Cyber Security Incident Reporting Protocol
- Overview
ReimburseRPM is committed to protecting its employees, customers, partners, vendors and its operations from illegal or damaging actions by individuals, either knowingly or unknowingly. All desktops, servers, email gateway, network devices, and information under this policy are protected from malicious software.
- Purpose
This standard defines ReimburseRPM employees’ responsibilities for responding to and reporting breaches of information and for sharing information related to potential security incidents or threats with ReimburseRPM’s Information Technology (IT) Security Team.
A security incident is defined to be any adverse event that threatens the security of information resources. Adverse events include compromises of integrity, denial of service, compromises of data (sold or used in an unauthorized fashion), loss of accountability, or damage to any part of the system. A security incident is also any observation of an act or situation that could allow ReimburseRPM’s information technology resources to be used to launch attacks against the resources and information of other individuals or organizations.
- Scope
The Director of Sales & Business Development working together with the IT Director and Systems Administration Team shall be responsible for ensuring the effective implementation of a Company-wide standard for reporting security incidents.
This policy covers all employees, temporary employees, contractors or consultants of ReimburseRPM, and/or any affiliate, company or division of ReimburseRPM. All departments of the company are included within this policy. It is the responsibility of each employee to know the contents of this policy as it relates to incident response.
- Policy
Every employee, executive, contractor and consultant is responsible for reporting any kind of security incident. The type of report and the action of the individual will depend on the nature of the security incident. The personnel assigned to handle security incidents will determine how incidents should be handled and reported.
This document outlines the procedures that individuals should follow in reporting potentially serious IT security incidents. ReimburseRPM’s IT staff has even greater responsibilities. This document outlines their responsibilities in securing systems, monitoring and reporting IT security incidents, and assisting individuals, administrators, and other IT staff to resolve security problems.
4.0 Definition
For the purposes of this policy a “security incident” is any accidental or malicious act with the potential to:
- Result in misappropriation or misuse of private, sensitive or confidential information of an individual or of ReimburseRPM’s clients.
- Significantly imperil the functionality of the information technology infrastructure of ReimburseRPM.
- Provide for unauthorized access to ReimburseRPM’s resources or information.
- Allow ReimburseRPM’s information technology resources to be used to launch attacks against the resources and information of other individuals or organizations.
4.1 Information Security Team (IST)
A team will be assigned to accept all security incident reports. Employees should contact one of the members of the security team to report an incident. The team will consist of:
- Director of Sales & Business Development
- IT Director
- Systems Administration Team
4.2 Reporting Responsibilities – Employees
Each employee, executive, contractor and consultant must take responsibility for reporting security incidents. Individuals should follow these guidelines:
- An individual should attempt to stop any IT security incident as it occurs to the best of their knowledge/ability.
- An individual should immediately report IT security incidents to a member of the Information Security Team (IST), regardless of whether it is during or outside of normal business hours. If the IST member is not available, regardless of the incident, the individual should report it to an IT employee immediately. IT staff will help you assess the problem and determine how to proceed. In the event an IT employee is not available, such as on weekends, holidays, etc., the employee, executive, contractor or consultant should contact their supervisor, who will have emergency contact information for a member of the IT department.
- A member of the IST will work with the employee to complete the IT Security Incident Report form. The form will be reviewed by the appropriate members of the IST and may assist in determining what action is necessary. The Incident Response Form will be provided by the IT department.
- Following the report, individuals should comply with directions provided by the IT department to repair the system, restore service, mitigate future risk and preserve evidence of the incident.
- No retaliatory action should be taken against a system or person, internal or external to the organization, believed to have been involved in the IT security incident. All response actions should be guided by ReimburseRPM’s Information Security Policy. If necessary, once the root cause of an incident has been determined, the IST will take corrective or disciplinary action.
4.3 Reporting Responsibilities – IT Personnel
Information technology department professionals have additional responsibilities for IT security incident handling. In the case of an IT security incident, IT staff should:
- Respond quickly to reports from individuals.
- Take immediate action to stop the incident from continuing or recurring.
- Determine whether the incident should be reported to the IT Security Team.
- If the incident does not involve the loss of confidential information or have other serious impacts to individuals or the company, the IT staff should repair the system, restore service, mitigate future risk and preserve evidence of the incident.
- If the incident involves the loss of confidential information or critical data or has other potentially serious impacts, the IT staff should:
  - File an IT Security Incident Report form including a description of the incident and documenting any actions that have been taken.
  - Notify a member of the Information Security Team.
  - Notify the appropriate department(s) that an incident has occurred and that the IT Security Response Team has been contacted.
  - Notify ReimburseRPM’s customers if downtime or other critical situations exist.
  - Refrain from discussing the incident with others until a response plan has been formulated.
  - Repair the system and restore service.
  - Preserve evidence of the incident.
  - Develop a notification plan and deliver it to affected clients within 24 business hours, if the incident is related to breach of their data.
  - Mitigate future risk.
4.4 Reporting for Users of ReimburseRPM’s Hosted Solutions
All users should report security incidents using the online Support form found at the top of every page in the application. The following guidelines should be considered when reporting an incident:
- When the incident involves another member of your organization and you have administrative rights, disable their account to minimize the impact of the issue, and then immediately report the incident to ReimburseRPM.
- During standard business hours, the Product Support team may also be contacted by phone to report potential security issues at 702-755-3029.
- ReimburseRPM staff will respond to the incident in accordance with 4.2 and 4.3 of this policy. The user reporting the issue may be contacted by Product Support or a member of the IST throughout the process to collect additional information when required. Affected users and all appropriate contacts will be notified once the issue has been investigated and addressed by ReimburseRPM.
4.5 Reporting Incidents
The following examples are security incidents that should be reported immediately:
- Widespread virus or malware infection (do not attempt to fix this yourself; contact the IT team immediately).
- Unauthorized root or administrator access to critical servers, routers, firewalls or any other networked system.
- Major outages or degraded access to normal business systems and applications caused by denial of service attacks.
- Attacks or attempts to cause failure on mission critical infrastructure services.
- Unauthorized access to ReimburseRPM’s systems through the use of another user’s credentials.
- Instances of other malicious code that has had widespread impact or adversely affected one (or more) of ReimburseRPM’s mission critical server(s).
- Unauthorized access to servers or server management functions outside of ReimburseRPM’s networks not in the course of normal business or operational duties (e.g., running a home web server, hacking another site, etc.).
- Reconnaissance scans and probes that precede or are related to the incidents listed above should be reported.
- Changes to system hardware, firmware or software without ReimburseRPM’s knowledge, instruction or consent.
- Attempts to cause failures that may cause loss of life or significant impact on the health or economic security of any agency, organization, individual, group or state or federal government.
- Reckless uses of an IT device or network to engage in a scheme or course of conduct that is directed toward another person and that seriously alarms, torments, threatens, or terrorizes the person.
- Knowingly obtaining information that is required by law to be kept confidential or any records that are not classified as public records by accessing an IT device or network that is operated by the State, a political subdivision of the State, or a medical institution.
- Sending ReimburseRPM Confidential information over email networks or any other electronic transmission method with the intent to sell or acquire gain from that information.
- Attempts to use the identity or personal information of a fellow employee in any way.
- Password violations (sharing passwords, posting passwords in open areas, bypassing passwords, etc.)
Important information that should be documented during an incident when available:
- The systems impacted and the extent of the damage or breach
- How the breach occurred
- Steps taken to mitigate or remedy the situation
- Suspects (internal or external)
- Evidence that exists or needs to be preserved
- Enforcement
Any employee found to have violated this policy may be subject to disciplinary action based on the severity of offense, up to and including termination of employment.
- Distribution
This security policy is to be distributed as follows:
- All of ReimburseRPM’s management and executive employees
- All IT department employees
- Posted within the ReimburseRPM application to be accessed by all authenticated users