| Field | Value |
| --- | --- |
| Title | Breach Notification Procedure |
| Document ID | [PROC-BREACH-001] |
| Version | 0.1 Draft |
| Status | Draft |
| Owner | CISO (Paul Jenkins) |
| Approver | CISO (Paul Jenkins) |
| Classification | Internal |
| Effective date | [DD Month YYYY] |
| Review date | [DD Month YYYY] |

# Breach Notification Procedure

## Purpose

This procedure defines how BlackDice should assess and manage notification obligations arising from suspected or confirmed personal data breaches or other reportable security incidents.

## Scope

This procedure applies to incidents that may trigger legal, regulatory, contractual, customer, or other formal notification obligations.

## Trigger / When Used

Use this procedure when:

- an incident may involve personal data compromise
- contractual notification requirements may apply
- customer-owned or supplier-shared information may be affected
- there is uncertainty about whether notification obligations exist


## Procedure Steps

1. Receive escalation from incident handling or another authorised source, and record the date and time at which BlackDice became aware of the incident, since statutory and contractual notification deadlines are normally measured from that point.
2. Confirm the nature of the incident, the information involved (including whether it is personal data, customer-owned, or supplier-shared), and the affected parties or environments.
3. Assess whether legal, regulatory, contractual, customer, or supplier notification obligations may apply.
4. Identify the relevant deadlines, approval requirements, and required content for each notification.
5. Coordinate internal review with the appropriate stakeholders, including security, privacy, legal, management, and customer-facing roles as needed.
6. Where notification is required, prepare and issue it through the approved channel.
7. Record the decision, rationale, timing, recipients, and any follow-up obligations.
8. Update the underlying incident record and track resulting actions to completion.


## Inputs

- incident details and severity assessment
- affected data or service information
- contractual and regulatory obligations
- stakeholder review input


## Outputs / Records

- notification decision record
- issued notification or documented no-notification rationale
- approval evidence
- follow-up action record


## Roles and Responsibilities

- [Role] must coordinate notification assessment and execution.
- Incident handlers must escalate potentially notifiable incidents promptly.
- Relevant stakeholders must review obligations and approve content where required.


## Escalation / Exceptions

Escalate immediately where:

- notification deadlines may be at risk
- facts are incomplete but harm may be ongoing
- a customer or regulator has already made contact
- multiple jurisdictions or conflicting obligations may apply

This procedure must not be interpreted as legal advice. Legal review should be obtained where appropriate.

## Related Documents

- Incident Response Policy
- Security Incident Handling Procedure
- Privacy and Data Protection Policy
- Information Transfer Policy

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |