Form 172.5A Incident Response Plan for Threats to Information Security
The purpose of this plan is to respond to advanced and/or persistent threats to information security that have, or could result in, an economic loss or other damage to our customers, our business or our reputation. The goal of the plan is to minimize damage to customers and our business through containment of an incident and the restoration of systems affected.
All staff will receive training on what constitutes a threat to information security and action to take in the event they suspect or learn that an advanced persistent threat has occurred. This document is intended to meet the highest standards and is an active part of our Business Continuity Program.
Form 172.5B Information Security Threat Response Form on page 3, Form 172.5C Sample Customer Notification Letter on page 18, and Form 172.5D Notification Log on page 20 are essential parts of this document and designed to be used in conjunction with this plan.
Responsibilities taken in response to a compromise of information security are included in Form 172.5B Information Security Threat Response Form. The [Insert name and title] is responsible for completing Form 172.5B Information Security Threat Response Form in order to document and guide response activities, and for assuring that all notifications are recorded in Form 172.5D Notification Log.
2. Incident Response Team
The Incident Response Team is composed of the following individuals:
Team membership may be expanded based on circumstances. The team will meet as soon as possible after an incident is discovered or reported. The team will also meet annually to review the Plan and recommend its approval to the board of directors.
The Incident Response Team is responsible for:
- conducting security awareness training among employees,
- seeing that penetration testing is done,
- serving as liaison with regulators, law enforcement and the media,
- recommending action to be taken, and
- reporting to the board of directors and regulators.
3. Types of Incidents
An incident may involve physical security, information security, electronic security, or network security, or any combination of these. An evaluation by the team will determine whether a situation qualifies as an “incident” that requires action to be taken.
Examples of physical security incidents include:
- Improper handling of shred bins
- Theft of computers and/or data storage media
- Social engineering.
Examples of information security incidents include:
- Violation of a customer’s “opt-out” request
- Unnecessary viewing of employee accounts by another employee
- Unnecessary requests for credit reports.
Examples of electronic security incidents include:
- Phishing attacks that target customers
- Unauthorized access to online and/or telephone account systems
- Social engineering (via telephone)
- Unauthorized access to the private branch exchange (PBX) system.
Examples of network security incidents include:
- Unauthorized access to the wide area network (hacking)
- Social engineering (via email)
- Unauthorized erasing of system files by an employee.
Form 172.5B Information Security Threat Response Form