Data/Security/Privacy Incident Response Plan
This is a copy of our internal policy. We share it to help customers get a better understanding of how we work. The policy will be updated or improved from time to time. You're welcome to give us feedback by sending a mail to security@small-improvements.com.
Incident Severity
High
We have indications or reports that data, security or privacy has been breached, or that an exploit or defect is putting us at risk – e.g. attackers can access data, companies or users are seeing data they shouldn't, etc. Stays High once we have confirmed that this is indeed possible.
Priority: Drop everything and react immediately.
Medium
We have identified that the issue is not exploitable, is not actually within our system, or that a user error/UX issue is at play.
Priority: Can be addressed the next day, and either moved into a follow-up ticket (bugs or tech roadmap) if the risk assessment warrants this, or closed (if it was a false alert).
Step 1: Ring the alarm
- Immediately inform everyone in the #incidents Slack channel. Specifically inform the Information Security team and the CTO too.
- Have a call as soon as possible
- Describe:
  - severity
  - who reported the incident, when, and via which channel
  - scope (type and amount of data potentially at risk, global or for a single customer…)
  - any details known
- Determine the incident owner, and who is part of the team responding
- Clarify expectations for response time
If there is any indication of a data breach or major security incident, also inform our Data Protection Officer – she can help figure out whether the incident needs to be reported to authorities or not.
If in doubt, it's better to get a few people too many involved than to miss out on that one person who could have had the great idea. Efficiency doesn't matter; speed and effectiveness matter most.
Step 2: Fix & preserve
- Take affected systems offline if a data or security breach that can be exploited further is suspected
- If a customer account is specifically affected and might be leaking data, lock it
- Preserve any forensic evidence about the breach if external influence is suspected, before anything is redeployed, rotated or wiped:
  - Google request logs with timestamp and IP address
  - internal log messages
  - our audit records
- Analyse whether this issue could affect and endanger neighbouring systems
- Investigate the root cause and fix it
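The "preserve evidence" step above is the one that is easiest to get wrong under time pressure: logs get overwritten by the fix, or nobody can later prove the copy was not edited. The script below is an added illustration of that step, not tooling from Small Improvements or from this policy. It filters constructed sample request-log lines (an assumed `<ISO 8601 timestamp> <client IP> <request> <status>` layout, not the real log format) to the incident's time window, writes each evidence source into an evidence directory as read-only files, records a SHA-256 per file together with who collected it and when in a manifest, and can later verify that nothing in the bundle has changed. Incident id, collector name and file names are placeholders.

```python
"""Preserve log evidence for an incident with integrity hashes and a manifest.

Added example; not part of the original policy. Log format, incident id and
file names are assumptions for illustration only.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample request-log lines (not real Small Improvements logs).
# Assumed layout: "<ISO 8601 timestamp> <client IP> <method> <path> <status>".
SAMPLE_REQUEST_LOG = [
    "2024-05-03T10:09:58Z 198.51.100.7 GET /api/reviews/1 200",
    "2024-05-03T10:12:07Z 203.0.113.5 GET /api/reviews/42 200",
    "2024-05-03T10:12:09Z 203.0.113.5 GET /api/reviews/43 200",
    "2024-05-03T10:12:11Z 203.0.113.5 GET /api/reviews/44 403",
    "2024-05-03T11:30:00Z 192.0.2.10 POST /login 302",
]
# Constructed internal log and audit lines for the same (hypothetical) incident.
SAMPLE_APP_LOG = [
    "2024-05-03T10:12:07Z WARN ReviewController: cross-company access check bypassed for review 42",
    "2024-05-03T10:12:11Z INFO ReviewController: access denied for review 44",
]
SAMPLE_AUDIT_LOG = ["2024-05-03T10:12:07Z user=u-1234 company=c-9 action=VIEW_REVIEW target=42"]


def parse_ts(token):
    """Parse an ISO 8601 timestamp; 'Z' is normalised so Python < 3.11 accepts it."""
    return datetime.fromisoformat(token.replace("Z", "+00:00"))


def lines_in_window(lines, start_iso, end_iso):
    """Keep lines whose leading timestamp lies in [start, end].

    Lines we cannot parse are kept too: never silently drop potential evidence.
    """
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    kept = []
    for line in lines:
        try:
            ts = parse_ts(line.split(" ", 1)[0])
        except ValueError:
            kept.append(line)
            continue
        if start <= ts <= end:
            kept.append(line)
    return kept


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(evidence_dir, incident_id, collector, sources):
    """Write each source (name -> lines) read-only and record hashes in MANIFEST.json."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for name, lines in sources.items():
        path = os.path.join(evidence_dir, name)
        with open(path, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
        os.chmod(path, 0o440)  # evidence is never edited in place
        entries.append({"file": name, "lines": len(lines), "sha256": sha256_file(path)})
    manifest = {
        "incident_id": incident_id,  # placeholder id
        "collected_by": collector,  # who took the copy: part of the chain of custody
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    with open(os.path.join(evidence_dir, "MANIFEST.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """True only if every file still matches the hash recorded at collection time."""
    with open(os.path.join(evidence_dir, "MANIFEST.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    return all(sha256_file(os.path.join(evidence_dir, e["file"])) == e["sha256"]
               for e in manifest["files"])


def run_demo():
    """Collect the sample logs for a hypothetical incident window, then show tamper detection."""
    window = ("2024-05-03T10:12:00Z", "2024-05-03T10:13:00Z")
    requests = lines_in_window(SAMPLE_REQUEST_LOG, *window)
    evidence_dir = tempfile.mkdtemp(prefix="evidence-")
    manifest = preserve_evidence(evidence_dir, "INC-0000", "on-call engineer", {
        "requests.log": requests,
        "app.log": lines_in_window(SAMPLE_APP_LOG, *window),
        "audit.log": lines_in_window(SAMPLE_AUDIT_LOG, *window),
    })
    clean = verify_evidence(evidence_dir)
    # Simulate someone "cleaning up" a preserved file after the fact.
    tampered_path = os.path.join(evidence_dir, "requests.log")
    os.chmod(tampered_path, 0o640)
    with open(tampered_path, "a", encoding="utf-8") as f:
        f.write("2024-05-03T10:12:30Z 203.0.113.5 GET /api/reviews/45 200\n")
    return {"in_window": len(requests), "manifest": manifest,
            "verified_clean": clean, "verified_after_tamper": verify_evidence(evidence_dir)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the manifest (or at least its hashes) somewhere the incident team but not the affected system can write to, e.g. pasted into the incident ticket; a hash stored next to the file it protects proves little if the whole directory can be rewritten.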
Step 3: Document & inform
- Document the incident thoroughly, and document EVERYTHING as you do it
- If data has been leaked or security has been breached:
  - Inform our Data Protection Officer (do not skip this step!!!)
  - Customer-Team: notify affected or at-risk customers within 8h with details on the scope of the (potential) breach, an update on the situation, and a timeline for when to expect the next update
    - using email and Intercom, and consider in-app messages
  - If applicable (e.g. there is a physical security breach on premises), notify law enforcement agencies
Step 4: Post-mortem
- Run a thorough post-mortem with actions to prevent this type of incident in the future
Please also see our privacy policy.