Computer Security Incident Response Policy


This policy defines the requirements for reporting and responding to incidents related to Studyo information systems and operations.


This policy applies to all employees and partners of Studyo entities including, but not limited to, business units and subsidiaries.


Program Organization

Computer Emergency Response Plans

Studyo management must prepare, periodically update, and regularly test emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service.

Incident Response Plan Contents

The Studyo incident response plan must include roles, responsibilities, and communication strategies in the event of a compromise, including notification of relevant external partners. Specific areas covered in the plan include:

Security Incident Response Team

Security Incident Response Team

Studyo management must organize and maintain an in-house Security Incident Response Team or be in contact with a third-party offering security response services that can provide accelerated problem notification, damage control, and problem correction services in the event of computer-related emergencies such as virus infestations and hacker break-ins.

Computer Incident Response Team Availability

The Studyo Security Incident Response Team must always be available to respond to alerts that include, but are not limited to, evidence of unauthorized activity, detection of unauthorized wireless access points, critical intrusion detection alerts, and reports of unauthorized critical systems or content file changes.

Roles and Responsibilities

Incident Management Responsibilities

The individuals responsible for handling information systems security incidents must be clearly defined by the CTO. These individuals must be given the authority to define the procedures and methodologies that will be used to handle specific security incidents.

Designated Contact Person for All Disasters and Security Events

Unless expressly recognized as an authorized spokesperson for Studyo, no worker may speak with the press or any other outside parties about the current status of a disaster, an emergency, or a security event that has been recently experienced.

Providing Information in Legal Proceedings

Workers are prohibited from providing any Studyo records, or any copies thereof, to third parties outside of Studyo or to government officials, whether in answer to a subpoena or otherwise, unless the prior permission of the Studyo management has first been obtained. Likewise, workers are prohibited from testifying to facts coming to their knowledge while performing in their official Studyo capacities unless the prior permission of the Studyo management has first been obtained.

Incident Response and Recovery

Intrusion Response Procedures

The IT Department must document and periodically revise intrusion response procedures. These procedures must include the sequence of actions that staff must take in response to a suspected information system intrusion, who has the authority to perform what responses, and what resources are available to assist with responses. All staff expected to follow these procedures must be periodically trained in and otherwise acquainted with these procedures.

Information Security Problem Resolution

All information security problems must be handled with the involvement and cooperation of information security staff, the Studyo Management, or others who have been authorized by the Studyo Management.

Security Changes After System Compromise

Whenever a system has been compromised, or suspected of being compromised by an unauthorized party, System Administrators must immediately reload a trusted version of the operating system and all security-related software, and all recent changes to user and system privileges must be reviewed for unauthorized modifications.

Suspected System Intrusions

Whenever a system is suspected of compromise, the involved computer must be immediately removed from all networks, and predetermined procedures followed to ensure that the system is free of compromise before reconnecting it to the network.

Unauthorized Access Problems

Whenever unauthorized system access is suspected or known to be occurring, Studyo personnel must take immediate action to terminate the access or request assistance from the CTO.

Internal Investigations Information Confidentiality

Until charges are pressed or disciplinary action taken, all investigations of alleged criminal or abusive conduct must be kept strictly confidential to preserve the reputation of the suspected party.

Legal Proceeding Participation

Any Studyo worker called by a subpoena or in any other manner called to appear or testify before a judicial board or government agency must immediately notify the chief legal counsel in writing about the call.

Event Monitoring

Monitoring and Recording Usage of Shared Computing Resources

The usage of all Studyo shared computing resources employed for production activities must be continuously monitored and recorded. This usage history data must in turn be provided in real time to those security alert systems designated by the IT Department (intrusion detection systems, virus detection systems, spam detection systems, etc.).

Reporting Information Security Events

Incident Reporting

All suspected information security incidents must be reported as quickly as possible through the approved Studyo internal channels.

Information Security Alert System

The Security Department must establish, maintain, and periodically test a communications system permitting workers to promptly notify appropriate staff about suspected information security problems.

Violation and Problem Reporting Alternatives

Studyo workers must immediately report all suspected information security problems, vulnerabilities, and incidents to either their immediate manager.

Violation and Problem Reporting Protection

Studyo will protect workers who report in good faith what they believe to be a violation of laws or regulations, or conditions that could jeopardize the health or safety of other workers. This means that such workers will not be terminated, threatened, or discriminated against because they report what they perceive to be a wrongdoing or dangerous situation.

Violation and Problem Reporting Identity

Workers who report to the IT Department a security problem, vulnerability, or an unethical condition within Studyo may, at their sole discretion, have their identity held in strict confidence. This means that the whistleblower's immediate supervisor, other members of the management team, as well as other Studyo workers who are not directly involved in the receipt of the report, will not be given the whistleblower's identity.

Events to Report

Off-Site Systems Damage and Loss

Workers must promptly report to their manager any damage to or loss of Studyo computer hardware, software, or information that has been entrusted to their care.

System Alerts and Warnings

Users must promptly report all information security alerts, warnings, suspected vulnerabilities, and the like to the Information Systems Help Desk. Users are prohibited from utilizing Studyo systems to forward such information to other users, whether the other users are internal or external to Studyo.

Unauthorized Activity

Users of Studyo information systems must immediately report to the IT Department Manager any unauthorized loss of, or changes to computerized production data. Any questionable usage of files, databases, or communications networks must likewise be immediately reported to the same manager.

Unexpected Requests for Log-in Information

Other than the regular and expected Studyo login screens, users must be suspicious of all pop-up windows, web sites, instant messages, and other requests for a Studyo user ID and password. Users encountering these requests must refrain from providing their Studyo user ID and password, as well as promptly report the circumstances to the Help Desk.

Missing Access Devices

Identification badges and physical access cards that have been lost or stolen--or are suspected of being lost or stolen--must be reported to the IT Department immediately. Likewise, all computers or communication system access tokens (smart cards with dynamic passwords, telephone credit cards, etc.) that have been lost or stolen--or are suspected of being lost or stolen--must be reported immediately.

Unintended Sensitive Information Disclosures

Unintended disclosures of sensitive Studyo information are serious matters, and they must all be immediately reported to both the Chief Legal Counsel and the IT Department Manager. Such reporting must take place whenever such a disclosure is known to have taken place, or whenever there is a reasonable basis to believe that such a disclosure has taken place.

Software Malfunctions

All apparent software malfunctions must be immediately reported to line management or the information system service provider.

Unauthorized Wireless Access Points

If an unauthorized wireless access point is detected on the Studyo network, the Computer Incident Response Team must be notified.

Reporting to Third Parties

External Violation Reporting

Unless required by law or regulation to report information security violations to external authorities, senior management, in conjunction with representatives from the Legal Department and the IT Department must weigh the pros and cons of external disclosure before reporting these violations.

Reporting Suspected Security Breaches to Third Parties

If a verifiable information systems security problem, or a suspected but likely information security problem, has caused third party private or confidential information to be exposed to unauthorized persons, these third parties must be immediately informed about the situation.

Loss or Disclosure of Sensitive Information

If sensitive information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties, both its owner and the IT Department must be notified immediately.

System Vulnerability Exploitation and Victim Data

Studyo staff must not publicly disclose information about the individuals, organizations, or specific systems that have been damaged by computer crimes and computer abuses. Likewise, the specific methods used to exploit certain system vulnerabilities must not be disclosed publicly.

Vendor Vulnerability Disclosure

If a serious information system vulnerability is discovered by Studyo workers, and the vulnerability can be directly traced to a weakness in a certain vendor's hardware and/or software, then that vendor must promptly and confidentially be notified of the problem.

Contact with Authorities

Criminal Justice Community Contact

Technical information systems staff must not contact the police or other members of the criminal justice community about any information systems problems unless they have received permission from Studyo management.

Law Enforcement Inquiries

Even if the requesting party alleges to be a member of the law enforcement community, Studyo workers must not reveal any internal Studyo information through any communications mechanism unless they have established the authenticity of the individual’s identity and the legitimacy of the inquiry.

Contacting Law Enforcement

Every decision about the involvement of law enforcement with information security incidents or problems must be made by a Studyo senior partner. Likewise, every contact informing law enforcement about an information security incident or problem must be initiated by the IT Department Manager.

Requests to Cooperate in Investigations

Studyo workers must immediately report every request to participate in an information security investigation to the Chief Legal Counsel. Any sort of cooperation with the requesting party is prohibited until such time that the Chief Legal Counsel has determined that the participation is legal, is unlikely to cause problems for Studyo, and is requested by an authorized party.

Data Breach Management

Data Breach Response Plan Required

Studyo management must prepare, test and annually update a Data Breach Response Plan that addresses policies and procedures for responding in the event of a breach of sensitive customer data.

Incident Review

Incident Response Plan Evolution - Lessons Learned

The incident response plan must be updated to reflect the lessons learned from actual incidents.

Incident Response Plan Evolution - Industry Developments

The incident response plan must be updated to reflect developments in the industry.

Violation and Problem Analysis

An annual analysis of reported information security problems and violations must be prepared by the IT Department.

Collection of Evidence

Computer Crime or Abuse Evidence

To provide evidence for investigation, prosecution, and disciplinary actions, certain information must be immediately captured whenever a computer crime or abuse is suspected. The information to be immediately collected includes the current system configuration as well as backup copies of all potentially involved files.

Evidence Storage

The relevant information for computer investigation must then be securely stored off-line until official custody is given to another authorized person or the chief legal counsel determines that Studyo will no longer need the information.

Sources of Digital Evidence

For every production computer system, the IT Department must identify the sources of digital evidence that reasonably could be expected to be used in a court case. These sources of evidence must then be subject to a standardized capture, retention, and destruction process comparable to that used for vital records.

Responsibility for Electronic Evidence Production

Studyo will appoint a single individual responsible for coordinating the discovery and presentation of electronic evidence that may be required to support litigation.

Information Classification

Studyo data that may be considered electronic evidence must be classified as CONFIDENTIAL and viewed only by authorized representatives of the Security Incident Response Team or approved third parties involved in the investigation.

Investigation and Forensics

Computer Crime Investigation

Whenever evidence clearly shows that Studyo has been victimized by a computer or communications crime, a thorough investigation must be performed. This investigation must provide sufficient information so that management can take steps to ensure that (1) such incidents will not be likely to take place again, and (2) effective security measures have been re-established.

Forensic Analysis Process

Every analysis or investigation using data storage media that contains information that might at some point become important evidence to a computer crime or computer abuse trial must be performed with a copy rather than the original version. This will help to prevent unexpected modification to the original information.

Investigation Status Reports

The status of information security investigations must be communicated to management only by the lead investigator or the management representative of the investigation team.

Computer Crime Investigation Information

All evidence, ideas, and hypotheses about computer crimes experienced by Studyo, including possible attack methods and perpetrator intentions, must be communicated to the Chief Legal Counsel and treated as restricted and legally privileged information.

Information Security Investigations

All Studyo internal investigations of information security incidents, violations, and problems, must be conducted by trained staff authorized by the IT Department Manager.

Information Security Investigation Teams

Any person who personally knows the suspects, or who is friendly with them, for conflict of interest reasons is barred from participating on an information security incident investigation team.

Intrusion Investigations Details

Details about investigations of information system intrusions that may be still underway must not be sent via electronic mail. Likewise, to prevent such information from falling into the hands of intruders, files which describe an investigation now underway must not be stored on potentially compromised systems or anywhere on a related network where they could be reasonably expected to be viewed by intruders.


Any violation of this policy may result in disciplinary action, up to and including termination of employment. Studyo reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Studyo does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Studyo reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.