SHAPE America Data Breach Response Policy

Scope:

This Policy establishes measures that must be taken to report and respond to a possible breach or compromise of Sensitive Data, including the determination of the Systems affected, whether any Sensitive Data have in fact been compromised, what specific Data were compromised and what actions are required for forensic investigation and legal compliance.

This Policy is documented to provide a well-defined, organized approach for handling any potential threat to computers and Data, as well as taking appropriate action when the source of an intrusion or incident at a third party is traced back to SHAPE America. The Policy identifies and describes the roles and responsibilities of the Incident Response Team. The Incident Response Team is responsible for putting the plan into action and communicating with applicable parties.

Capitalized terms are defined below.

Policy:

Reporting of suspected thefts, data breaches or exposures

Any individual who suspects that a theft, breach or exposure of SHAPE America Sensitive Data has occurred must report the suspected activity immediately in order to mitigate the risk to Information Resources and protect SHAPE America’s Operations. Report all suspicious activities/actions by providing a description of what occurred via email to the IT Help Desk (IHelpDesk@SHAPEAmerica.org) and the SVP, Business & Finance (Nori Jones - njones@SHAPEAmerica.org), by calling the Director, IT, Geoff Brehm at 703.476.3496, or by calling Nori Jones at 703.476.3408. Geoff Brehm and Nori Jones will assemble an Incident Response Team to investigate all reported thefts, Data breaches and exposures and to confirm whether a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the Incident Response Team will follow the appropriate procedure depending on the class of Data involved.

Incident Response Team

An Incident Response Team is established to provide a quick, effective and orderly response to computer-related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breaches of personal information, and other events with serious information security implications. The Incident Response Team’s mission is to prevent a serious loss of revenues, member and customer confidence or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks or databases.

The Incident Response Team is authorized to take appropriate steps deemed necessary to contain, mitigate or resolve a computer security incident. The Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings to management and the appropriate authorities as necessary. The Director, IT will coordinate these investigations.

The Incident Response Team will subscribe to various security industry alert services to keep abreast of relevant threats, vulnerabilities or alerts from actual incidents.

Incident Response Team Members

The Response Team may consist of the following representatives:

  • Director, IT
    • Serve as the incident lead for any actual or suspected compromise of Sensitive Data.
    • Validate the Data breach. Examine the initial incident information and available logs to confirm that a breach of Data has occurred.
    • Take action to mitigate the impact. Act quickly to reduce the impact as much as possible. Work to identify and secure all affected Data, machines, devices and systems, and isolate and preserve the compromised Data. Change encryption keys and passwords immediately to prevent further access. Personally, or in conjunction with an outside vendor, clean the network of malicious code; depending on the size of the breach, this may require significant resources.
  • SVP, Business & Finance
    • Coordinate all contacts with law enforcement, outside counsel, the insurance representative and all non-technical aspects of any investigation. Contact information for outside counsel and the insurance broker is included for use by senior management in the event the SVP, Business & Finance is unavailable.
    • Based on guidance from counsel and the insurance representative, work in coordination with the Director, IT to manage the evidence and carefully document all investigation and mitigation efforts.
  • CEO and VP, Membership, Marketing, Publications
    • Coordinate responsibility for all applicable internal and external communications, and media relations.
    • If applicable, in accordance with guidance from counsel and the insurance representative, notify Data owners. If members’ or customers’ information is exposed, affected individuals will be notified as soon as possible and within the timeframe of international regulations and federal, state, and local laws. Public affairs or media relations staff, in conjunction with executive leadership and legal counsel, will word the notification in a straightforward and honest manner.
  • Human Resources
    • Will advise on personnel issues and communications to SHAPE America staff.

Confirmed theft, data breach or exposure of SHAPE America Sensitive Data

As soon as a theft, Data breach or exposure involving SHAPE America Sensitive Data is identified, the process of removing all access to the affected resource will begin. If the information is available on a site outside of SHAPE America, that site will be contacted to have the information removed as soon as possible.

The Incident Response Team will handle all communications about the breach or exposure and will work with the appropriate parties to remediate the root cause of the breach or exposure.

Lessons Learned

After an incident has been resolved, an incident report will be created. The Incident Response Team will then convene to discuss the security controls that failed and refine SHAPE America’s Data security program and breach response strategy.

Questions about this Policy:

If you have questions about this policy, please contact the SVP, Business & Finance, Nori Jones by calling 703.476.3408 or emailing njones@SHAPEAmerica.org.

Definitions:

Confidential Data: any information that is contractually protected as confidential information and any other information that is considered by SHAPE America appropriate for confidential treatment.

Data: all items of information that are created, used, stored or transmitted by the SHAPE America community for the purpose of carrying out the Association’s mission and all Data used in the execution of the Association’s required business functions.

Information resources included in the scope of the Policy are:

  • All Data (as defined above) regardless of the storage medium (e.g., paper, cartridge, disk, CD, DVD, external drive, copier hard drive, etc.) and regardless of type (e.g., text, graphic, video, audio, etc.);
  • The computing hardware and software Systems that process, transmit and store Data; and
  • The Networks that transport Data.

Sensitive Data: any information protected by federal, state and local laws and regulations or by industry standards, including the Virginia Data Breach Notification Law, similar state laws and PCI-DSS.

System: Server-based software that resides on a single Server or multiple Servers and is used for Association purposes. “Application” or “Information System” is synonymous with “System”.