A.16 Information security incident management


Version: 3.0

Valid until: 2025-04-10

Classification: Low

Version Management


| Version | Author(s) | Change(s) | Date approved |
|---------|-----------|-----------|---------------|
| 1.0 | Stefan van Aalst, Edward Robinson, Sarang Kulkarni | Initiation document | 2022-05-23 |
| 1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Renamed to A.16 Information security incident management from B05 Incident management. | 2022-12-13 |
| 2.0 | Edward Robinson | Additions/changes as part of the annual review. Only small textual changes. | 2023-06-01 |
| 3.0 | Edward Robinson | Additions/changes as part of the annual review. Added security@andrea-cloud.com under 16.1.1. Replaced CTO with management under 16.1.2. Updated the links for the ISMB action list and responses to the training under Administrations. | |

Purpose & background


In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the information security incident management policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and whenever a significant change occurs.

Objectives


The objectives of this control are:


  • To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses (A.16.1).

Scope

The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.16.1 Management of information security incidents and improvements

A.16.1.1 Responsibilities and procedures


“Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.”


Responsibilities:

Management: decision making when the Security Officer escalates, making resources available, reporting to stakeholders.


Security Officer and the anDREa response and handling team: registering incident reports, following up on incidents, handling incidents, communication, collecting and registering evidence, and escalating.


Researchers working in Workspaces and anDREa employees: reporting incidents via the ticketing system in the Security-related incidents department or via security@andrea-cloud.com.


Procedures:

The incident management procedure is described in A.16.1.5 Response to information security incidents.


A.16.1.2 Reporting information security events


“Information security events shall be reported through appropriate management channels as quickly as possible.”


anDREa’s management is part of the anDREa response and incident handling team when an information security event is reported. In addition, anDREa’s management is part of the monthly Information Security Management Board (ISMB) meeting. During this meeting, an overview of the ongoing security-related tickets is presented and discussed. A complete overview is presented in the annual Security Management Report.

A.16.1.3 Reporting information security weaknesses


“Employees and contractors using the organisation’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.”


Employees and contractors of anDREa are required to complete the Information Security and Data Protection training upon onboarding and to re-complete it every year. Among other things, this training details that all security issues must be reported and where to report them (anDREa’s ticketing system or via the Security Officer).

In addition to employees and contractors, researchers working in Workspaces are also encouraged to report security incidents via anDREa’s ticketing system. Creating a ticket in the security-related incidents department triggers a workflow which automatically alerts anDREa’s response and handling team, and assigns tasks. Assigned tasks/activities have statuses and due dates. The Security Officer must ensure that the correct information is registered in an incident ticket. There must be a clear description of the incident, which information systems are involved, the impact and mitigation efforts. Evidence is collected and attached to the ticket. Tickets will only be closed when there is a clear resolution/conclusion. 


Moreover, the Security Officer is subscribed to several newsfeeds, including that of the Nationaal Cyber Security Centrum (NCSC). The NCSC reports on vulnerabilities. When a vulnerability occurs that is relevant to anDREa (whether reported through the NCSC or other channels), the Security Officer reports the vulnerability in the ticket system and handles it according to the set procedure. In addition, an announcement will be published on the login portal of mydre.org stating whether the vulnerability impacts the services of anDREa.

anDREa distinguishes the following categories of incidents according to their impact:

  • High

  • Medium

  • Low

  • Unknown

  • N/A


Incidents that fall in the category High should be reported as soon as possible, also outside office hours.


A.16.1.4 Assessment of and decision on information security events


“Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.”


The Security Officer is responsible for the assessment of all (potential) information security incidents and this shall be registered in the associated tickets.

A.16.1.5 Response to information security incidents


“Information security incidents shall be responded to in accordance with the documented procedures.”


The incident management procedure is described in A.16.1.5 Response to information security incidents.

A.16.1.6 Learning from information security incidents


“Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.”


All (information) security tickets are tagged with a number of descriptive tags, which are used for detecting trends. When a trend is detected, this is registered and reported through the ISMB meetings or earlier. This ensures that we learn from information security incidents to reduce the likelihood of them happening again.

A.16.1.7 Collection of evidence


“The organisation shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.”


All (information) security incidents are reported via anDREa’s ticketing system. If the event/incident is reported via a different channel, then the Security Officer ensures that this is registered in the ticket system. Upon registration or reporting, a workflow is activated detailing further tasks for the anDREa response and handling team. The anDREa response and handling team will ensure that all evidence is attached to the relevant ticket.  

Administrations

