Security Incident Policy Guide

CompanyX recognizes that information security incidents pose risks to the organization. This policy establishes responsibilities and guidelines for effectively preparing for and responding to incidents to minimize damage. It applies to incidents involving CompanyX information and systems. The Chief Technical Officer must establish an incident response team to manage major incidents. All employees are responsible for reporting incidents and participating in security awareness training. Asset owners must monitor systems and enable controls to detect potential incidents. Non-compliance may result in disciplinary action.

1. Introduction
CompanyX is not immune to information security incidents. These incidents can range from random
cyber-attacks and targeted attacks to security violations by staff. The impact of these incidents may vary;
however, it is important to note that a single instance can expose the Company to several risks at once.
These may include, but are not limited to, huge financial loss, damage to corporate image, reduction in
customer confidence, decline in market share, lawsuits, or any combination of these risks.

2. Purpose
This Policy sets out the overall responsibilities and levels of preparedness that are essential to ensure
that security incidents are dealt with effectively and that the incident management process is
improved based on the lessons learnt.

3. Scope

This Policy applies to all incidents related to Company-owned or other third-party computing facilities and
"cloud services" hosted internally, on which CompanyX Corporate Information is stored, accessed,
generated or transmitted. Typical information security incidents include, but are not limited to: network
intrusion, unauthorized access to data, malicious code, theft or loss of information, disruption or
denial of service, website compromise, email spam, loss of a computing device, and employee security
violations (fraud, information leakage, privilege misuse or abuse, etc.).

4. Exceptions/Limitations
This Policy does not apply to incidents related to personal safety, fire, bomb threats, physical sabotage
or theft. These should be covered by the Disaster Recovery/Business Continuity Plan, Physical Security or
Human Resource policies.

5. Related Documents
This policy must be read in conjunction with the Group Security Incident Management Guideline
document.

6. Definition of Terms Used

Definitions of the terms used in this document are found in Section 9.0.

7. POLICY STATEMENTS:
The organization's reaction to an incident can mean the difference between complete recovery and total
disaster. Therefore, the incident management policy is designed to reduce chaos and minimize adverse
impact through early preparedness, detection, containment and quick restoration, and to improve the
current process to prevent recurrence.

Roles and Responsibilities:

General Staff Responsibility:
Each employee must play an integral role in preparing to combat security incidents whenever they
occur. Staff must be able to determine whether a situation is an abnormal event that poses a threat to the
company's information assets, its customers, employees, partners and other third parties. To
facilitate this, all staff must participate in security awareness training, use information assets
appropriately and exercise responsible behaviour.

Staff must immediately report security incidents through the appropriate channel, in keeping with the
established incident reporting procedure (refer to the Group Security Incident Management Guideline
document), and make a proper record of the incident to assist the incident resolution process.

In all cases, staff must never take actions that could exacerbate the situation, and must be careful never to
disclose incident details to persons who do not need to know about them.

Chief Technical Officer:

The Chief Technical Officer in each market must establish a well-trained Computer Security Incident
Response Team (CSIRT) to manage major incidents. CSIRT team members must have the relevant
skillset, and be capable and equipped with all the essential resources, to deal effectively with the
incident within the shortest possible timeframe. (Refer to the Group Security Incident Management
Guideline document for details on CSIRT team composition.)

Additional support may be obtained from an external security service provider as appropriate, or, if the
required skills and resources are not available in-house, the CTO must make the necessary arrangements
for the CSIRT function to be provided effectively by a third party (outsourcing).

CSIRT Lead/Designated Security Personnel:

The CSIRT lead may be the designated security personnel or another equally capable individual who can
manage and lead the CSIRT team. This person must ensure this policy is implemented by coordinating
activities locally, ensuring that incidents are handled in accordance with established guidelines, and
ensuring that staff members involved in the incident management process are well informed, trained
and participate in regular security incident drills.

The CSIRT shall decide whether or not to escalate a major security incident to senior management,
whether to collect legally admissible forensic evidence, whether to involve external law enforcement,
and whether to release information. For incidents of significant operational impact, a senior manager must
determine whether information is to be released into the public domain, or whether regaining operational
integrity is more important than collecting forensic evidence during an active attack.

All major incidents must undergo formal review and analysis by the CSIRT, to determine root causes,
identify additional controls, and improve future response.

Refer to the Group Security Incident Management Guidelines for more detail on CSIRT team
responsibilities.

Asset Owners:
All asset owners (usually the technical administrator) must ensure that information assets, especially those
housing critical information or generating revenue, are securely managed, routinely backed up, maintained
in the IT asset inventory, and have detective controls (IDS monitoring, logging, audit trail, etc.) enabled.

Daily monitoring must be performed to detect suspicious activities or security events, which may be an
early warning that a particular incident will soon occur or is actually occurring. All logs must be
preserved in case this information is required.

It is very important that fallback controls (failover mechanisms, power supply, redundancy, etc.) are
established and routinely inspected, audited and/or tested to guarantee their reliability at the most
crucial time, when they are required during an incident.

8.0 Non-Compliance
Non-compliance with this policy creates an environment that makes it difficult to act responsively and
appropriately to events that can threaten the very existence of the company. Therefore, failure to
comply shall be subject to disciplinary action up to and including termination, as determined by the damage
caused, unless justification is proven otherwise. In the case of a third party, cancellation of contract and/or
legal action shall apply in accordance with their Third Party Agreement.

9.0 Glossary of Terms

The terms used are defined in accordance with the context in which they are used throughout this
Policy:

Asset Inventory: An inventory of IT systems with detailed information about their hardware, software,
network connectivity and other attributes, which provides for easy identification and management of
the asset.

Audit Trail: In computer security systems, a chronological record of system resource usage. This
includes user logins, file access and other activities, and whether any actual or attempted security
violations occurred, legitimate or unauthorized.

Cyber-attack: Any type of offensive manoeuvre employed by individuals or whole organizations that
targets computer information systems, infrastructures, computer networks and/or personal computer
devices by various means of malicious acts, usually originating from an anonymous source, that steals,
alters or destroys a specified target by hacking into a susceptible system.

Incident: A single or a series of unwanted or unexpected information security events that have a
significant probability of compromising business operations and threatening information security.

Incident Management: The process for managing the incident lifecycle from the moment the incident is
detected until recovery and normalcy are restored. Activities include identification, analysis,
containment, resolution, post-analysis, and lessons learnt to prevent a future recurrence. Incident
management activities are normally dealt with by a Computer Security Incident Response Team (CSIRT),
established beforehand.

Denial of Service: A denial-of-service (DoS) attack is an attempt to make a machine or network resource
unavailable to its intended users. Although the means to carry out a DoS attack may vary, it generally
consists of efforts to temporarily or indefinitely interrupt or suspend services.

Evidence: Everything that is used to determine or demonstrate the truth of an assertion. Evidence is
the means by which one fulfils the burden of proof.

Failover: Failover operates by harnessing redundant computers or networks to provide continued
service when system components fail or a network link is down.

Malicious code: Program code that is designed to interrupt computer operations, cause failure in
hardware or software, corrupt data, or allow remote execution. Malicious code may include computer
viruses, Trojans and worms.

Network Intrusion: Unauthorized access by a computer hacker who manages to exploit weaknesses present
in a computer system, website or network.

Network resource: Any information system that is accessible via the corporate network or the internet,
or hosted remotely on another interconnected third-party network.

Privilege Abuse: Misuse of one's access rights to resources to carry out unauthorized activity such as
information disclosure, revenue fraud, sabotage or other misdeeds.

Security Event: An identified occurrence of a system, service or network state indicating a possible
breach of information security or policy, a failure of controls, or a previously unknown situation that
may be security relevant.

Any abnormal event that poses a threat to the confidentiality, integrity and availability of information,
computer systems, network infrastructure and services. (An important note: all incidents are events,
but many events are not incidents. For example, a system or application failure due to age or defect
may be an emergency event, but a random flaw or failure is not an incident.)

Unauthorized access: Access to an information resource to which one would not normally have access.
