Security incident reporting
Introduction
Security must always be of utmost importance to everybody working at NML. The success and longevity of NML as a business is inextricably tied to the appropriate implementation of security policies that safeguard NML and its customers and business partners.
NML IT Management
- Charl Marais - charl@nml.co.za
- Ryan Barlow - ryan@nml.co.za
- Kirsten Manthey - kirsten@nml.co.za
Security Incident Categorization
Security incidents include:
- Physical security breaches - Unauthorized parties have attempted to gain, or have gained, physical on-premises access to restricted assets, documentation or systems.
- Digital breaches - Unauthorized parties have attempted to gain, or have gained, access through digital means to restricted data or systems.
Public
This information is general public knowledge. Unauthorized disclosure of this information will not cause problems for NML and its clients/partners. Examples are marketing materials, freely downloadable content, etc.
Internal Use Only
This information is for use within NML only, or for project communication between NML and clients/partners. Unauthorized disclosure of this information to outsiders may be against laws and regulations, confidentiality agreements, or may cause problems for NML and its clients/partners. This type of information is already widely distributed within NML, or is intended for distribution within NML without advance permission from the information owner. Examples are project scope and requirements documents, billing documents, requests for information, sales agreements, etc.
Restricted/Confidential (Privacy Violation)
This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. Unauthorized disclosure of this information may be against laws and regulations, confidentiality agreements, or may cause significant problems for NML and its clients/partners. Decisions about the provision of access to this information require approval by the information owner. Examples are any data covered by POPI regulations, information specified as private by clients/partners, NML salary information, project source code, etc.
Security Incident Response
Immediate Security Incident Response
The following steps are required upon detection of a possible security incident:
- Notify and discuss the incident with NML IT management.
- Take immediate appropriate actions (based on discussion with NML IT management) to contain any further potential breaches. That includes actions like shutting down/disconnecting affected systems or components, updating firewalls or network security groups, user rights, etc. It's important to stop any further potential damage until a clearer assessment of the situation can be obtained. It's easier to explain and contain a false positive than to deal with a security breach that was made worse by inaction because an assessment was still being made.
- Notify the appropriate contact person(s) at the client or partner (if applicable).
- Fill in the IT Security Incident Reporting Form (link to be provided) and send to NML IT management.
Follow-up Security Incident Response
After a security incident has been reported and contained, follow-up actions are required:
- Continue monitoring the affected system or components for any further incidents.
- For code related issues, schedule work for implementation and deployment with high priority on the project backlog.
- For infrastructure related issues, implement appropriate changes or schedule work with high priority on the project backlog.
- Complete the IT Security Incident Reporting Form (link to be provided) with the appropriate sign-offs.