INCIDENT MANAGEMENT POLICY

Objectives

  • Minimize the adverse impact on business operations
  • Restore normal service operation(s) as quickly as possible
  • Ensure agreed levels of service quality are maintained
  • Ensure standardized methods and procedures are used for efficient and prompt response, analysis, documentation, ongoing management, and reporting of incidents
  • Increase visibility and communication of incidents to business and IT support staff
  • Enhance business perception of IT through the use of a professional approach in quickly resolving and communicating incidents when they occur
  • Align Incident Management activities and priorities with those of the business
  • Maintain user satisfaction with the quality of IT services

Scope

This GrowMore Recruitment Incident Management policy will govern and guide the decisions and actions taken in the course of GrowMore Recruitment’s service operations failures that cause, or may cause, an interruption to, or a reduction in, the quality of service.

The scope of this policy applies to all incidents reported by GrowMore Recruitment employees, vendors, and third-party contract personnel (consultants/contractors) regarding IT Infrastructure hardware, software, system components, virtual components, cloud components, networks, services, documents, and processes.

Information security incidents reported to GrowMore Recruitment by a client, or any individual/entity not covered above, shall be documented, via an Incident Report Form, by the employee receiving the information security incident notification.

Incidents compromising business continuity are referred to in the GrowMore Recruitment Business Continuity Management Plan.

Policy

Incident Detection: Incident detection can be the most difficult phase of the incident response process. In many cases, though, it is obvious a security incident has occurred. For example, a website has been defaced, or a user account was logged into while the actual user was out on vacation. In other cases, it is not as easy to determine if a security incident occurred. Here are some ways to find out about a potential security incident:

  • Users: Users, including systems administrators, are often the first to notice a problem with an information resource. For example, a user may complain their login no longer works, or when they logged in, the system showed they had logged in while they were out on vacation. System administrators normally notice an information resource was compromised when they see the system start to slow down or notice more users logged in than they normally see, or they notice a new or unauthorized process running.
  • System Alerts: GrowMore Recruitment has auditing turned on for all information resources processing sensitive information as well as strategically placed network and host-based intrusion detection systems (IDS). Ideally, the audit log or the IDS shows that an attempted or successful intrusion has occurred.

Incident Reporting

All GrowMore Recruitment employees, contractors, and vendors are responsible for immediately reporting security violations, incidents, or unusual or suspicious system activity. Incident reports are then sent to the GrowMore Recruitment IT team to determine appropriate response actions to investigate and resolve the incident. 

  • Incident Response: Upon notification of a security incident via the Incident Report Form, the Technology Lead will determine the appropriate course of action and, if warranted, invoke the GrowMore Recruitment IT team, which is then ultimately responsible for managing the resolution process, including user or system notification, escalation action or follow-up action, and post-incident reporting.
  • Incident Recovery: Once the incident is deemed “contained” or “closed”, GrowMore Recruitment personnel may be required to recover systems involved in the incident. The overall goal of the recovery process is to restore the system to a more secure state than the original. This means not only restoring the data and applications as required, but also ensuring the original vulnerability involved in the incident has been remediated.

Additionally, as part of system recovery, all system and user passwords should be changed following an incident, if applicable.

Secure Evidence

Much of the evidence on information resources is volatile and may be deleted or overwritten during normal system operations. At a minimum, all system logs must be copied immediately to offline storage. This will ensure these logs are preserved and are not deleted either through normal operations or deliberately by the intruder. If feasible, a complete backup of the compromised system should be made and secured. This will preserve the condition of the system as of the time of the compromise and also prevent the intruder from erasing files.

The Technology Lead should copy the log files and create a backup of the compromised system if possible. Users should not access the affected system unless they have the expertise to perform these functions; otherwise they risk damaging or deleting evidence.

Responsibilities

The GrowMore IT team is the first point of contact for all GrowMore Recruitment personnel. Team members will assist in identifying the potential security incident and initiate appropriate procedural action. The Incident Report Form notifies the GrowMore Recruitment Technology Lead of any information security incident. The IT team has clearly defined roles and responsibilities for escalating and resolving computer security incidents. All employees are encouraged and required to report any observed or suspected security weaknesses in systems or services, even if not an incident.