services to normal operations.
  • Validate data integrity and security measures.
  • Monitor for any signs of reinfection or residual issues.

Post-Incident Review

  • Conduct a comprehensive review of the incident response.
  • Document findings and recommendations for improvement.
  • Update incident response plans and procedures based on lessons learned.