# Security Incidents + Response
# Introduction
All security incidents must be managed efficiently and promptly so that the impact of an incident is contained and the consequences for your business and your customers are limited. This document sets out the Tandem plan for reporting and dealing with security incidents.
# What is a Security Incident?
A Security Incident is any event, whether accidental or deliberate, that affects your communications or information processing systems. It may be any event or set of circumstances that threatens the confidentiality, integrity or availability of information, data or services in Tandem.
This includes unauthorised access to, use, disclosure, modification, or destruction of data or services used or provided by Tandem.
# What Kind of Data is Sensitive?
Broadly speaking, any data that has been designated as "confidential", particularly data designated as confidential by our clients, is sensitive.
The clearest specific examples of sensitive data recognised by laws such as HIPAA and GDPR are:
# Personally Identifiable Information
Personally identifiable information (PII) is any data that can definitively identify a person. Examples include names, addresses, dates of birth, ID numbers, usernames, phone numbers and other identifiers. A single piece of PII is often not critical in isolation, and much of it can be obtained easily from public sources. Combined, however, it is easily misused: impersonation using PII is a common attack vector for gaining access to more sensitive data and critical systems.
# Sensitive Personal Information
Sensitive personal information (for example SSNs, health information, financial information) is typically given separate, stricter treatment by laws such as HIPAA. This data must be kept secret at all times and is frequently the target of an attack.
# How to Recognise a Security Incident
A security incident may not be recognised straightaway; however, there may be indicators of a security breach, system compromise, unauthorised activity, or signs of misuse within your environment, or that of your third party service providers.
You need to look out for any indications that a security incident has occurred or may be in progress, some of which are outlined below:
- Excessive or unusual log-in and system activity, in particular from inactive user IDs (user accounts)
- Excessive or unusual remote access activity into your business, whether by your staff or by your third party providers
- Any new wireless (Wi-Fi) networks visible or accessible from your environment
- The presence of, or unusual activity relating to, malware (malicious software), suspicious files, or new/unapproved executables and programs, on your networks or systems, including web-facing systems
- Hardware or software key-loggers found connected to or installed on systems
- Suspicious or unusual activity on, or behaviour of, web-facing systems, such as your ecommerce website
- Lost, stolen or misplaced computers, laptops, hard drives or other media devices that contain sensitive data
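The first two indicators above (activity from inactive accounts, and unusual log-in patterns) are the ones that can be checked mechanically against authentication logs. The script below is an added example and is not part of the Tandem plan; the `key=value` log format, the account names, the addresses and the list of inactive accounts are all constructed for illustration. It flags any successful log-in by an account marked inactive, any burst of failed log-ins against one account from one source, and the classic password-guessing pattern of a burst of failures followed by a success from the same source.

```python
"""Flag log-in indicators from the list above over auth-log lines.

Added example, not part of the Tandem plan. The log format, accounts
and addresses are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "key=value" auth-log format.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=alice src=10.0.0.12 result=success
2024-03-01T08:05:40Z user=bob src=10.0.0.15 result=success
2024-03-01T02:14:07Z user=svc_legacy src=203.0.113.7 result=success
2024-03-01T03:10:01Z user=alice src=198.51.100.9 result=failure
2024-03-01T03:10:03Z user=alice src=198.51.100.9 result=failure
2024-03-01T03:10:05Z user=alice src=198.51.100.9 result=failure
2024-03-01T03:10:07Z user=alice src=198.51.100.9 result=failure
2024-03-01T03:10:09Z user=alice src=198.51.100.9 result=failure
2024-03-01T03:10:12Z user=alice src=198.51.100.9 result=success
2024-03-01T09:00:00Z user=carol src=10.0.0.20 result=failure
"""

# Accounts the business has marked inactive (constructed list).
INACTIVE_ACCOUNTS = {"svc_legacy", "old_contractor"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Parse log lines into dicts; unparseable lines are skipped, not trusted."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def inactive_account_logins(events, inactive):
    """Any successful log-in by an inactive account deserves a ticket."""
    return [e for e in events if e["result"] == "success" and e["user"] in inactive]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (src, user, count) where one source produced `threshold` or
    more failures against one account inside a sliding `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_key[(e["src"], e["user"])].append(e["ts"])
    bursts = []
    for (src, user), stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((src, user, end - start + 1))
                break
    return bursts


def burst_followed_by_success(events, bursts, window=timedelta(minutes=5)):
    """A burst of failures then a success from the same source against the
    same account is the usual sign of a guessed or sprayed password."""
    hits = []
    for src, user, _ in bursts:
        same = [e for e in events if e["src"] == src and e["user"] == user]
        last_fail = max(e["ts"] for e in same if e["result"] == "failure")
        for e in same:
            if e["result"] == "success" and last_fail <= e["ts"] <= last_fail + window:
                hits.append((src, user))
                break
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG.splitlines())
    for e in inactive_account_logins(evts, INACTIVE_ACCOUNTS):
        print(f"inactive account logged in: {e['user']} from {e['src']} at {e['ts']}")
    bursts = failed_login_bursts(evts)
    for src, user, n in bursts:
        print(f"{n} failed log-ins for {user} from {src}")
    for src, user in burst_followed_by_success(evts, bursts):
        print(f"burst then success for {user} from {src}: treat as compromised")
```

The thresholds (five failures in five minutes) are assumptions; tune them to your own log volume, and feed the functions real log lines once the regular expression is adapted to your log format.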
# Incident Response Plan Steps
There are a number of steps and stages that must be taken to make sure that you protect your business by reacting to a security incident appropriately.
# Report
- Information security incidents must be reported, without delay, to the Security Officer. If a staff member suspects that a security incident or data breach has occurred but is unsure, they should discuss their concerns with their project manager, who can then raise the issue with the Security Officer.
# Investigate
- After being notified of a security incident, the Security Officer will perform an initial investigation and determine the appropriate response, which may be to initiate the Security Incident Response Plan. If the plan is initiated, the Security Officer will investigate the incident and initiate actions to limit the exposure of data and to mitigate the risks associated with the incident.
# Initial incident containment and response actions
# Make sure that no-one can access or alter compromised systems
- Isolate compromised systems from your network and unplug any network cables, without turning the systems off: powering down destroys volatile evidence such as running processes and memory contents.
- If using a wireless network, change the SSID (Service Set Identifier) on the wireless access point and other systems that may be using this wireless network (but not on any of the systems believed to be compromised).
- Preserve all logs and similar electronic evidence, e.g. logs from your firewall, anti-virus tool, access control system, web server, application server, database, etc.
- Perform a back-up of your systems to preserve their current state (a forensic image rather than a file-level backup where possible). This will also facilitate any subsequent investigation.
- Keep a record of all actions you and all members of the team take.
- Stay alert for further indications of compromise or suspicious activity in your environment, or that of your third parties.
- Seek advice before you process any further payment card transactions.
- If you can, gather details of all compromised or potentially compromised data (the ‘accounts at risk’).
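Two of the steps above, preserving logs and similar electronic evidence and keeping a record of every action taken, are where a small tool removes guesswork. The script below is an added example, not part of the Tandem plan: it hashes each collected log file with SHA-256, writes a JSON manifest recording who collected what and when, keeps a running action log inside that manifest, and can later prove whether the preserved files are still unchanged. The file names, the log contents and the manifest layout are constructed for illustration.

```python
"""Preserve evidence files with hashes and keep a record of actions.

Added example, not part of the Tandem plan. File names, log contents
and the manifest layout are constructed for illustration.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def now():
    return datetime.now(timezone.utc).isoformat()


def record_action(manifest, actor, description):
    """Append a timestamped entry to the manifest's action log."""
    manifest["actions"].append({"at": now(), "by": actor, "action": description})


def collect_evidence(paths, manifest_path, collector):
    """Hash each evidence file and write a manifest describing the collection.

    The hashes let anyone later show that the preserved copies are
    unchanged; the action log is the record the plan asks you to keep.
    """
    manifest = {
        "collector": collector,
        "host": socket.gethostname(),
        "collected_at": now(),
        "files": [],
        "actions": [],
    }
    for p in paths:
        st = os.stat(p)
        manifest["files"].append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    record_action(manifest, collector, f"collected {len(paths)} file(s)")
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(manifest_path):
    """Recompute hashes and return the paths that are missing or changed."""
    manifest = json.loads(Path(manifest_path).read_text())
    changed = []
    for entry in manifest["files"]:
        if not os.path.exists(entry["path"]) or sha256_file(entry["path"]) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def demo():
    """Create two constructed log files, preserve them, then tamper with one.

    Returns (problems found before tampering, problems found after).
    """
    with tempfile.TemporaryDirectory() as d:
        fw = Path(d) / "firewall.log"
        web = Path(d) / "access.log"
        fw.write_text("2024-03-01T03:10:01Z DENY 198.51.100.9 -> 10.0.0.5:445\n")
        web.write_text('198.51.100.9 - - [01/Mar/2024:03:10:12 +0000] "POST /login" 200\n')
        manifest = str(Path(d) / "evidence.json")
        collect_evidence([fw, web], manifest, collector="security-officer")
        clean = verify_evidence(manifest)
        web.write_text("")  # simulate the log being cleared after collection
        tampered = verify_evidence(manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "all files intact")
    print("after tampering:", after)
```

Copy the manifest somewhere the compromised system cannot reach (removable media or a separate host) as soon as it is written; a hash stored next to the file it protects proves nothing if an attacker can rewrite both.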
# Inform
Once the Security Officer has carried out their initial investigation of the security incident:
The Security Officer will alert senior management.
The Security Officer or other personnel responsible for communications / PR will inform all relevant parties. This includes your acquirer and local law enforcement, and other parties that may be affected by the compromise such as your customers, business partners or suppliers. This also includes the personal data breach notification contacts, as applicable to the incident under investigation.
# Maintain Business Continuity
- The Security Officer will engage with operational teams in your business to make sure that your business can continue to operate while the security incident is being investigated.
# Resolve
The Security Officer will liaise with external parties, including your acquirer, law enforcement, etc., to ensure appropriate incident investigation (which may include on-site forensic investigation) and gathering of evidence, as is required.
The Security Officer will take action to investigate and resolve the problem to the satisfaction of all parties and stakeholders involved. This will include confirmation that the required controls and security measures are operational.
The Security Officer will report the investigation findings and resolution of the security incident to the appropriate parties and stakeholders (including your acquirer, local law enforcement, etc.) as is needed.
# Recovery
The Security Officer will authorise a return to normal operations once satisfactory resolution is confirmed.
The Security Officer will notify the rest of the business that normal business operations can resume. Normal operations must adopt any updated processes, technologies or security measures identified and implemented during incident resolution.
# Review
The Security Officer will complete a post-incident review after every security incident. The review will consider how the incident occurred, what the root causes were and how well the incident was handled. This will help to identify recommendations for better future responses and to avoid a similar incident in the future.
Changes and updates that may be required include:
- Updates to the Security Incident Response Plan and associated procedures.
- Updates to your business' security or operational policies and procedures.
- Updates to technologies, security measures or controls (for example, improved measures to inspect payment terminals for card skimmers).
- The introduction of additional safeguards in the environment where the incident occurred (for example, more effective malware protection).
- The senior management primary contact will ensure that the required updates and changes are adopted or implemented as necessary.