Data Breach Response Plan. 5/10/2015 RMS Hospitality Solutions Technical Services

Transcription

1 5/10/2015 RMS Hospitality Solutions Technical Services Version: 1.0 Created: 05/10/2015 Last Updated: 22/05/2015

2 Revision and Signoff Sheet Document History - To maintain a list of changes being made Version Date Author Description of Change /10/2015 Technical Services First draft /13/2015 Matt Mazurkivich Various edits to formatting/content /14/2015 Technical Services Finalized prevention and appendix 1 05/22/2015 Technical Services Formatting changes Approvers List- To track who has reviewed and signoff on the Test plan Name Role Approver / Approval / Reviewer Review Date Peter Buttigieg Managing Director Approver 21/05/2015 David Jones Sales & Marketing Reviewer 21/05/2015 Andrew Buttigieg Technical Services Approver 21/05/2015 Lukas Gibb Technical Services Reviewer 21/05/ P a g e

3 Table of Contents Introduction... 3 What is a data breach... 3 Response Team and Responsibilities... 3 Data Breach Plan... 4 Identify/Confirm breach... 4 Document/Record evidence of breach... 4 Measures to stop further data loss/theft... 4 Evaluate the risk associated/extent of data breach... 5 Notification... 5 Prevention... 5 Appendix A - Law enforcement authorities contact information P a g e

4 Introduction The purpose of this document is to clearly outline the steps and procedures that RMS will follow in case of a data breach that exposes sensitive personal information to unauthorized entities. It includes key contact persons and their responsibilities along with detailed identification, evaluation and prevention plan. What is a data breach Data breach is the act of gaining unauthorized access to the data belonging to RMS or any of its customers/vendors/partners, whose data is hosted with RMS in one of our data centres. Such data breach may result in data theft or data loss of personal or other sensitive information. The causes of data breach may include human errors, hacking attacks or inappropriate access controls. The responsibility and obligations for RMS vary depending on the causes of such breach. Response Team and Responsibilities The following table outlines key personnel/departments and their responsibilities in case of data breach incident. Department Responsibility Phone Technical Services Take the lead to technicalservices@rms.com.au identify and contain data breach. Technical Services Document evidence technicalservices@rms.com.au of the breach Support Notify customers if support@rms.com.au and when required Administration Contact law administration@rms.com.au enforcement if and when required Technical Services Develop strategy/guidelines to prevent such incidents in the future technicalservices@rms.com.au 3 P a g e

5 Data Breach Plan In case of an identified data breach RMS response teams will follow the below outlined procedure. This may be updated from time to time to incorporate best practices in IT security or any other legal requirements. Identify/Confirm breach Data breach can be caused by either internal or external entities. 1. Contact the person who reported the breach 2. Identify how and when the breach was detected 3. Establish if the breach is caused by external or internal entity 4. Establish if other teams are required to be notified and notify them if necessary 5. Determine the user accounts, IP addresses of the hacker 6. Determine when the first successful attempt was made 7. Determine if any data was modified such as additional user accounts created 8. Establish the root cause of breach Document/Record evidence of breach 1. Document the following information as evidence using logs and any other tools available. a. User names that are used to access data. b. IP Address information c. Timestamps of when unauthorized access was gained and/or data access/modification was made. d. If possible identify any modifications to data. e. Collect all other information deemed evidence 2. Copy/backup all logs for further analysis Measures to stop further data loss/theft 1. Change passwords of identified user accounts used to gain unauthorized access 2. Disable user accounts if required 3. Restrict access based on IP address if possible 4 P a g e

6 4. Schedule any patches/updates if breach is due to a vulnerability in software. 5. Identify if security improvements are required by the software or architecture and implement if necessary Evaluate the risk associated/extent of data breach 1. If the breach can cause further data loss/theft for other customers/vendors/partners or RMS then take similar measures as recorded earlier in "Measures to stop further data loss/theft" for all other entities/systems to ensure security. 2. If user accounts and IP address information has been identified then run scans on other systems to ensure no such connections were allowed. Notification The nature of breach determines who should be notified. If the breach directly affects customers then customers must be notified so proper prevention measures can also be taken by them. 1. Notify customers through a phone call and follow up with a detailed outlining all findings and measures taken to prevent any further damage. 2. Provide instructions to customers, if any action is required by them, to prevent further damage 2. Notify law enforcement agencies if required Prevention 1. If the breach was due to an Operating System or third party application, immediately update the software. a. If an update is not available contact vendor and inform them of incident and seek help to rectify. b. Evaluate current software update guidelines/schedules and make amendments as necessary. 2. If the breach was due to RMS software, immediately identify and contact Software Engineering team to fix the issue. a. Schedule downtime and update software as necessary b. If the fix requires time then put temporary measures in place c. Actively monitor all systems while a permanent solution is being developed 3. If the breach is due to user error, social engineering attack etc then educate the end users. 4. Harden security such as disable plain text protocols and only allow encrypted communication. 5 P a g e

7 5. If security measures were already in place then re-evaluate infrastructure and identify/eliminate any weaknesses. 6. if any action is required from other customers to safeguard their data, create a detailed knowledge base article and send out communication to all customers. 6 P a g e

8 Appendix A - Law enforcement authorities contact information Country Number Department AU 000 Emergency Services AU CERT Australia United States 911 Emergency Services United States (888) US-CERT 7 P a g e