Data Breach Response Policy

- Guidelines and Policies

Download Policy
- Data Breach Response Policy
1. Overview

See purpose.
2. Purpose

The purpose of the policy is to establish the goal and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection.

The Diocese of Paterson Information Security’s intentions for publishing a Data Breach Response Policy is to focus significant attention on data security. The Diocese of Paterson’s Information Technology team is committed to protecting The Diocese of Paterson’s employees, partners and the organization from illegal or damaging actions by individuals, either knowingly or unknowingly.
3. Scope

This policy applies to all whom collect, access, maintain, distribute, process, protects, stores, uses, transmits, disposes of, or otherwise handles personally identifiable information (PII), payment card information (PCI) or Protected Health Information (PHI) of The Diocese of Paterson’s members. Any agreements with vendors will contain language similar that protects the organization.
4. Policy
- 4.1 Confirmed theft, data breach or exposure of the Diocese of Paterson Protected data or the Diocese of Paterson’s Sensitive data
  - 4.1.1 As soon as a theft, data breach or exposure containing The Diocese of Paterson’s protected data or The Diocese of Paterson Sensitive data is identified, the process of removing all access to that resource will begin. Which must include but is not limited to the following form in either a word document or the monday board within the cybersecurity workspace:
    
    Cyber Security Incident Initial System Triage
    
    Cyber Security Incident Containment
    
    Cyber Security Incident Recovery
    
    Cyber Security Incident Response Incident Summary
  - 4.1.2 If the forms are not completed on Monday, the naming convention of the above lists are as follows: Department_MM-DD-YY_EMPLOYEE_Form
    
    Eg. Technology_8-1-23_JorgeTeixeira_ Incident Initial System Triage.docx
  - 4.1.3 The Director of Technology will chair an incident response team to handle the breach or exposure. Members include:
    
    IT Department
    
    Risk management
    
    Legal
    
    Finance (if applicable)
    
    Communications
    
    Human Resources
    
    The affected unit or department that uses the involved system or output or whose data may have been breached or exposed
    
    Additional departments based on the data type involved, Additional individuals as deemed necessary by the Director of Technology
    
    Managed Service Provider
- 4.2 Confirmed theft, breach or exposure of the Diocese of Paterson data
  - 4.2.1 The Director of Technology will be notified of the theft, breach or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.
- 4.3 Forensic Investigators Coordination
  - 4.3.1 Forensic Investigators will work with The Diocese of Paterson’s technology, communications, legal, risk management and human resource departments to decide how to communicate the breach to a) internal employees, b) the public, and c) those directly affected.
5. Roles and Responsibilities
- Stakeholders - Stakeholders are those members of the Diocese of Paterson community that have primary responsibility for maintaining any particular information resource. Stakeholders may be designated by any of The Diocese of Paterson Executives in connection with their administrative responsibilities, or by the actual stakeholders, collection, development, or storage of information.
- Director of Technology is that member of the Diocese of Paterson community, who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources in consultation with the relevant Stakeholders.
- Users include virtually all members of the Diocese of Paterson community to the extent they have authorized access to information resources, and may include staff, trustees, contractors, consultants, interns, temporary employees and volunteers.
- The Incident Response Team shall be chaired by Executive Management and shall include, but will not be limited to, the following departments or their representatives: IT Department; Communications; Legal; Management; Financial Services, Member Services; Human Resources: Risk Management.
6. Standard Compliance
- 6.1 Compliance Measurement
  The DoP Technology team may verify compliance to this Standard through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the Standard owner.
- 6.2 Exceptions
  All devices should be compliant with cyber insurance standards and local/federal governance standards. Any exception/outliers should be approved by the DoP Technology team in advance.
- 6.3. Non-Compliance
  An employee found to have violated this Standard may be subject to disciplinary action, up to and including termination of employment.
7. Related Standards, Policies and Processes

IBM Breach Response