Valid until: 2025-04-10
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Added security@andrea-cloud.com under 16.1.1. Replaced CTO with management under 16.1.2. Updated the links for the ISMB action list and responses to the training under Administrations. |
In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the information security incident management policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and whenever a significant change occurs.
The objective of this control is:
To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses (A.16.1).
The scope of this document corresponds to Clause 4 Context of the organisation.
This document is:
required reading for:
all employees and contractors of anDREa.
available for all interested parties as appropriate.
Management: decision making when the Security Officer escalates, making resources available, and reporting to stakeholders.
Security Officer and the anDREa response and handling team: registering incident reports, following up on incidents, handling incidents, communication, collecting and registering evidence, and escalating.
Researchers working in Workspaces and anDREa employees: reporting incidents via the ticketing system in the Security-related incidents department or via security@andrea-cloud.com.
Procedures:
The incident management procedure is described in A.16.1.5 Response to information security incidents.
In addition to employees and contractors, researchers working in Workspaces are also encouraged to report security incidents via anDREa's ticketing system. Creating a ticket in the Security-related incidents department triggers a workflow that automatically alerts anDREa's response and handling team and assigns tasks. Assigned tasks/activities have statuses and due dates. The Security Officer must ensure that the correct information is registered in an incident ticket: a clear description of the incident, the information systems involved, the impact, and the mitigation efforts. Evidence is collected and attached to the ticket. Tickets are only closed when there is a clear resolution/conclusion.
Moreover, the Security Officer is subscribed to several newsfeeds, including that of the Nationaal Cyber Security Centrum (NCSC), which reports on vulnerabilities. When a vulnerability is published that is relevant to anDREa (whether reported through the NCSC or other channels), the Security Officer registers the vulnerability in the ticketing system and handles it according to the set procedure. In addition, an announcement is published on the login portal of mydre.org stating whether the vulnerability impacts the services of anDREa.

anDREa distinguishes the following categories of incidents according to their impact:
High
Medium
Low
Unknown
N/A
Incidents that fall in the category High must be reported as soon as possible, including outside office hours.
Administrations:
Relevant security-related tickets (authorised personnel only).
ISMB action list (authorised personnel only).
Information Security and Data Protection training responses (authorised personnel only).