This policy covers all information security or data privacy events or incidents impacting non-public Company data.
A security event is an observable occurrence relevant to the confidentiality, availability, integrity, or privacy of company-controlled data, systems, or networks.
A security incident is a security event that results in loss or damage to the confidentiality, availability, integrity, or privacy of company-controlled data, systems, or networks.
If a Company employee or contractor becomes aware of an information security event or incident, possible incident, imminent incident, unauthorized access, policy violation, security weakness, or suspicious activity, then they shall immediately report the information using one of the following communication channels.
Reporters should act as good witnesses and behave as if they are reporting a crime. Reports should include specific details about what has been observed or discovered.
The Security Delegate shall monitor security incident notifications and assign a severity based on the following categories.
This level of severity pertains to incidents that are unconfirmed or that exhibit unusual behavior requiring further investigation. There is no definitive evidence of a significant risk to systems, and an immediate emergency response is not required. Examples include encrypted laptops that are lost or stolen, suspicious emails, system outages, and unusual activity observed on a laptop.
High severity issues are those where there is a strong likelihood of an attack or exploitation, even though direct evidence of an adversary's presence or of active exploitation has not been confirmed. These include scenarios such as a lost or stolen laptop without encryption, vulnerabilities that are highly exploitable, threats indicating potential or ongoing unauthorized access to our systems (such as backdoors or malware), and unauthorized access to sensitive business data (such as passwords, details of vulnerabilities, or payment information).