Outlines RMS’s procedures and responsibilities for identifying, containing and responding to a data breach.
Overview
This article outlines the procedures and protocols that RMS will follow in the event of a data breach involving the exposure of sensitive personal information to unauthorised parties. It defines the roles and responsibilities of key personnel and provides a comprehensive plan for breach identification, impact assessment, response, and future prevention.
What is a Data Breach?
A data breach refers to any incident involving unauthorised access to data owned by RMS or entrusted to RMS by its customers, vendors, or partners and hosted within RMS-operated data centres.
Such breaches can lead to the theft, loss, or unauthorised disclosure of personal or other sensitive information.
Common causes of data breaches include human error, malicious cyberattacks, and insufficient or improperly enforced access controls.
RMS's responsibilities and obligations in response to a data breach will vary depending on the nature, cause, and impact of the incident.
Response Team & Responsibilities
| Department | Responsibility | Phone | |
|---|---|---|---|
Technical Services |
Identify/contain breach; collect evidence; implement preventative controls |
+61 3 8256 9622 |
|
Support |
Customer point of contact (initial comms and case handling) |
+61 3 8256 9622 |
|
Administration |
Customer notifications (if/when required) |
+61 3 8256 9622 |
Data Breach Plan
In the event of a confirmed or suspected data breach, RMS response teams will follow the procedures outlined below.
These procedures are subject to periodic review and may be updated to reflect evolving best practices in cybersecurity, as well as changes in applicable legal or regulatory requirements.
Identify/Confirm Breach
- A data breach can be caused by either internal or external entities.
- Contact the person who reported the breach.
- Identify how and when the breach was detected.
- Establish if the breach is caused by an external or internal entity.
- Establish if other teams are required to be notified and notify them if necessary.
- Determine the User accounts, IP addresses of the hacker.
- Determine when the first successful attempt was made.
- Determine if any data was modified, such as additional User accounts created.
- Establish the root cause of breach.
Document/Record Evidence of Breach
- Document the following information as evidence using logs and any other tools available.
- User names that are used to access data.
- IP Address information.
- Timestamps of when unauthorized access was gained and / or data access / modification was made.
- If possible identify any modifications to data.
- Collect all other information deemed evidence
- Copy/backup all logs for further analysis.
Measures to Stop Further Data Loss/Theft
- Change passwords of identified user accounts used to gain unauthorized access.
- Disable user accounts if required.
- Restrict access based on IP address if possible.
- Schedule any patches/updates if breach is due to a vulnerability in software.
- Identify if security improvements are required by the software or architecture and implement if necessary.
Evaluate the Risk Associated/Extent of Data Breach
- If the breach can cause further data loss/theft for other customers/vendors/partners or RMS then take similar measures as recorded earlier in "Measures to stop further data loss/theft" for all other entities/systems to ensure security.
- If user accounts and IP address information has been identified then run scans on other systems to ensure no such connections were allowed.
Notification
The nature of breach determines who should be notified.
If the breach directly affects customers then customers must be notified so proper prevention measures can also be taken by them.
- Notify customers through a phone call and follow up with a detailed email outlining all findings and measures taken to prevent any further damage.
- Provide instructions to customers, if any action is required by them, to prevent further damage.
- Notify law enforcement agencies if required.
Prevention
- If the breach was due to an Operating System or third-party application, immediately update the software.
- If an update is not available contact vendor and inform them of incident and seek help to rectify.
- Evaluate current software update guidelines/schedules and make amendments as necessary.
- If the breach was due to RMS software, immediately identify and contact Software Engineering team to fix the issue.
- Schedule downtime and update software as necessary.
- If the fix requires time then put temporary measures in place.
- Actively monitor all systems while a permanent solution is being developed.
- If the breach is due to user error, social engineering attack etc. then educate the end users.
- Harden security such as disable plain text protocols and only allow encrypted communication.
- If security measures were already in place then re-evaluate infrastructure and identify/eliminate any weaknesses.
- If any action is required from other customers to safeguard their data, create a detailed knowledge base article and send out communication to all customers.
Appendix A - Law Enforcement Authorities Contact Information
| Country | Phone | Department |
|---|---|---|
| Australia | 000 | Emergency Services |
| Australia | +61 2 6141 2999 | CERT Australia |
| United States | 911 | Emergency Services |
| United States | (888) 282 0870 | US-CERT |
Comments
0 comments
Please sign in to leave a comment.