SCP Data Breach and Security Incident Management Policy and Procedure
The SCP Data Breach and Security Incident Management Policy and Procedure (DBSIMPP) shall enable an appropriate response to a security incident by implementing a plan for timely advice on containment and risk management and determining whether further controls or actions are required. A security incident is an event that leads to a violation of SCP’s security policies and puts sensitive data at risk of exposure. A security incident may lead to a data breach. The implementation of sound security incident policies, blocking of unnecessary access to data, improvement in security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce such risks and decrease the cost of security-incident-related matters.
PURPOSE
The purpose of this policy is to provide SCP-wide guidance to all staff on proper response to, and efficient and timely reporting of, computer and non-computer security-related incidents, such as, but not limited to, unauthorized user activity, data intrusion and all related data privacy violations under the Data Privacy Act of 2012 that will compromise the personal data collected by SCP. It also addresses non-IT violations involving the physical data that SCP is currently handling.
SCOPE
Applicability
This policy and procedure apply to all users throughout Save the Children Philippines (“SCP”), whether employees/staff, officers, trustees, volunteers, partners, suppliers, contractors, consultants, third party service providers (Personal Information Processors), and outsourced personnel, who use, process and manage information from individual systems or servers and other manual data processing systems.
They are required to be aware of and follow this procedure in the event of a personal data breach.
Policy and Procedure Documentation
This document is the formal documentation of the SCP Breach and Security Incident Management Policy and Procedure (DBSIMPP).
Document Control
The DBSIMPP document and all other referenced documents shall be controlled. Version control shall be ensured to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two (2) years for legal and knowledge preservation purposes.
Records
Records being generated as part of the DBSIMPP shall be retained for a period of two (2) years or may be longer whenever applicable. Records shall be in hard copy or electronic media. The records shall be owned by the respective Process Owners with a copy to the Data Protection Officer and shall be audited once a year.
Distribution and Maintenance
The DBSIMPP document shall be made available to all personnel and other stakeholders of SCP covered in the scope or the process involved. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the Data Protection Officer (DPO) and Chief Executive Officer.
Confidentiality
The DBSIMPP document shall be considered a confidential document and shall be made available to the concerned persons with proper access control.
Role and Responsibility of the Data Protection Officer (DPO)
- The DBSIMPP shall be implemented by the DPO, who has the overall responsibility for the data security incident and data breach management process. The primary responsibilities associated with security/breach management are to identify and respond to suspected or known security incidents, contain or limit the exposure to loss, and mitigate, to the extent practical, the harmful effects of security incidents that might affect the data subject’s rights.
- The DPO and/or the Information Technology (IT) Unit will manage incidents at the facility level and will alert the Chief Executive Officer of potential organization-wide threats. The nature of the incident may require the assignment of staff from other units/offices. In all cases, units/offices shall be informed of the incident and the steps recommended or taken to mitigate the incident.
- Ensure that these security/breach management policies and procedures are complied with and duly implemented.
SECURITY INCIDENT/DATA BREACH MANAGEMENT POLICIES
The DPO shall ensure that:
- Incidents are detected as soon as possible and reported to the DPO.
- All incidents shall be duly recorded and documented. The full extent and implications relating to an incident must be duly analyzed and understood.
- All evidence is gathered, recorded and maintained in the Security Incident Reporting Form that will withstand internal and external scrutiny.
- Incidents are handled by appropriate authorized personnel with skilled backup as required.
- Incidents are dealt with in a timely manner and service(s) restored as soon as possible.
- The risk to SCP’s reputation through negative exposure is minimized.
- Any weaknesses in procedures or policies are identified and addressed.
- Learnings from the incidents are recorded.
- Similar incidents will not recur.
These policies and procedures shall apply throughout SCP affecting all information resources, data stored and processed on those systems, data communication and transmission media, and personnel who use information resources.
IMPLEMENTATION
The DPO shall initiate the development, maintenance and implementation of the incident management and response plan to address data security incidents based on the following incident management plan requirements:
- Incident Management Training - This shall provide incident management training to the units/offices on how to identify and report security incidents.
- Identifying and Prioritizing Types of Incidents - This will be undertaken to develop and maintain guidelines for identifying and prioritizing security incidents. The Units/Offices or their affiliated staff designated by agreement or assignment shall evaluate the potential for the occurrence of certain types of incidents. All security incidents shall be classified by severity level and type. In addition, each incident shall be identified as to type: email, hacking, virus/worm, inappropriate use, social engineering and even non-IT-related incidents such as improper use of physical personal data, i.e. forms and other printed materials.
- Incident Monitoring - The DPO shall develop and maintain guidelines on how to monitor security incidents. (See attached excel file: SCP Incident Assessment Involving Personal Data). The Units/Offices or their affiliated staff designated by agreement or assignment, as part of their risk management program, shall continuously monitor security incidents (both physical and IT-related incidents) according to prescribed guidelines.
- Incident Detection - SCP shall develop and maintain organization-wide procedures for collecting, analyzing and reporting data. (See attached excel file as reference: SCP Incident Assessment Involving Personal Data). The integrity of all data relating to criminal acts must be preserved as evidence and will be collected using generally accepted data privacy policies and procedures. The forensic procedures to be followed will be developed and disseminated by the DPO.
- Incident Reporting - The DPO shall define the basic procedure to be followed for reporting incidents. The procedure may be expanded by the Units/Offices as necessary to include the internal communications and escalation procedures that will be used. Security incidents classified as level 3, 4, or 5 in the Privacy Impact Assessment shall be reported to the DPO and the designated unit/office information security officer within a period of 12 hours from the time the incident was discovered. (See attached excel file as reference: SCP Incident Assessment Involving Personal Data). The DPO is responsible for reporting the incidents to the Chief Executive Officer. If a security incident concerns Sensitive Personal Information (SPI) and the incident is deemed reportable to the National Privacy Commission as defined in the Data Privacy Act of 2012 and its IRR, the DPO shall be responsible for submitting the report to the Commission.
- SCP-Security Incident Response Team (SIRT) - The DPO shall make the recommendation for the establishment of the SIRT for the approval of the CEO. The DPO will work with the Units/Offices to develop a cross-functional incident response team that will handle a variety of incidents. The roles and responsibilities of the team members will be clearly defined. The SIRT shall be adequately staffed and trained to handle the incident(s). Since incidents may be far-reaching, requiring expertise or authority that does not reside within a unit/office, the SIRT may include outsourced vendors, internal and external entities, as well as other key facility/agency personnel, if necessary.
- Organization Protocols - Security incidents may occur across network boundaries. The DPO shall define the protocols for handling these incidents and the contacts between Units/Offices and outsourced entities.
- Impact Assessment - The DPO shall evaluate the impact of security incidents. Assessments may be required at various stages of the incident life cycle to assist the SCP management in deploying the proper risk management strategy.
- Incident Handling and Escalation Procedures - The DPO shall develop and maintain the primary procedures for handling the containment, eradication and recovery aspects of incidents and the guidelines for development of an escalation procedure. The Units/Offices shall develop escalation procedures that are tailored to their individual circumstances. (See attached excel file as reference: SCP Incident Assessment Involving Personal Data).
- Documentation - All security incidents shall be thoroughly documented by the Units/Offices with as much detail as possible to describe the incident, time discovered and impacted area for subsequent investigation. The incident report shall indicate who was notified and what actions were taken. The DPO may be called on to assist in the documentation process.
- Record Retention - The Quezon City Office and each of the Field Offices shall maintain the incident logs and corresponding documentation for a minimum of one (1) year following the discovery of an incident or until an investigation is completed. Incident logs should be stored in a secure location.
- Post-Incident Analysis - The post-incident analysis provides feedback to improve the existing process and its related procedures. Following actions taken to resolve each security incident, an analysis shall be performed by the DPO and the impacted unit or office, with assistance of their affiliated staff designated by agreement or assignment, to evaluate the procedures taken and what further steps could have been taken to minimize the impact of the incident.
- Data Security Emergency Planning - If an incident occurs that impacts the safety of the personnel and facilities, or results in a situation where unit services are interrupted for an extended period of time, the incident may be declared an emergency. The DPO shall work with the government agencies (i.e. NBI or PNP) to provide guidelines regarding the criteria for identifying an emergency and notification procedures. The Units/Offices shall develop the appropriate procedures for identifying and declaring data security emergencies using the established Business Continuity Plan as can be seen also under their respective Privacy Impact Assessments.
- Media Relations - Serious security incidents that are likely to result in media attention shall be reported immediately to the Chief Executive Officer.
ENFORCEMENT
Any employee found to have violated this policy may be subjected to disciplinary action in line with the SCP Disciplinary Policy.