Data Breach Response Plan
Last Updated May 2023.
Table of Contents
- Introduction
- What is a Data Breach?
- Response Team & Responsibilities
- Data Breach Plan
- Identify/Confirm Breach
- Document/Record Evidence of Breach
- Measures to Stop Further Data Loss/Theft
- Evaluate the Risk Associated/Extent of Data Breach
- Notification
- Prevention
- Appendix A - Law Enforcement Authorities Contact Information
Introduction
The purpose of this document is to clearly outline the steps and procedures that RMS will follow in the event of a data breach that exposes sensitive personal information to unauthorised entities.
It lists the key contact persons and their responsibilities, along with a detailed plan for identifying, evaluating and preventing breaches.
What is a Data Breach?
A data breach is the act of gaining unauthorised access to data belonging to RMS, or to any of its customers, vendors or partners whose data is hosted with RMS in one of our data centres.
Such a breach may result in the theft or loss of personal or other sensitive information.
Causes of a data breach include human error, hacking attacks and inappropriate access controls.
RMS's responsibilities and obligations vary depending on the cause of the breach.
Response Team & Responsibilities
Department | Responsibility | Phone | Email |
---|---|---|---|
Technical Services | Take the lead to identify and contain the data breach. | +61 3 8256 9622 | [email protected] |
Technical Services | Document evidence of the breach. | +61 3 8256 9622 | [email protected] |
Support | Customer point of contact. | +61 3 8256 9622 | [email protected] |
Administration | Notify customers if and when required. | +61 3 8256 9622 | [email protected] |
Technical Services | Develop strategy guidelines to prevent such incidents in the future. | +61 3 8256 9622 | [email protected] |
Data Breach Plan
Once a data breach has been identified, RMS response teams will follow the procedure outlined below.
This procedure may be updated from time to time to incorporate best practices in IT security or any new legal requirements.
Identify/Confirm Breach
- A data breach can be caused by either internal or external entities.
- Contact the person who reported the breach.
- Identify how and when the breach was detected.
- Establish whether the breach was caused by an external or an internal entity.
- Establish whether other teams need to be notified, and notify them if necessary.
- Determine the user accounts and IP addresses used by the attacker.
- Determine when the first successful access attempt was made.
- Determine whether any data was modified, for example whether additional user accounts were created.
- Establish the root cause of the breach.
Document/Record Evidence of Breach
- Document the following information as evidence, using logs and any other tools available:
  - User names that were used to access data.
  - IP address information.
  - Timestamps of when unauthorised access was gained and/or data was accessed or modified.
  - If possible, identify any modifications to data.
- Collect all other information deemed to be evidence.
- Copy/backup all logs for further analysis.
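The identification and evidence steps above both come down to pulling the same facts out of logs: which accounts and source addresses were involved, when the first successful access happened, whether new accounts appeared, and keeping an unaltered copy of the logs. The script below is an added illustration of those steps and is not part of the RMS plan or RMS's own tooling. It assumes syslog-style lines as written by OpenSSH and useradd; the sample log lines are constructed for this example (documentation-range addresses, assumed chronological order) and are not from any real incident.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample auth-log lines for this example (not from a real system).
# Addresses are RFC 5737 documentation ranges; lines are assumed chronological.
SAMPLE_LOG = """\
2023-05-02T09:14:07Z sshd[2011]: Failed password for alice from 203.0.113.45 port 51234
2023-05-02T09:14:19Z sshd[2011]: Failed password for alice from 203.0.113.45 port 51236
2023-05-02T09:15:02Z sshd[2013]: Accepted password for alice from 203.0.113.45 port 51240
2023-05-02T09:20:31Z useradd[2101]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup
2023-05-02T10:03:12Z sshd[2200]: Accepted publickey for bob from 198.51.100.7 port 44010
"""

# Assumed line shape: "<ISO timestamp> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>[\w-]+)\[\d+\]:\s+(?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<name>[^,\s]+)")


def summarize_evidence(log_text):
    """Collect the items the plan lists as evidence from syslog-style text.

    Returns a dict with:
      sessions     {(user, ip): {"failed": n, "first_success": ts or None}}
      new_accounts [(ts, name), ...]  accounts created during the window
    """
    sessions = {}
    new_accounts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: leave it for manual review
        ts, msg = m["ts"], m["msg"]
        auth = AUTH_RE.search(msg)
        if auth:
            key = (auth["user"], auth["ip"])
            entry = sessions.setdefault(key, {"failed": 0, "first_success": None})
            if auth["result"] == "Failed":
                entry["failed"] += 1
            elif entry["first_success"] is None:
                entry["first_success"] = ts  # earliest success for this user/IP pair
        created = USERADD_RE.search(msg)
        if created:
            new_accounts.append((ts, created["name"]))
    return {"sessions": sessions, "new_accounts": new_accounts}


def suspicious_pairs(summary):
    """(user, ip) pairs that failed before eventually succeeding: review first."""
    return sorted(
        key for key, e in summary["sessions"].items()
        if e["failed"] > 0 and e["first_success"] is not None
    )


def evidence_digest(data):
    """SHA-256 hex digest recorded alongside each preserved log copy."""
    return hashlib.sha256(data).hexdigest()


def preserve_log(src, evidence_dir):
    """Copy a log file into the evidence directory and return its digest record.

    The stored digest lets the team show later that the copy is unchanged
    since it was collected.
    """
    src = Path(src)
    dest = Path(evidence_dir) / src.name
    shutil.copy2(src, dest)  # copy2 keeps the original modification time
    digest = evidence_digest(dest.read_bytes())
    (dest.parent / (dest.name + ".sha256")).write_text(f"{digest}  {dest.name}\n")
    return {"copy": str(dest), "sha256": digest, "size": dest.stat().st_size}


if __name__ == "__main__":
    summary = summarize_evidence(SAMPLE_LOG)
    for (user, ip), e in summary["sessions"].items():
        print(f"{user} from {ip}: failed={e['failed']} first_success={e['first_success']}")
    print("accounts created:", summary["new_accounts"])
    print("failed-then-succeeded pairs:", suspicious_pairs(summary))
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "auth.log"
        src.write_text(SAMPLE_LOG)
        print("preserved:", preserve_log(src, tmp))
```

On real systems the log format, file locations and rotation scheme differ, so the regular expressions and the source path are the parts to adapt; the evidence directory should sit on storage the affected hosts cannot write to, and the recorded digests should be kept with the incident record.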
Measures to Stop Further Data Loss/Theft
- Change the passwords of the identified user accounts that were used to gain unauthorised access.
- Disable user accounts if required.
- Restrict access based on IP address where possible.
- Schedule any patches/updates if the breach is due to a vulnerability in software.
- Identify whether security improvements to the software or architecture are required, and implement them if necessary.
Evaluate the Risk Associated/Extent of Data Breach
- If the breach could cause further data loss/theft for other customers, vendors, partners or RMS itself, apply the measures recorded earlier under "Measures to Stop Further Data Loss/Theft" to all other affected entities/systems to ensure their security.
- If user accounts and IP address information have been identified, scan other systems to confirm that no such connections were allowed there.
Notification
The nature of the breach determines who should be notified.
If the breach directly affects customers, then customers must be notified so that they can take proper prevention measures of their own.
- Notify customers by phone call and follow up with a detailed email outlining all findings and the measures taken to prevent any further damage.
- Provide instructions to customers if any action is required on their part to prevent further damage.
- Notify law enforcement agencies if required.
Prevention
- If the breach was due to a flaw in the operating system or a third-party application, update the software immediately.
- If an update is not available, contact the vendor, inform them of the incident and seek their help to rectify it.
- Evaluate the current software update guidelines/schedules and amend them as necessary.
- If the breach was due to RMS software, immediately identify and contact the Software Engineering team to fix the issue.
- Schedule downtime and update the software as necessary.
- If the fix will take time, put temporary measures in place.
- Actively monitor all systems while a permanent solution is being developed.
- If the breach was due to user error, a social engineering attack or similar, educate the end users.
- Harden security, for example by disabling plain-text protocols and allowing only encrypted communication.
- If security measures were already in place, re-evaluate the infrastructure and identify/eliminate any weaknesses.
- If any action is required from other customers to safeguard their data, create a detailed knowledge base article and send a communication to all customers.
Appendix A - Law Enforcement Authorities Contact Information
Country | Phone | Department |
---|---|---|
Australia | 000 | Emergency Services |
Australia | +61 2 6141 2999 | CERT Australia |
United States | 911 | Emergency Services |
United States | (888) 282 0870 | US-CERT |