Purpose and Scope
This plan provides practical guidelines on responding to cyber-attacks and data breach incidents in a consistent and effective manner. The plan establishes a team of first responders to an incident with defined roles, responsibilities, and means of communication.
This response plan sets out specific provisions for a cyber or data incident and is in addition to the deployment of the Major or Critical Incident Policy, which may also be enacted during such an event.
Goals for Cyber Incident Response
When a cyber security incident occurs, timely and thorough action to manage the impact of the incident is critical to an effective response process. The response should mitigate damage through clear, coordinated actions. Specifically, the response goals are:
- Preserve and protect the confidentiality of patient, co-owner and business information and ensure the integrity and availability of BrisDoc systems, networks, and related data.
- Help BrisDoc personnel recover their business processes after a computer or network security incident or other type of data breach.
- Provide a consistent response strategy to system and network threats that put BrisDoc data and systems at risk.
- Develop and activate a communications plan including initial reporting of the incident as well as ongoing communications, as necessary.
- Address cyber-related legal issues.
- Coordinate efforts with external support teams.
- Minimize BrisDoc’s reputational risk.
- Engage third-party stakeholders where necessary.
- Monitor evolving cyber threats.
Incident Response Team (IRT)
A team composed of BrisDoc staff, advisors, and service providers shall be responsible for coordinating incident responses and shall be known as the Incident Response Team (IRT). The IRT shall consist of the individuals listed in Appendix A, having the noted roles and responsibilities.
This team will have both primary members and secondary members. Secondary members will become involved depending on the incident. In the event of a cyber-attack, CFC, Defense.com and Sophos will be informed as a matter of course. The primary members of the IRT will act as first responders to an incident that warrants IRT involvement, according to the incident’s severity. The entire IRT would be informed and involved in the most severe incidents.
IRT members may take on additional roles during an incident, as needed. Contact information, including a primary and secondary email address, plus office and mobile telephone numbers, shall be maintained and circulated to the team. The IRT will draw upon additional staff, consultants, or other resources (often referred to as Subject Matter Experts, or SMEs) as needed for the analysis, remediation, and recovery processes of an incident. The Digital function plays a significant role in the technical details that may be involved in incident detection and response and can be considered an SME in that regard.
There shall be a member of the IRT designated as the Incident Response Manager (IRM), who will take on the organisational and coordination roles of the IRT during any incident for which the IRT is activated.