Initial commit
This commit is contained in:
Paul Jenkins
83
03-procedures/breach-notification-procedure.md
Normal file
83
03-procedures/breach-notification-procedure.md
Normal file
@@ -0,0 +1,83 @@
|
||||
Title: Breach Notification Procedure
|
||||
Document ID: [PROC-BREACH-001]
|
||||
Version: 0.1 Draft
|
||||
Status: Draft
|
||||
Owner: CISO (Paul Jenkins)
|
||||
Approver: CISO (Paul Jenkins)
|
||||
Classification: Internal
|
||||
Effective date: [DD Month YYYY]
|
||||
Review date: [DD Month YYYY]
|
||||
|
||||
# Breach Notification Procedure
|
||||
|
||||
## Purpose
|
||||
|
||||
This procedure defines how BlackDice should assess and manage notification obligations arising from suspected or confirmed personal data breaches or other reportable security incidents.
|
||||
|
||||
## Scope
|
||||
|
||||
This procedure applies to incidents that may trigger legal, regulatory, contractual, customer, or other formal notification obligations.
|
||||
|
||||
## Trigger / When Used
|
||||
|
||||
Use this procedure when:
|
||||
|
||||
- an incident may involve personal data compromise
|
||||
- contractual notification requirements may apply
|
||||
- customer-owned or supplier-shared information may be affected
|
||||
- there is uncertainty about whether notification obligations exist
|
||||
|
||||
## Procedure Steps
|
||||
|
||||
1. Receive escalation from incident handling or another authorised source.
|
||||
2. Confirm the nature of the incident, the information involved, and the affected parties or environments.
|
||||
3. Assess whether legal, regulatory, contractual, customer, or supplier notification obligations may apply.
|
||||
4. Identify relevant deadlines, approval requirements, and required content for notification.
|
||||
5. Coordinate internal review with appropriate stakeholders, including security, privacy, legal, management, and customer-facing roles as needed.
|
||||
6. Prepare and issue notification through the approved channel where notification is required.
|
||||
7. Record the decision, rationale, timing, recipients, and any follow-up obligations.
|
||||
8. Update the underlying incident record and track resulting actions to completion.
|
||||
|
||||
## Inputs
|
||||
|
||||
- incident details and severity assessment
|
||||
- affected data or service information
|
||||
- contractual and regulatory obligations
|
||||
- stakeholder review input
|
||||
|
||||
## Outputs / Records
|
||||
|
||||
- notification decision record
|
||||
- issued notification or documented no-notification rationale
|
||||
- approval evidence
|
||||
- follow-up action record
|
||||
|
||||
## Roles and Responsibilities
|
||||
|
||||
- [Role] must coordinate notification assessment and execution.
|
||||
- Incident handlers must escalate potentially notifiable incidents promptly.
|
||||
- Relevant stakeholders must review obligations and approve content where required.
|
||||
|
||||
## Escalation / Exceptions
|
||||
|
||||
Escalate immediately where:
|
||||
|
||||
- notification deadlines may be at risk
|
||||
- facts are incomplete but harm may be ongoing
|
||||
- a customer or regulator has already made contact
|
||||
- multiple jurisdictions or conflicting obligations may apply
|
||||
|
||||
This procedure must not be interpreted as legal advice. Legal review should be obtained where appropriate.
|
||||
|
||||
## Related Documents
|
||||
|
||||
- Incident Response Policy
|
||||
- Security Incident Handling Procedure
|
||||
- Privacy and Data Protection Policy
|
||||
- Information Transfer Policy
|
||||
|
||||
## Version Control
|
||||
|
||||
| Version | Date | Description of Change | Author |
|
||||
| --- | --- | --- | --- |
|
||||
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
|
||||
Reference in New Issue
Block a user