Computer Security Incident Response Policy
This policy defines the requirements for reporting and responding to incidents related to Studyo information systems and operations.
This policy applies to all employees and partners of Studyo entities including, but not limited to, business units and subsidiaries.
Computer Emergency Response Plans
Studyo management must prepare, periodically update, and regularly test emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service.
Incident Response Plan Contents
The Studyo incident response plan must include roles, responsibilities, and communication strategies in the event of a compromise, including notification of relevant external partners. Specific areas covered in the plan include:
- Specific incident response procedures.
- Business recovery and continuity procedures.
- Data backup processes.
- Analysis of legal requirements for reporting compromises.
- Identification and coverage for all critical system components.
- Reference or inclusion of incident response procedures from relevant external partners, e.g., payment card issuers, suppliers.
Security Incident Response Team
Studyo management must organize and maintain an in-house Security Incident Response Team, or be in contact with a third party offering security response services, that can provide accelerated problem notification, damage control, and problem correction services in the event of computer-related emergencies such as virus infestations and hacker break-ins.
Computer Incident Response Team Availability
The Studyo Security Incident Response Team must always be available to respond to alerts that include, but are not limited to, evidence of unauthorized activity, detection of unauthorized wireless access points, critical intrusion detection alerts, and reports of unauthorized changes to critical systems or content files.
Roles and Responsibilities
Incident Management Responsibilities
The individuals responsible for handling information systems security incidents must be clearly defined by the CTO. These individuals must be given the authority to define the procedures and methodologies that will be used to handle specific security incidents.
Designated Contact Person for All Disasters and Security Events
Unless expressly recognized as an authorized spokesperson for Studyo, no worker may speak with the press or any other outside parties about the current status of a disaster, an emergency, or a security event that has been recently experienced.
Providing Information in Legal Proceedings
Workers are prohibited from providing any Studyo records, or any copies thereof, to third parties outside of Studyo or to government officials, whether in answer to a subpoena or otherwise, unless the prior permission of the Studyo management has first been obtained. Likewise, workers are prohibited from testifying to facts coming to their knowledge while performing in their official Studyo capacities unless the prior permission of the Studyo management has first been obtained.
Incident Response and Recovery
Intrusion Response Procedures
The IT Department must document and periodically revise intrusion response procedures. These procedures must include the sequence of actions that staff must take in response to a suspected information system intrusion, who has the authority to perform what responses, and what resources are available to assist with responses. All staff expected to follow these procedures must be periodically trained in and otherwise acquainted with these procedures.
Information Security Problem Resolution
All information security problems must be handled with the involvement and cooperation of information security staff, the Studyo Management, or others who have been authorized by the Studyo Management.
Security Changes After System Compromise
Whenever a system has been compromised, or is suspected of having been compromised, by an unauthorized party, System Administrators must immediately reload a trusted version of the operating system and all security-related software, and all recent changes to user and system privileges must be reviewed for unauthorized modifications.
Suspected System Intrusions
Whenever a system is suspected of compromise, the involved computer must be immediately removed from all networks, and predetermined procedures followed to ensure that the system is free of compromise before reconnecting it to the network.
Unauthorized Access Problems
Whenever unauthorized system access is suspected or known to be occurring, Studyo personnel must take immediate action to terminate the access or request assistance from the CTO.
Internal Investigations Information Confidentiality
Until charges are pressed or disciplinary action taken, all investigations of alleged criminal or abusive conduct must be kept strictly confidential to preserve the reputation of the suspected party.
Legal Proceeding Participation
Any Studyo worker called by a subpoena or in any other manner called to appear or testify before a judicial board or government agency must immediately notify the chief legal counsel in writing about the call.
Monitoring and Recording Usage of Shared Computing Resources
The usage of all Studyo shared computing resources employed for production activities must be continuously monitored and recorded. This usage history data must in turn be provided in real time to those security alert systems designated by the IT Department (intrusion detection systems, virus detection systems, spam detection systems, etc.).
Reporting Information Security Events
All suspected information security incidents must be reported as quickly as possible through the approved Studyo internal channels.
Information Security Alert System
The Security Department must establish, maintain, and periodically test a communications system permitting workers to promptly notify appropriate staff about suspected information security problems.
Violation and Problem Reporting Alternatives
Studyo workers must immediately report all suspected information security problems, vulnerabilities, and incidents to their immediate manager.
Violation and Problem Reporting Protection
Studyo will protect workers who report in good faith what they believe to be a violation of laws or regulations, or conditions that could jeopardize the health or safety of other workers. This means that such workers will not be terminated, threatened, or discriminated against because they report what they perceive to be a wrongdoing or dangerous situation.
Violation and Problem Reporting Identity
Workers who report to the IT Department a security problem, vulnerability, or an unethical condition within Studyo may, at their sole discretion, have their identity held in strict confidence. This means that the whistleblower's immediate supervisor, other members of the management team, as well as other Studyo workers who are not directly involved in the receipt of the report, will not be given the whistleblower's identity.
Events to Report
Off-Site Systems Damage and Loss
Workers must promptly report to their manager any damage to or loss of Studyo computer hardware, software, or information that has been entrusted to their care.
System Alerts and Warnings
Users must promptly report all information security alerts, warnings, suspected vulnerabilities, and the like to the Information Systems Help Desk. Users are prohibited from utilizing Studyo systems to forward such information to other users, whether the other users are internal or external to Studyo.
Users of Studyo information systems must immediately report to the IT Department Manager any unauthorized loss of, or changes to computerized production data. Any questionable usage of files, databases, or communications networks must likewise be immediately reported to the same manager.
Unexpected Requests for Log-in Information
Other than the regular and expected Studyo login screens, users must be suspicious of all pop-up windows, web sites, instant messages, and other requests for a Studyo user ID and password. Users encountering these requests must refrain from providing their Studyo user ID and password, and must promptly report the circumstances to the Help Desk.
Missing Access Devices
Identification badges and physical access cards that have been lost or stolen, or are suspected of being lost or stolen, must be reported to the IT Department immediately. Likewise, all computer or communication system access tokens (smart cards with dynamic passwords, telephone credit cards, etc.) that have been lost or stolen, or are suspected of being lost or stolen, must be reported immediately.
Unintended Sensitive Information Disclosures
Unintended disclosures of sensitive Studyo information are serious matters, and they must all be immediately reported to both the Chief Legal Counsel and the IT Department Manager. Such reporting must take place whenever such a disclosure is known to have taken place, or whenever there is a reasonable basis to believe that such a disclosure has taken place.
All apparent software malfunctions must be immediately reported to line management or the information system service provider.
Unauthorized Wireless Access Points
If an unauthorized wireless access point is detected on the Studyo network, the Computer Incident Response Team must be notified.
Reporting to Third Parties
External Violation Reporting
Unless required by law or regulation to report information security violations to external authorities, senior management, in conjunction with representatives from the Legal Department and the IT Department, must weigh the pros and cons of external disclosure before reporting these violations.
Reporting Suspected Security Breaches to Third Parties
If a verifiable information systems security problem, or a suspected but likely information security problem, has caused third party private or confidential information to be exposed to unauthorized persons, these third parties must be immediately informed about the situation.
Loss or Disclosure of Sensitive Information
If sensitive information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties, both its owner and the IT Department must be notified immediately.
System Vulnerability Exploitation and Victim Data
Studyo staff must not publicly disclose information about the individuals, organizations, or specific systems that have been damaged by computer crimes and computer abuses. Likewise, the specific methods used to exploit certain system vulnerabilities must not be disclosed publicly.
Vendor Vulnerability Disclosure
If a serious information system vulnerability is discovered by Studyo workers, and the vulnerability can be directly traced to a weakness in a certain vendor's hardware and/or software, then that vendor must promptly and confidentially be notified of the problem.
Contact with Authorities
Criminal Justice Community Contact
Technical information systems staff must not contact the police or other members of the criminal justice community about any information systems problems unless they have received permission from Studyo management.
Law Enforcement Inquiries
Even if the requesting party alleges to be a member of the law enforcement community, Studyo workers must not reveal any internal Studyo information through any communications mechanism unless they have established the authenticity of the individual’s identity and the legitimacy of the inquiry.
Contacting Law Enforcement
Every decision about the involvement of law enforcement with information security incidents or problems must be made by a Studyo senior partner. Likewise, every contact informing law enforcement about an information security incident or problem must be initiated by the IT Department Manager.
Requests to Cooperate in Investigations
Studyo workers must immediately report every request to participate in an information security investigation to the Chief Legal Counsel. Any sort of cooperation with the requesting party is prohibited until such time that the Chief Legal Counsel has determined that the participation is legal, is unlikely to cause problems for Studyo, and is requested by an authorized party.
Data Breach Management
Data Breach Response Plan Required
Studyo management must prepare, test and annually update a Data Breach Response Plan that addresses policies and procedures for responding in the event of a breach of sensitive customer data.
Incident Response Plan Evolution - Lessons Learned
The incident response plan must be updated to reflect the lessons learned from actual incidents.
Incident Response Plan Evolution - Industry Developments
The incident response plan must be updated to reflect developments in the industry.
Violation and Problem Analysis
An annual analysis of reported information security problems and violations must be prepared by the IT Department.
Collection of Evidence
Computer Crime or Abuse Evidence
To provide evidence for investigation, prosecution, and disciplinary actions, certain information must be immediately captured whenever a computer crime or abuse is suspected. The information to be immediately collected includes the current system configuration as well as backup copies of all potentially involved files.
The relevant information for computer investigation must then be securely stored off-line until official custody is given to another authorized person or the chief legal counsel determines that Studyo will no longer need the information.
Sources of Digital Evidence
For every production computer system, the IT Department must identify the sources of digital evidence that reasonably could be expected to be used in a court case. These sources of evidence must then be subject to a standardized capture, retention, and destruction process comparable to that used for vital records.
Responsibility for Electronic Evidence Production
Studyo will appoint a single individual responsible for coordinating the discovery and presentation of electronic evidence that may be required to support litigation.
Studyo data that may be considered electronic evidence must be classified as CONFIDENTIAL and viewed only by authorized representatives of the Security Incident Response Team or approved third parties involved in the investigation.
Investigation and Forensics
Computer Crime Investigation
Whenever evidence clearly shows that Studyo has been victimized by a computer or communications crime, a thorough investigation must be performed. This investigation must provide sufficient information so that management can take steps to ensure that (1) such incidents will not be likely to take place again, and (2) effective security measures have been re-established.
Forensic Analysis Process
Every analysis or investigation using data storage media that contains information that might at some point become important evidence to a computer crime or computer abuse trial must be performed with a copy rather than the original version. This will help to prevent unexpected modification to the original information.
Investigation Status Reports
The status of information security investigations must be communicated to management only by the lead investigator or the management representative of the investigation team.
Computer Crime Investigation Information
All evidence, ideas, and hypotheses about computer crimes experienced by Studyo, including possible attack methods and perpetrator intentions, must be communicated to the Chief Legal Counsel and treated as restricted and legally privileged information.
Information Security Investigations
All Studyo internal investigations of information security incidents, violations, and problems, must be conducted by trained staff authorized by the IT Department Manager.
Information Security Investigation Teams
For conflict of interest reasons, any person who personally knows the suspects, or who is friendly with them, is barred from participating on an information security incident investigation team.
Intrusion Investigations Details
Details about investigations of information system intrusions that may still be underway must not be sent via electronic mail. Likewise, to prevent such information from falling into the hands of intruders, files that describe an investigation now underway must not be stored on potentially compromised systems or anywhere on a related network where they could reasonably be expected to be viewed by intruders.
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Studyo reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Studyo does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Studyo reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.
- Partner: Any non-employee of Studyo who is contractually bound to provide some form of service to Studyo.
- Password: An arbitrary string of characters chosen by a user that is used to authenticate the user when they attempt to log on, in order to prevent unauthorized access to their account.
- System Administrator: An employee or partner who is responsible for managing a Studyo multi-user computing environment. The responsibilities of the system administrator typically include installing and configuring system hardware and software, establishing and managing user accounts, upgrading software, and performing backup and recovery tasks.
- User: Any Studyo employee or partner who has been authorized to access any Studyo electronic information resource.
- ISO/IEC 27002: 16.0 Information Security Incident Management
- NIST: Incident Response (IR)
- HIPAA: Security Incident Procedures 164.308(a)(6)
- PCI-DSS: 12.10 Incident Response Plan