Reporting Security Incidents
This document describes and defines the processes for logging and reporting security incidents/breaches involving our customer’s personal data to our customer. Security is a core functional requirement that protects mission critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion.
Lanetix recognizes that security responsibilities are shared between our vendors, our partners, our subsidiaries, our customers, and us. Under this shared model, Lanetix provides a globally secure software services.
These processes include a requirement that notifications to impacted customers be communicated with 24 hours when they may involve our customer’s personal data. Meeting this requirement enables our customers to investigate and make the appropriate data breach notifications to regulators within the 72 hour timescale found in GDPR.
Plan and Prepare
Lanetix has identified internal personnel involved in incident management, including those involved in:
- Senior management
- Information security
- Personal data protection
- Risk management and quality assurance
- Technical support
Lanetix has identified external stakeholders, including:
- Service providers
- Regulatory authorities
- Customer liaisons
Lanetix has formalized and tested our internal incident management procedures.
Detect and Report
Lanetix, together with our infrastructure vendors, has set up a monitoring systems to detect current threats, via internal or external sources, and analyse them on a case-by-case basis.
Lanetix, together with our infrastructure vendors, has set up detection devices to alert us to any abnormal, suspicious, and malicious activities, as well as to specifically defined “security events.”
Assess and Decide
After evaluating the information detected and reported on, Lanetix determines whether the particular event rises to the level of an incident, and whether notification of competent authorities or individuals is required under law.
Lanetix documents the incident in an internal registry with facts about the violation, its effects and remediation measures taken.
Resolve and notify
Lanetix must deal with the incident by:
- Identifying and implementing measures to reduce its effects; and
- Notifying competent authorities.
Lanetix must use available notification forms provided by competent authorities, such as:
- breach notification forms
- security incident forms
Lanetix must identify deficiencies and correct them, to reduce the risk of recurrence.
Lanetix must review any and all identified risks and update data protection impact assessments accordingly.