Level 2 Supporting Policies
      Back to home
      1. HealthSafe Help Center
      2. HS ISO27001 Documents
      3. Level 2 Supporting Policies

      28. HealthSafe Information Security Incident Management Policy



      INFORMATION SECURITY INCIDENT MANAGEMENT POLICY



      Document Identification 

      HSNZ/POL/28

      Document Name

      Information Security Incident Management Policy

      Master Copy

      CISO

      Version Number

      1.3

      Date Of Release 

      15 Aug 2023

      Prepared By

      Eparama Tuibenau

      CISO

      Approved by

      Kevin McAfee

      Managing Director

       


      VERSION HISTORY


      Sl No

      Version No.

      Prepared by

      Approved by

      Description of Version

      Date

      Reason for Version Change

      From

      To

      1

      1.0

      -

      CISO

      MD

      First Release

      14 Apr 2020 

      No changes made

      1

      1.0

      1.1

      CISO

      MD

      Updated

      03 Aug 2021 

      Modifications due to changes in HealthSafe

      1

      1.1

      1.2

      CISO

      MD

      Reviewed

      28 Jul 2022 

      Annual review

      1

      1.2

      1.3

      CISO

      MD

      Reviewed

      15 Aug 2023 

      Annual review

      DOCUMENT STATUS


      Date

      Document Status

      14 Apr 2020

      Modified

      03 Aug 2021

      Reviewed

      28 Jul 2022

      Review

      15 Aug 2023

      Current

      Table of Contents

      1 Purpose


      2 Scope


      3 Input


      4 Output


      5 Interacting Process


      6 Abbreviations, Acronyms and Definitions


      7 Procedure


      8 Monitoring the Process


      9 Records



      1. PURPOSE
        The purpose of this document is to establish and maintain a policy for Information Security Incident Management for HealthSafe NZ. To verify that an incident occurred, maintain or restore business continuity, reduce the incident impact, determine how the attack was done or the incident happened, prevent future attacks or incidents, improve security and incident response, prosecute illegal activity and keep management informed of the situation and response

      2. SCOPE
        These procedures applies to all aspects of information security incident management

      3. ABBREVIATIONS, ACRONYMS AND DEFINITIONS

      Abbreviation

      Description

      FH

      Functional Head

      IT

      Information Technology Department

      TL

      Team Lead

      CISO

      Chief Information Security Officer

      4 INPUT

      To identify the incidents and initiate appropriate action from recurrence.


      5 OUTPUT

      To take appropriate corrective actions for the incident identified


      6 INTERACTING PROCESS

      All the departments


      7 PROCEDURE


      Incident Definition

      An incident is any one or more of the following: 

      • Non-availability of information (system failure)
      • Loss of information confidentiality (data theft) 
      • Loss of data arising from server crash
      • Compromise of information integrity (loss or damage to data or unauthorised modification). 
      • Theft of physical IT assets including laptops, storage devices, printers, etc. 
      • Damage to physical IT assets including laptops, storage devices, printers
      • Denial of service. 
      • Misuse of services, information, or assets. 
      • Infection of systems by unauthorised or hostile software. 
      • An attempt at unauthorised access. 
      • Unauthorised changes to organisational hardware, software, or configuration. 
      • Reports of unusual system behaviour. 
      • Non-compliances to policy and procedures. 
      • Power shutdown 
      • Natural calamities such as fire, earthquake, floods 
      • Disruptions arising from strikes, lockout, civil disturbance etc

      Reporting information security events and weaknesses

      To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. 


      Information Security events

      Information security events shall be reported through appropriate management channels as quickly as possible. 

      A formal information security event reporting procedure is established, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event. A point of contact is established for the reporting of information security events.

      Information Security Weaknesses

      All employees, contractors and third-party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.


      Management of information security incidents and improvements

      To ensure a consistent and effective approach is applied to the management of information security incidents.


      Responsibilities and procedures

      In addition to reporting of information security events and weaknesses, the monitoring of systems, alerts and vulnerabilities should be used to detect information security incidents.

      The following are considered for the information security incident management:

      Procedures should be established to handle different types of information security incidents including:

      • Information system failures and loss of service;
      • Malicious code;
      • Denial of service;
      • Errors resulting from incomplete or inaccurate business data;
      • Breaches of confidentiality and integrity;
      • Misuse of information systems;
      • In addition to normal contingency plans, the procedures should also cover:
      • Analysis and identification of the cause of the incident;
      • Containment;
      • Planning and implementation of corrective action to prevent recurrence, if necessary;
      • Communication with those affected by or involved with recovery from the incident;
      • Reporting the action to the appropriate authority;
      • Audit trails and similar evidence should be collected and secured as appropriate
      • Internal problem analysis;
      • Use as forensic evidence in relation to a potential breach of contract or regulatory requirement or in the event of civil or criminal proceedings;
      • Negotiating for compensation from software and service suppliers;
      • Action to recover from security breaches and correct system failures should be carefully and formally controlled; the procedures should ensure that:
      • Clearly identified and authorised personnel are allowed accesses to live systems and data;
      • All emergency actions taken are documented in detail;
      • Emergency action is reported to management and reviewed in an orderly manner;
      • The integrity of business systems and controls is confirmed with minimal delay.

      Learning from information security incidents

      In addition to the reporting of security incidents and the software malfunctions, the procedure also covers the details of the analysis of the occurrence of the incident/malfunction.


      Mechanism has been defined to analyse the incident, take the necessary corrective and preventive actions to minimise the occurrence of the incident. 


      Collection of evidence

      It is necessary to have adequate evidence to support an action against a person or organisation. Whenever this action is an internal disciplinary matter the evidence necessary will be described by internal procedures. Where the action involves the law, either civil or criminal, the evidence presented should conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. In general, these rules cover:

      1. Admissibility of evidence: whether or not the evidence can be used in court;
      2. Weight of evidence: the quality and completeness of the evidence;
      3. Adequate evidence that controls have operated correctly and consistently (i.e. process control evidence) throughout the period that the evidence to be recovered was stored and processed by the system.

      To achieve admissibility of the evidence, organizations should ensure that their information systems comply with any published standard or code of practice for the production of admissible evidence.

      To achieve quality and completeness of the evidence, a strong evidence trail is needed. In general, such a strong trail can be established under the following conditions.

      1. For paper documents: the original is kept securely and it is recorded who found it, where it was found, when it was found and who witnessed the discovery. Any Investigation should ensure that originals are not tampered with.
      2. For information on computer media: copies of any removable media, information on hard disks or in memory should be taken to ensure availability. The log of all actions during the copying process should be kept and the process should be witnessed. One copy of the media and the log should be kept securely.
      3. When an incident is first detected, it may not be obvious that it will result in possible court action. Therefore, the danger exists that necessary evidence is destroyed accidentally before the seriousness of the incident is realised. It is advisable to involve a lawyer or the police early in any contemplated legal action and take advice on the evidence required.


      Points to Remember:

      • CISO must be notified immediately in case of security weakness/incident is identified.
      • Staff are informed that they should not, in any circumstances; attempt to prove a suspected weakness. This is for their own protection, as testing weaknesses might be interpreted as a potential misuse of the system

      8 MONITORING PROCESS

      The senior production team monitor these processes.


      9 RECORDS

      • JIRA Logs
      • Penetration Reports
      • Incident Management Record