Incident Response Plan
Objective
The objective of this policy is to ensure a consistent and effective approach to the management of Security Incidents, including the identification and communication of Security Events and Security Weaknesses.
INCIDENT RESPONSE POLICY
- Management responsibilities and procedures should be established to ensure a quick, effective, and orderly response to Security and Privacy Incidents.
- The objectives for Incident management should be agreed upon with management, and those responsible for Incident management should understand the organization’s priorities for handling Incidents.
- Security and Privacy Events should be reported through appropriate management channels as quickly as possible.
- Personnel and contractors using the organization’s information systems and services are required to note and report any observed or suspected Security Weakness or Vulnerability in systems or services.
- Security and Privacy Incidents should be responded to in accordance with documented Incident Response procedures.
- Knowledge gained from analyzing and resolving Security and Privacy Incidents should be used to reduce the likelihood or impact of future incidents.
- Procedures should be defined and applied for the identification, collection, acquisition, and preservation of information, which can serve as evidence.
- Communication channels should be established well in advance of a Security or Privacy Incident. Include all necessary parties in relevant communication.
- In the event of a Security or Privacy Incident, Data Controllers, government bodies, PII Principals, and other necessary parties should be notified in a reasonable timeframe, and in compliance with regulatory and other applicable requirements and guidance.
- At no time should investigations into Security or Privacy Events or Incidents be
SCOPE
This document covers the Incident Response process for all identified Security and Privacy Incidents.
The following activities will be covered:
- Detection
- Analysis
- Containment
- Eradication
- Recovery
- Post-Incident Activities
The Incident Response process is considered complete once Information confidentiality, integrity, and/or availability are restored to normal and verification has occurred.
PROCESS OVERVIEW
Detection Phase
In the Detection Phase, an internal or external entity identifies a Security or Privacy Event.
Upon observation or notice of any suspected Security or Privacy Event, Personnel shall use reasonable efforts to promptly report such knowledge and/or suspicion to the Information Security Department.
To assess whether a Security or Privacy Event must be reported, Personnel shall consider whether there are indications that:
- Information was used by unauthorized Personnel or Third Parties.
- Information has been downloaded or copied inappropriately from LightForce Orthodontics, Inc.’s computer systems or equipment.
- Equipment or devices containing Information have been lost or stolen.
- Equipment or devices containing Information have been subject to unauthorized activity (e.g., hacking, malware).
- Personal Data has been inappropriately disclosed, accessed or transferred.
- Ineffective security controls.
- Breach of information integrity, confidentiality or availability expectations.
- Human errors.
- Non–compliance with policies or standards.
- Breaches of physical security arrangements.
- Uncontrolled systems change.
- Malfunctions of software or hardware.
- Access violations.
Even if Personnel are not sure whether a Security or Privacy Event is an actual Security or Privacy Incident, they are still required to report it as provided herein, as it is better to be cautious than to be compromised.
When reporting, the following information normally shall be supplied:
- Contact name and information of person reporting the Security or Privacy Event.
- Date and time the Security or Privacy Event occurred or was noticed.
- Type and circumstances of the Security or Privacy Event.
- The type of data, information, or equipment involved.
- Location of the Security or Privacy Event, data or equipment affected.
- Whether the Security or Privacy Event puts any person or other data at risk; and
- Any associated ticket numbers, emails or log entries associated with the Security or Privacy Event.
The Security Incident Response Team (SIRT) will ensure that the necessary resources are promptly engaged once such notice is received, and shall use reasonable efforts to analyze the matter and determine whether to proceed with the Analysis Phase of the Incident Response Procedures.
Analysis Phase
1. The initial response to detection of a Security or Privacy Event is typically the Analysis Phase. In this phase the Security Incident Response Team determines whether a Security or Privacy Event is legitimate by performing analysis on the information being collected.
2. The Security Incident Response Team will also identify whether the Security or Privacy Event was the result of an innocent error or the actions of a potential attacker. If the latter, effort shall be made to identify who the potential attacker may be, by processes such as:
   - Validating the attacker’s IP address.
   - Researching the attacker through search engines.
   - Using incident databases.
3. The Security Incident Response Team will notify senior leadership and ensure the appropriate team members are engaged accordingly. The Security Incident Response Team will begin documenting the investigation and gathering evidence. The type of Security or Privacy Incident is based on the nature of the event. Example types are listed as follows:
   - Data exposure.
   - Unauthorized access/Inappropriate role-based access.
   - Distributed Denial of Service/Denial of Service (DDoS/DoS).
   - Malicious code.
   - Improper usage.
   - Scans/Probes/Attempted access.
   If it is determined that a Security or Privacy Incident has not occurred, “Post-Incident Activities” may be initiated under the direction of the SIRT.
4. The Security or Privacy Incident’s potential impact on LightForce Orthodontics, Inc. and/or its clients shall be evaluated, and the Security Incident Response Team shall assign an initial severity classification of low, medium, high, or critical to the Security or Privacy Incident.
5. The Security Incident Response Team shall attempt to determine the scope of the Security or Privacy Incident and verify whether the Security or Privacy Incident is still ongoing.
6. If the Security or Privacy Incident involves malware, the team shall analyze the malware to determine its capabilities and potential impact to the environment. Based on the evidence reviewed, the team will determine if the Security or Privacy Incident requires reclassification as to its severity or cause.
7. The collection of evidence shall be done with due diligence and the following procedures shall apply. Gathering and handling of evidence (forensics) shall include:
   - Identifying information (e.g., the location, serial number, model number, hostname, media access control (MAC) address, and IP address of a computer).
   - Name, title, and phone number of everyone who collected or handled the evidence during the investigation.
   - Time and date (including time zone) of each occurrence of evidence handling.
   - Locations where the evidence was stored, and conditions of storage (e.g., locked spaces, surveilled spaces).
   - Reasonable efforts to create two backups of the affected system(s) using new, unused media — one is to be sealed as evidence and one is to be used as a source of additional backups.
8. To ensure that evidence is not destroyed or removed, where any Personnel are suspected of being responsible for a Security or Privacy Incident, LightForce Orthodontics, Inc. shall, consistent with its procedures, use reasonable efforts to place monitoring and forensics agents on, and/or confiscate, all computer/electronic assets that have been assigned to the individual.
9. Where applicable, and depending upon the seriousness of the Security or Privacy Incident, items and areas that shall be secured and preserved in an “as was” condition include:
   - Computer hardware (keyboard, mouse, monitor, CPU, etc.).
   - Software.
   - Storage media (disks, tapes, removable disk drives, CD-ROMs, etc.).
   - Documentation (manuals, printouts, notebooks, notepads).
   - In cases of damage, the computer system and its surrounding area, as well as other data storage devices, shall be preserved for the potential collection of evidence (e.g., fingerprinting).
10. If it is determined that a Security or Privacy Incident has occurred and may have a significant impact on LightForce Orthodontics, Inc. or its clients, the team shall determine whether additional resources are required to investigate and respond to the Security or Privacy Incident.
Containment Phase
The Containment Phase mitigates the root cause of the Security or Privacy Incident to prevent further damage or exposure. This phase attempts to limit the impact of a Security or Privacy Incident prior to an eradication and recovery event. During this phase, the Security Incident Response Team may implement controls, as necessary, to limit the damage from a Security or Privacy Incident. If a Security or Privacy Incident is determined to be caused by innocent error, the Eradication Phase may not be needed. For example, after reviewing any information that has been collected while investigating the Security or Privacy Incident, the team may:
- Secure the physical and network perimeter.
- Connect through a trusted connection and retrieve any volatile data from the affected system.
- Determine the relative integrity and the appropriateness of backing the system up.
- If appropriate, back up the impacted system.
- Change the password(s) to the affected system(s). Personnel, as appropriate, shall be notified of the password change.
- Determine whether it is safe to continue operations with the affected system(s).
Eradication Phase
The Eradication Phase is the phase where vulnerabilities causing the Security or Privacy Incident, and any associated compromises, are removed from the environment. An effective eradication for a targeted attack removes the attacker’s access to the environment all at once, during a coordinated containment and eradication event. Although the specific actions taken during the Eradication Phase can vary depending on the Security or Privacy Incident, the standard process for the Eradication Phase shall be as follows:
- Determine the symptoms and cause related to the affected system(s).
- Eliminate components of the Security or Privacy Incident. This may include deleting malware, disabling breached user accounts, etc.
- Strengthen the controls surrounding the affected system(s), where possible (a risk assessment will be performed, if needed).
- If additional issues or symptoms are identified, take appropriate preventative measures to eliminate or minimize potential future compromises.
- Update the Incident Record with the information learned from the vulnerability assessment, including the cause, symptoms, and method used to fix the problem with the affected system(s).
- If necessary, escalate to higher levels of support to enhance capabilities, resources, or time-to-eradication.
- Apprise senior management of progress, as appropriate.
After LightForce Orthodontics, Inc. has implemented the changes for eradication, it is important to verify that the cause of the Security or Privacy Incident is fully eradicated from the environment. The team shall also test the effectiveness of any security controls or changes that were made to the environment during containment and eradication.
Recovery Phase
The Recovery Phase represents the Security Incident Recovery Team’s effort to restore the affected system(s) to operation after the problems that gave rise to the Security or Privacy Incident, and the consequences of the Security or Privacy Incident, have been corrected.
Although the specific actions taken during the Recovery Phase can vary depending on the identified Security or Privacy Incident, the standard process to accomplish this shall be as follows:
- Execution of the following actions, as appropriate:
  - Restoring systems from clean backups.
  - Replacing affected files with clean versions.
- Determination whether the affected system(s) has been changed in any way.
  - If the system(s) has been changed, the system is restored to its proper, intended functioning (“last known good”).
  - If the system(s) has not been changed in any way, but was taken offline (i.e., operations had been interrupted), restart the system and monitor for proper behavior.
- Implementation of additional monitoring and alerting may be done to identify similar activities.
- Update the Incident Record with any details determined to be relevant during this phase.
- Apprise senior management of progress, as appropriate.
Post-Incident Activities
Communications
Notification
LightForce Orthodontics, Inc. shall use reasonable efforts to provide notice to Personnel and/or affected parties about a Security or Privacy Incident or Data Breach involving the Personal Information and/or client Data of such stakeholders. When publicly disclosing information of a Security or Privacy Incident, the following shall be considered:
- Was Personal Data compromised?
- Was client Data compromised?
- Were legal and/or contractual obligations invoked by the Security or Privacy Incident?
- What is the organization’s strategy moving forward?
Cooperation with External Investigators
If the team considers it appropriate to inform law enforcement authorities or to retain forensic investigators or other external advisors, the following information shall be collected to provide to such authorities or investigators:
- To the extent known, details of the:
  - Security or Privacy Incident (date, time, place, duration, etc.).
  - Person(s) under suspicion (name, date of birth, address, occupation/position, employment contracts, etc.).
  - Computer and network log files pertaining to the Security or Privacy Incident(s).
  - “Ownership” details of any Information that is allegedly stolen, altered, or destroyed.
  - The access rights to the computer system involved of the person(s) under investigation.
  - Information obtained from access control systems (e.g., computer logs, door keyfobs, etc.).
  - Any action taken by the IT department in relation to the computer systems concerned, including the date and time.
- A copy of the applicable LightForce Orthodontics, Inc. Data Privacy and Security Statement (“Statement”) in force at the time of the incident (if applicable).
- Any other documentation or evidence relevant to the internal investigation of the Security or Privacy Incident.
Follow Up
The Follow-up Phase represents the review of the Security or Privacy Incident to look for “lessons learned” and to determine whether the process that was followed could have been improved in any way. Security or Privacy Events and Security or Privacy Incidents shall be reviewed after identification and resolution to determine where the response could be improved.
The team will meet to review the Security or Privacy Event or Security or Privacy Incident record created, as necessary, and perform the following:
- Determine the root cause of the Security or Privacy Incident and what shall be done to ensure that the root cause has been addressed.
- Create a “lessons learned” document and include it with the Incident Record.
- Evaluate the cost and impact of the Security or Privacy Event or Incident to the organization using applicable documents and any other resources.
- Determine what could be improved.
- Communicate these findings to senior management for approval, as necessary, and for implementation of any recommendations made post-review of the Security or Privacy Event or Incident.
- Carry out recommendations approved by senior management while ensuring that sufficient time and resources are committed to this activity.
- Close the Security or Privacy Event or Incident.
Retention and Review of Security or Privacy Incident Record & Documentation
It shall be the responsibility of the team to investigate the Security or Privacy Incident and establish an incident record. The incident record shall be verified during the follow up process to ensure that it documents:
- Relevant factual information or evidence.
- Consultations with Personnel and external advisors.
- Findings resulting from the collection of factual information or evidence obtained.
- Dates and times when incident-related events occurred.
- A description of the Security or Privacy Incident, including the systems, programs, networks or types of Information that may have been compromised.
- Root cause(s) of the Security or Privacy Incident(s), if known, and how they have been addressed.
- An estimate of the amount of time spent by Personnel working to remediate incident-related tasks.
- The amount of time spent by Third Parties working on incident-related tasks, including advice from outside counsel.
- The names and contact information of all individuals providing information in connection with the investigation.
- Measures taken to prevent future Security or Privacy Incidents, taking into consideration root causes, along with any remediation costs incurred by LightForce Orthodontics, Inc.
Retention and Review of Data Breaches Record & Documentation
It shall be the responsibility of LightForce Orthodontics, Inc. to notify impacted parties about a Data Breach and to establish a record of the Data Breach with sufficient information to provide a report for regulatory and/or forensic purposes. The Data Breach record shall be verified during the follow-up process to ensure that it documents:
- A description of the Security Incident and/or Privacy Incident.
- The time period.
- The consequences of the Security or Privacy Incident.
- The name of the reporter.
- To whom the Security or Privacy Incident was reported.
- The steps taken to resolve the Security or Privacy Incident (including the person in charge and the data recovered); and
- The fact that the Security or Privacy Incident resulted in unavailability, loss, disclosure, or alteration of Personal Data and/or PII.
Periodic Evaluation of the Program
The processes surrounding incident response shall be periodically reviewed and evaluated for effectiveness. This also involves appropriate training of resources expected to respond to Security or Privacy Events and Incidents, as well as the training of the general population regarding the organization’s expectation of them, relative to security responsibilities.
Security or Privacy Events and Incidents shall be recorded for tracking, analysis, and reporting purposes. The following metrics shall be considered to assess the overall Security or Privacy Incident management program:
- Overall reduction in time spent responding to Security or Privacy Incidents.
- Reduction of impact of certain Security or Privacy Incidents.
- Overall occurrence of Security or Privacy Incidents.
- Mean time to analysis (MttA).
- Mean time to resolution (MttR).
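How the MttA, MttR and occurrence metrics above can be computed from Incident Records, as an added example (not part of the policy and not LightForce code): the record field names, the sample records and the rule that a record without a time zone or a still-ongoing incident is excluded from a metric are assumptions; the severity classes and the requirement to record time zones come from the policy.

```python
from datetime import datetime, timezone
from statistics import mean

# Severity classes named in the Analysis Phase of the policy.
SEVERITIES = ("low", "medium", "high", "critical")


def parse_ts(value):
    """Parse an ISO-8601 timestamp into UTC; the policy requires time zones on
    evidence timestamps, so a naive value is rejected, not assumed local."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp lacks a time zone: {value}")
    return ts.astimezone(timezone.utc)


def check_record(rec):
    """Return the problems found in one Incident Record ([] if it is usable)."""
    problems = []
    if rec.get("severity") not in SEVERITIES:
        problems.append(f"unknown severity {rec.get('severity')!r}")
    try:
        detected = parse_ts(rec["detected_at"])
        analysed = parse_ts(rec["analysis_started_at"])
        resolved = parse_ts(rec["resolved_at"]) if rec.get("resolved_at") else None
    except (KeyError, ValueError) as exc:
        return problems + [f"bad timestamp: {exc}"]
    if analysed < detected:
        problems.append("analysis started before detection")
    if resolved is not None and resolved < analysed:
        problems.append("resolved before analysis started")
    return problems


def hours_between(start, end):
    return (parse_ts(end) - parse_ts(start)).total_seconds() / 3600


def mean_time_to_analysis(records):
    """MttA: mean hours from detection to start of analysis over valid records."""
    valid = [r for r in records if not check_record(r)]
    return mean(hours_between(r["detected_at"], r["analysis_started_at"]) for r in valid)


def mean_time_to_resolution(records):
    """MttR: mean hours from detection to resolution. Incidents still ongoing
    (no resolved_at) are left out rather than counted as zero hours."""
    closed = [r for r in records if not check_record(r) and r.get("resolved_at")]
    return mean(hours_between(r["detected_at"], r["resolved_at"]) for r in closed)


def occurrences_by_severity(records):
    """Overall occurrence of valid incidents, per severity class."""
    counts = {s: 0 for s in SEVERITIES}
    for r in records:
        if not check_record(r):
            counts[r["severity"]] += 1
    return counts


SAMPLE_RECORDS = [  # constructed sample data, not real incidents
    {"id": "INC-1", "severity": "high", "detected_at": "2024-03-01T09:00:00-05:00",
     "analysis_started_at": "2024-03-01T09:30:00-05:00", "resolved_at": "2024-03-02T09:00:00-05:00"},
    {"id": "INC-2", "severity": "medium", "detected_at": "2024-03-05T14:00:00+00:00",
     "analysis_started_at": "2024-03-05T16:00:00+01:00", "resolved_at": None},  # 1h later in UTC; ongoing
    {"id": "INC-3", "severity": "low", "detected_at": "2024-03-06T10:00:00",  # no time zone: rejected
     "analysis_started_at": "2024-03-06T10:05:00+00:00"},
]
```

Running the functions over SAMPLE_RECORDS gives an MttA of 0.75 hours over the two usable records, an MttR of 24 hours over the one closed record, and one high and one medium occurrence.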