Incident Response Plan
An “incident” is defined as a suspected or confirmed “data compromise”. A “data compromise” is any situation where there has been unauthorised access to a system or network where cardholder data is collected, processed, stored, or transmitted. For purposes of PCI DSS, a “data compromise” can also involve the suspected or confirmed loss or theft of any material or records that contain cardholder data.
Some examples of data compromise incidents that an employee might recognise in their day-to-day activities include, but are not limited to:
• Theft, damage, or unauthorised access (e.g., papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorised physical entry)
• Inaccurate information within databases, logs, files or paper records
• Card terminals that have been tampered with or substituted
• Computers that have had a suspect device installed to the USB port
Reporting an Incident
Employees are responsible for reporting incidents in their area to their Line Manager and the PCI DSS Committee. The PCI DSS Committee will report the incident to the Director of Finance, the Chief Financial Officer and any other relevant parties. If you become aware of a suspected or real security incident relating to cardholder data, or a failure in procedure, then you must act immediately.
All communications with law enforcement or the public will be coordinated by the PCI DSS Committee.
The following steps must be immediately followed when a confirmed or suspected incident arises:
• Take measures to ensure that a suspicious card terminal or computer cannot be used, such as:
    • Disconnect the terminal’s network cable / telephone line (but DO NOT switch the device off);
    • Put a note on the terminal stating that it is ‘not in use’;
    • Keep a watchful eye over the device until further information is given.
• Notify the following staff of the confirmed or suspected incident by email, providing whatever details (or general circumstances) are known about the suspected or confirmed incident:
    • Your Line Manager
    • PCI DSS Committee
Complete an Incident Response form and email it to the staff initially notified of the incident. The form should provide as much known detail as possible, including the date, time, and the nature of the incident if known. Any information you can provide will aid in responding in an appropriate manner.
Responses may proceed through the following stages; which stages apply will be determined by the PCI DSS Committee:
• Alert all relevant parties, i.e. banking relationship manager, merchant/acquiring bank, regional law enforcement agency;
• Collect and protect information associated with the intrusion;
• In the event that forensic investigation is required, the Income Office will work with legal representatives and management to identify appropriate forensic specialists;
• Eliminate the intruder's means of access and any related vulnerabilities;
• Research potential risks related to or damage caused by intrusion method used;
• Follow Ordinance C2 - Fraud if appropriate;
• Report to Directorate;
• Report to HEFCE;
• Report to the Information Commissioner.
Post Incident Response
Not more than one week following the incident, the PCI DSS Committee and all affected parties will meet to review the results of any investigation, determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Any identified areas in which the policy or a security control can be made more effective or efficient must be updated accordingly.
Incident Response Plan Review
It is required that this incident response plan be reviewed and tested annually and revised as needed.