SOLICITATION # CH16012

intent of the following is to describe in a broad manner the actions we take in regard to security incidents, their management, tracking and communications in regard to internal policies and procedures. We have an established security incident plan based on internally-developed policies and procedures, under which documented results of all security incidents occurring during the six-month audit period are reviewed and evaluated against the Trust Services Principles of ISAE 3402 and the PCI DSS standards as appropriate.

Upon notification of a security incident, a documentation trail is begun by the InfoSec department and an internal ticket is created as the record of reference. The lead security manager calls a meeting including all personnel required to contain and reduce risk and impact appropriate to the nature of the incident. Tasks are assigned with milestones to be met to validate and determine the extent of the incident. Communication is made to the Privacy & Security Board to alert principal membership and foster internal cooperation and awareness.

An appropriate communication channel to affected customer(s) is determined based on how we were notified of the incident, i.e. from a customer, from an internal report or from a third-party report. Communication is made to affected customer(s) to include the nature of the incident, actions taken to contain the incident and potential effects of those actions, if any, in regard to sustained business process and availability of the system. Any workarounds or hot fixes necessary in the solutions are communicated, and scheduled reporting to the customer(s) is established with an identified single point of contact within our company.

Based on the nature of the incident, if required, legal counsel, present at the initial risk & impact meeting, will assist in communicating with law enforcement contacts. The customer is kept informed of the milestones met and at scheduled intervals until the incident is fully contained and no further risk and impact is perceived. All incidents are required to be internally managed by InfoSec, to include tracking and review on a weekly basis and evaluation of the actions taken in regard to our security concept. All incident reports are presented to and reviewed by the Privacy & Security Board and are formally closed with discussion and evaluation to determine what actions can be taken to prevent similar incidents. Depending on the nature of the incident and impact to customer(s), security incidents are not formally closed by the board until all affected customers are made aware of the incident and appropriate measures to remediate the initial threat are formally communicated.

Fieldglass

Fieldglass' security team is responsible for managing security incidents, and all communication is conducted via the respective account managers to ensure timeliness. The process is defined within the Incident Response Management Standard.

Customers are notified of an incident within 48 hours.

Hanna

SAP will notify the affected customers via defined communication channels within 36 hours of a confirmed data security breach. The report will detail the following information:

• Details relating to the security incident that has occurred, known at the time of notification.
• IT infrastructure and/or application affected by the security incident.
• Overview of the performed mitigation actions to restore security, documented within the incident report form.
• All further applicable requirements by country regulations "on obligation to notify" will be met.

carahsoft