Data/Security/Privacy Incident Response Plan

This is a copy of our internal policy. We share it to help customers get a better understanding of how we work. The policy will be updated or improved from time to time. You’re welcome to give us feedback by sending a mail to security@small-improvements.com.

Incident Severity

When in doubt, start with High severity and post in #incidents immediately. We can always downgrade and call All Clear.

High

We have indications or reports that data, security or privacy has been breached, or that an exploit or defect is putting us at risk – e.g. hackers can access data, or companies or users are seeing data they shouldn’t. The incident stays High once we have confirmed that this is indeed possible.

Priority: Drop everything and react immediately.

Medium

We have identified that the issue is not exploitable or not actually within our system, or that a user error/UX issue is at play.

Priority: Can be addressed the next day, and either moved into a follow-up ticket (bugs or tech roadmap) if the risk assessment warrants it, or closed (if it was a false alert).

Step 1: Ring the alarm

  • Immediately inform everyone in the #incidents Slack channel. Make sure the Information Security team and the CTO are informed as well.
  • Have a call as soon as possible
    • Describe:
      • severity
      • who reported the incident when via which channel
      • scope (type and amount of data potentially at risk, global or for a single customer…)
      • any details known
    • Determine incident owner, and who is part of the team responding
    • Clarify expectation for response time

If there is any indication of a data breach or major security incident, also inform our Data Protection Officer – she can help figure out whether the incident needs to be reported to the authorities.

If in doubt, it’s better to involve a few people too many than to miss the one person who could have had the great idea. Efficiency doesn’t matter here; speed and effectiveness matter most.

Step 2: Fix & preserve

  • Take affected systems offline if a data or security breach that could be exploited further is suspected
  • If a customer account is specifically affected and might be leaking data, lock it
  • Preserve any forensic evidence about the breach if external influence is suspected:
    • Google request logs with a time stamp and IP address
    • Internal log messages
    • our audit records
  • Analyse whether this issue could affect or endanger neighboring systems
  • Investigate root cause and fix

Step 3: Document & inform

  • Document the incident thoroughly
  • if data has been leaked or security has been breached:
    • Customer-Team: notify affected or at-risk customers within 8h with details on the scope of the (potential) breach, an update on the situation, and a timeline for when to expect the next update
      • via email and Intercom; also consider in-app messages
    • inform our Data Protection Officer (do not skip this step!!!)
    • document EVERYTHING as you do it
  • if applicable (e.g. there is a security breach on premises), notify law enforcement agencies

Step 4: Post-mortem

  • Run a thorough post-mortem with actions to prevent this type of incident in the future

Please also see our privacy policy.