Appendix 1 Incident Response Plan ISO 22301

1. Purpose, scope, and users

The purpose of this Plan is to ensure the protection of the health and safety of people in the case of a disaster or other incident and to contain the incident. The objective is to reduce damage to the business to the smallest possible extent.

This Plan is applied to all major incidents threatening to disrupt any critical activity within the BCMS scope for a period longer than the recovery point objective for each individual activity (further in text: disruptive incidents).

Users of this document are all employees of Resolver.

2. Reference documents

  • ISO 22301 standard, clauses 4.1, 4.3, 5.3, 6.2, and control 9.1.1
  • ISO/IEC 27701:2019 standard clause 6.13

3. Authorizations and Responsibilities in incident response

The following lists, for each role in recovery (job title), its authorizations and responsibilities in incident response:

Any employee
  • Notifying the responsible organizational unit about the incident
Information Systems Director or employee in the IT department
  • All steps necessary to resolve incidents related to IT and communications technology
BC Coordinator or employees in Resolver IT and InfoSec Departments
  • All steps necessary to resolve all other incidents
BC Coordinator
  • Activation of recovery plans for activities
CMO in conjunction with Director, Legal
  • Communication with public media – this person has exclusive authorization for communication with the public media
Director People and Culture
  • Psychological help for employees

4. Communication

The following table lists responsibilities for communication (sending as well as receiving information and responding to information requests) with various types of interested parties:

The communication channels covered are: Telephone, Meetings, E-mail, Press conferences, and Public media.

Employees
  • Telephone: HR team
  • Meetings: VP of Talent and Culture
  • E-mail: VP of Talent and Culture
  • Press conferences: N/A
  • Public media: N/A
Owners/shareholders
  • Telephone: President and CTO & CISO
  • Meetings: President, CTO & CISO, and CISO
  • E-mail: President and CTO & CISO
  • Press conferences: President
  • Public media: President
Employees’ relatives
  • Telephone: HR Team
  • Meetings: VP of Talent and Culture with President with CISO
  • E-mail: VP of Talent and Culture
  • Press conferences: N/A
  • Public media: N/A
Clients
  • Telephone: Account Managers (smaller clients) after consulting with Director, Legal
  • Meetings: DPO, CTO & CISO and/or President for the larger clients, in collaboration with Director, Legal
  • E-mail: President in collaboration with Director, Legal
  • Press conferences: CMO, President, CISO, and Director, Legal
  • Public media: CMO, President, CTO & CISO, and Director, Legal
Public media
  • Telephone: CMO in collaboration with Director, Legal
  • Meetings: CMO in collaboration with Director, Legal
  • E-mail: CMO in collaboration with Director, Legal
  • Press conferences: CMO, President, CISO, and Director, Legal
  • Public media: CMO, President, CTO & CISO, and Director, Legal
Associations
  • Telephone: Marketing team
  • Meetings: CMO
  • E-mail: CMO, CCO and Director, Legal
  • Press conferences: not specified
  • Public media: not specified
Emergency services
  • Telephone: People Operations Specialist
  • Meetings: DPO, CISO, and Director, Legal
  • E-mail: CISO in collaboration with Director, Legal
  • Press conferences: CMO, President, CISO, and Director, Legal
  • Public media: CMO, President, CTO & CISO, and Director, Legal
Various state authorities
  • Telephone: People Operations Specialist
  • Meetings: CMO, President, CTO & CISO, DPO, CCO, and Director, Legal
  • E-mail: CMO in collaboration with Director, Legal
  • Press conferences: CMO, President, CTO & CISO, CCO, and Director, Legal
  • Public media: CMO, President, CTO & CISO, and Director, Legal

The communication procedure is as follows:

  1. Any employee who receives a communication request or wants to initiate communication towards interested parties must forward such requests to a responsible person as indicated in the table above.
  2. A responsible person, CTO & CISO, President, DPO, and CMO must agree with Legal Counsel on the content of the communication.
  3. If the communication with external parties includes significant risks and impacts, the decision about such communication must be documented and formally approved by Legal Counsel and BC Coordinator (CTO & CISO) in conjunction with the PR Manager before such information is released.
  4. After getting appropriate approval, the responsible person provides information to the interested party.

A responsible person from the above table is responsible for documenting each communication with any interested party.

5. Incident Categories

Incidents are categorized into the following:

  1. IT incidents
  2. Cybersecurity Incidents
  3. Environmental Incidents

6. Cybersecurity Incidents Classification

Cybersecurity incidents are classified as follows:

  1. Unauthorized Access.
  2. Malware Infection.
  3. Distributed Denial of Service (DDoS) Attack.
  4. Internal Security Breaches and Insider Threats.
  5. Security Misconfigurations.
  6. Cryptography and Data Security.
  7. Advanced Persistent Threats (APTs)

7. Procedures for disruptive incidents

7.1. Managing a disruptive incident

7.1.1 The obligation of every employee to report incidents

Every employee is obliged to report any disruptive incident in the following way:

  • All incidents related to IT and communications technology are reported by e-mail to it@resolver.com, over the #infosys_announcements Slack channel, or by direct e-mail, Slack message, or telephone to the Information Systems Director or IT Team members (please consider your location and the contact persons at your location)
  • All other incidents are reported by e-mail to infosec@resolver.com, over the #infosec_announcements Slack channel, or by direct e-mail, Slack message, or telephone to the Information Security Analyst

Any other event or system vulnerability that has not yet developed into a disruptive incident must be reported in the same way.

If an incident requires the intervention of the police, ambulance, or fire service, the first available person must call 911 and then notify the responsible person in his/her organizational unit or the Crisis Manager.

In case an incident occurs, employees can freely communicate only with their relatives and the police, ambulance, or fire service, while all other communication is left to the Crisis Management Team.

7.1.2 Disruptive Incident Handling

The person who received information about the incident must assess whether the incident/potential incident is real or false, and if it is determined to be real, immediately activate this plan by taking the following steps:

  • Start containing and eradicating the incident as described in the following sections of this document
  • Notify all responsible persons about the occurrence of the incident within their area of responsibility
  • Notify the BC Coordinator, who must consider whether any of the interested parties need to be alerted
  • Monitor the status of the incident and, as necessary, inform the incident reporter and other employees involved in the incident about the progress of incident handling

In case a person is unable to contain and/or eradicate the incident, he/she must inform the Crisis Manager. The information that is forwarded to the Crisis Manager must include the nature and extent of a disruptive incident and its potential impact.

The person responsible for eradicating the incident must record all the actions taken into the Incident Log.

7.1.3 Crisis Manager

The Crisis Manager must monitor the progress of incident handling and the period of disruption of individual activities, and assess the time needed to solve the incident.

If the required time to solve the incident is longer than the recovery time objective of a particular activity, the recovery plan for the disrupted activity must be activated. In that case, the Crisis Manager must notify all recovery managers who will have to activate their recovery plans.

7.2. Containing and eradicating an incident

7.2.1 Evacuation of the building (regardless of incident type)

The building is evacuated to assembly points specified in the List of Business Continuity Sites, appended to the Business Continuity Plan.

Crisis Manager
  • In case people’s lives or health are threatened, issue an evacuation order
  • If Assembly Point 1 is unavailable, send someone to mark the location of Assembly Point 2 (paper sign, pointing arrows, flags, vehicle signs, etc.)
  • In case of a malicious threat (e.g. bomb threat), make a decision about the new assembly point location (Assembly Point 3) and notify the person responsible for executing evacuation
  • Notify the remote offices to take responsibility for ongoing activities.
Persons responsible for executing evacuation
  • Direct evacuation towards the assembly point
  • Check that all rooms are empty after the evacuation, leave the rooms and lock the doors
  • In case someone was unable to leave the building, inform 911
All employees
  • Evacuate in accordance with evacuation plans for your building
  • Follow the instructions provided by persons responsible for directing the evacuation
  • Do not use mobile phones during the evacuation
  • When evacuating, take only your handbag and wallet, do not take any other items with you
  • Assist others in evacuation if they need help
Crisis Management Support Team
  • When people have gathered at the assembly point, keep a record of all present and missing persons

7.2.2 Fire

The building is evacuated in accordance with the building evacuation plan.

Crisis Manager
  • In case people’s lives or health are threatened, issue an evacuation order
  • Select measures to reduce damage or save property, unless this represents a risk for people
  • Notify the remote offices to take responsibility for ongoing activities.

7.2.3 Interruption of power supply

Crisis Management Support Team
  • Establish the cause of the interruption – is it caused by the wiring or by the electricity distributor?
Information Systems Director
  • Solve the problem together with the electricity distributor
All employees
  • In line with the recovery plans, proceed with alternative ways of executing activities, without the use of electricity
Employees in the IT department
  • Monitor UPS devices and execute information system shutdown as necessary

7.3. Earthquake

The building is evacuated in accordance with the building evacuation plan.

All employees
  • Find shelter under a door frame, close to an inside bearing wall or under a desk
  • Do not use lifts
  • Do not run outside the building until the end of the earthquake
  • In case evacuation is ordered, proceed according to the evacuation plan
Crisis Manager
  • In case people’s lives or health are threatened, order evacuation of the building when the earthquake is over
  • Notify the remote offices to take responsibility for ongoing activities.
Crisis Management Support Team
  • Shut down all utilities – gas, electricity, heating, ventilation, water supply
  • Secure the building and other property

7.4. Threat Letter

All employees
  • If you receive a suspicious letter, do not open it, hold it only at its outer edges
  • Put it in an empty envelope
  • Notify BC Coordinator
  • Proceed according to instructions by BC Coordinator
BC Manager
  • Notify the police on 911
  • Notify the superior of the employee who reported about the letter
  • Execute measures as instructed by police

7.5. Threat Call / Bomb Threat

All employees
  • If you receive a threat call, write down the exact time and the caller’s telephone number
  • Write down the caller’s exact words
  • Allow the caller to say as much as possible, without interruptions:
    • try to make him/her talk
    • repeat your questions, say you didn’t understand what they were saying
    • if your phone is equipped with a speaker, put the call on speaker and ask someone to take notes
    • repeat each request made by the caller
  • In the case of a bomb threat, ask the caller the following questions:
    • Will the bomb go off? When?
    • Can it be deactivated? How?
    • Where is it located?
    • What does it look like?
    • Why is it placed – what are the requests?
    • Who is calling? Can you introduce yourself?
  • Open office doors only if you are sure that they are not wired to the bomb
  • Do not search the building looking for the bomb! This is the job of the police
  • Do not touch any unknown objects
  • If evacuation is ordered, proceed according to the evacuation plan
Crisis Manager
  • Notify the responsible person in the organizational unit targeted by the threat
  • Do not use standard assembly points – select a new assembly point
  • If you assess that the bomb could really go off, order evacuation; assembly point should be at least 300 meters away
  • Notify persons responsible for evacuation and the Crisis Management Support Team about the new assembly point location
  • In case of an explosion, make a decision to get the injured away from the affected area as soon as possible

7.6. Telecommunications failure

An employee in the IT department
  • Receives information about the failure
  • As needed, coordinates the process with IT service providers
Employees – users of communications services
  • Use alternative means of communication
Crisis Manager
  • Consultation with all relevant services, assessment of incident severity
  • Notify the remote offices to take responsibility for ongoing activities.

7.7. Information system failure

An employee in the IT department
  • Receives information about the incident
  • As necessary, coordinates the process with IT service providers
  • Takes the necessary measures to prevent or contain the information system incident
Crisis Manager
  • Consultation with all relevant services, assessment of incident severity
  • Notify the remote offices to take responsibility for ongoing activities.
All employees
  • If possible, proceed to alternative ways of carrying out activities

7.8. Malicious code attack

An employee in the IT department
  • Receives information about the incident
  • If dealing with an unknown type of malicious code, the Canadian Centre for Cyber Security should be notified:
    Email: contact@cyber.gc.ca
    Toll-Free: 1-833-CYBER-88 (1-833-292-3788)
    Local: 613-949-7048
  • Notify the producer of antivirus software
  • If the external source of malicious code has been identified, contact the person responsible for IT in that organization
  • Coordinate notification of other employees, particularly those who exchanged messages with the infected system
  • As needed, coordinate the process with IT service providers
All employees
  • Physically disconnect any infected PC from the network; disable wireless networks, Bluetooth, etc.
  • Do not shut down the network devices and servers – this is the job of people from the IT department
Employees in the IT department
  • If the computer is still not disconnected from the network, assess whether to disconnect it to prevent further infection
  • Disable all wireless connections on the computer
  • Close your software (including the operating system) – for servers, assess whether system users should be notified first
  • Find information about the type of malicious code and necessary steps for its eradication (from the Internet, from the suppliers)
  • Proceed according to received instructions

7.9. Violation of internal or external rules

HR Team
  • The procedure is carried out as required by the labor laws regulating disciplinary procedures and the organization’s own disciplinary procedures

8. Managing records kept on the basis of this document

For each record kept on the basis of this document, the storage location, the person responsible for the storage, the controls for record protection, and the retention time are:

Incident log
  • Storage location: a shared folder on BOX
  • Person responsible for the storage: BC Manager
  • Controls for record protection: only the BC Coordinator has the right to approve edits to the list
  • Retention time: 3 years

Only the BC Coordinator, President, or CISO can grant other employees access to the records.

9. Validity and document management

This document is valid as of August 2023.

This document, together with all additional materials, is stored in the following way:

  • the paper form of the document is stored at the following locations: Command Centre, and all alternative sites for activities
  • the electronic form of the document is stored in the following way: a Box shared folder with access limited to Crisis Team Members only.

The owner of this document is the Information Security Analyst, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • number of incidents not covered by this document
  • whether the steps described in this document are feasible in real situations
  • incident response time

EFFECTIVE ON: August 2023

REVIEW CYCLE: Annual at least and as needed