Security Incident Response
The ErgoPlus Security Team provides 24x7x365 coverage to respond quickly to all security and privacy events. In responding to any incident, we first determine the exposure of the information and, where possible, the source of the security problem. Our Security Team reviews all security-related incidents, whether suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.
The following is our detailed incident response plan:
1. If the person discovering the incident is not a member of the Security Team, they will contact the Security Team using the #security channel in the company communications application (Slack), by emailing security@ergo-plus.com, or by using the company contact list to reach a Security Team member by phone. The following are possible sources who may discover an incident; each has been provided with the appropriate contact information and procedures to follow.
- Customer support representatives
- Sales representatives
- ErgoPlus Injury Prevention Specialists
- Leadership team
- IT staff
2. The Security Team member who receives the communication (or who discovered the incident) will refer to their contact list for both the management personnel and the incident response members to be contacted, and will contact those designated on the list. The Security Team member will contact the incident response manager by email, phone, and Slack message, making sure that other appropriate and backup personnel and designated managers are also contacted. The Security Team member will log the following information:
- The name of the person who discovered the incident.
- The time of the report.
- The contact information of the person who discovered the incident.
- The nature of the incident.
- Which systems or persons were involved.
- How the incident was detected.
- When the first event suggesting that the incident had occurred was noticed.
- Whether the affected system is business critical.
- The severity of the potential impact.
- Any information about the origin of the attack.
3. Contacted members of the response team will meet and determine a response strategy.
- Is the incident real or perceived?
- Is the incident still in progress?
- What data or property is threatened and how critical is it?
- What is the impact on the business should the attack succeed? Minimal, serious, or critical?
- What system or systems are targeted?
- Is the response urgent?
- Can the incident be quickly contained?
- Will the response alert the attacker and do we care?
- What type of incident is this, e.g. virus, worm, intrusion, abuse, damage?
4. An incident ticket will be created. The incident will be categorized into the highest applicable level of one of the following categories:
- Category one – A threat to public safety or life.
- Category two – A threat to sensitive data.
- Category three – A threat to computer systems.
- Category four – A disruption of services.
5. Team members will establish and follow one of the following procedures, based on the incident assessment:
- Worm response procedure
- Virus response procedure
- System failure procedure
- Active intrusion response procedure – Is critical data at risk?
- Inactive Intrusion response procedure
- System abuse procedure
- Property theft response procedure
- Website denial of service response procedure
- Database or file denial of service response procedure
- Spyware response procedure
- The team may create additional procedures which are not foreseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident.
6. Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim, to determine how the incident was caused. Only authorized personnel should perform interviews or examine evidence.
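One of the log-review techniques named in step 6, looking for gaps in logs, can be partly automated. The script below is an added illustration for this page, not ErgoPlus tooling: it parses ISO-timestamped lines (a format assumed for the example), reports any stretch of silence longer than a chosen threshold, and also flags timestamps that run backwards, since on a single host that usually means lines were inserted, the clock was changed, or the file was spliced. The log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data for this example: an auth log from one host with a
# 47-minute silence between 02:10 and 02:57, followed by a root password login.
# A reviewer would want to ask what happened to logging during that window.
SAMPLE_LOG = """\
2024-03-04T02:00:12 host1 sshd[1012]: Accepted publickey for deploy from 10.0.0.5
2024-03-04T02:03:40 host1 cron[1020]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-04T02:10:05 host1 sshd[1044]: Accepted publickey for deploy from 10.0.0.5
2024-03-04T02:57:31 host1 sshd[1101]: Accepted password for root from 10.0.0.9
2024-03-04T02:58:02 host1 sudo: root : TTY=pts/0 ; COMMAND=/bin/bash
2024-03-04T03:00:00 host1 cron[1120]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed line format: an ISO-8601 timestamp (seconds precision) followed by whitespace.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s")


def parse_timestamps(text):
    """Return ([(line_number, datetime), ...], skipped_count).

    Lines without a parsable timestamp are skipped but counted, so the reviewer
    can see how much of the file the gap analysis could not use.
    """
    stamps = []
    skipped = 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = TIMESTAMP_RE.match(line)
        if not match:
            skipped += 1
            continue
        stamps.append((lineno, datetime.fromisoformat(match.group(1))))
    return stamps, skipped


def find_gaps(stamps, max_silence):
    """Return one record per adjacent pair whose time delta exceeds max_silence
    or is negative (timestamps running backwards)."""
    gaps = []
    for (line0, t0), (line1, t1) in zip(stamps, stamps[1:]):
        delta = t1 - t0
        if delta > max_silence or delta < timedelta(0):
            gaps.append({
                "from_line": line0,
                "to_line": line1,
                "start": t0.isoformat(),
                "end": t1.isoformat(),
                "duration_seconds": delta.total_seconds(),
            })
    return gaps


def find_gaps_in_text(text, max_silence_minutes=15):
    """Convenience wrapper: parse the text and report gaps plus parse statistics."""
    stamps, skipped = parse_timestamps(text)
    gaps = find_gaps(stamps, timedelta(minutes=max_silence_minutes))
    return {"lines_parsed": len(stamps), "lines_skipped": skipped, "gaps": gaps}


if __name__ == "__main__":
    report = find_gaps_in_text(SAMPLE_LOG)
    print(f"parsed {report['lines_parsed']} lines, skipped {report['lines_skipped']}")
    for gap in report["gaps"]:
        kind = "OUT-OF-ORDER" if gap["duration_seconds"] < 0 else "SILENCE"
        print(f"{kind}: lines {gap['from_line']}-{gap['to_line']} "
              f"({gap['start']} -> {gap['end']}, {gap['duration_seconds']:.0f}s)")
```

The silence threshold should be tuned per log source: an hourly cron log legitimately has 60-minute gaps, while an auth log on a busy bastion should rarely be quiet for more than a few minutes. A gap is a prompt for the team to check the host's own evidence (service status, clock changes, file rotation) rather than proof of tampering on its own.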
7. Team members will restore the affected system(s) to an uninfected state.
8. Team members will recommend changes to prevent the incident from recurring or spreading to other systems.
9. Upon management approval, the changes will be implemented.
10. Documentation: the following shall be documented:
- How the incident was discovered.
- The category of the incident.
- How the incident occurred, e.g. through email, a firewall, etc.
- Where the attack came from, such as IP addresses and other related information about the attacker.
- What the response plan was.
- What was done in response.
- Whether the response was effective.
11. Evidence Preservation: make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal.
12. Notify proper external agencies: notify the police and other appropriate agencies if prosecution of the intruder is possible.
13. Assess damage and cost: assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.
14. Review response and update policies: plan and take preventative steps so the intrusion cannot happen again.
- Consider whether an additional policy could have prevented the intrusion.
- Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.
- Was the incident response appropriate? How could it be improved?
- Was every appropriate party informed in a timely manner?
- Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?
- Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, antivirus updated, email policies set, etc.?
- Have changes been made to prevent a new and similar incident?
- Should any security policies be updated?
- What lessons have been learned from this experience?