Breach Disclosure Policy
Introduction
AREMIS recognizes the importance of maintaining the confidentiality, integrity, and availability of sensitive information and data assets. Despite our robust information security measures and controls, there is a possibility of security incidents or breaches occurring. This Breach Disclosure Policy outlines the procedures and guidelines to be followed in the event of a security breach.
Definitions
Breach: A breach refers to any unauthorized access, disclosure, loss, alteration, or destruction of sensitive information or data assets, which may compromise the confidentiality, integrity, or availability of such information.
Incident Response Team (IRT): The Incident Response Team consists of designated individuals responsible for assessing, investigating, and managing security incidents and breaches.
Reporting Security Breaches
Employees' Responsibilities: All employees, contractors, and third-party service providers must report any suspected or confirmed security breaches to the IRT immediately, following the incident reporting procedure defined by the organization.
Incident Response Team: The IRT will be responsible for managing and coordinating breach response activities, including containment, investigation, communication, and recovery efforts.
Breach Assessment and Evaluation
Initial Assessment: The IRT will promptly assess and evaluate the reported security breach to determine its nature, scope, and potential impact on sensitive information and data assets.
Incident Classification: The breach will be classified based on the severity, potential harm, and the nature of the compromised information. Classification levels may include low, medium, and high, as defined by the organization's risk management framework.
Impact Analysis: The IRT will conduct an impact analysis to determine the potential consequences of the breach, including legal, financial, operational, and reputational risks.
Breach Response and Notification
Breach Containment: The IRT will take immediate action to contain the breach, prevent further unauthorized access, and mitigate potential damage.
Breach Investigation: The IRT will conduct a thorough investigation to determine the root cause, extent of the breach, and the parties affected.
Legal and Regulatory Obligations: The organization will comply with all applicable legal and regulatory requirements regarding breach notification, together with the incident management requirements of ISO 27001 and the obligations of relevant data protection laws.
Notification Process: Following the investigation, the IRT will prepare breach notification communications to affected parties, including individuals, regulatory authorities, and other relevant stakeholders, as required by law.
Communication Strategy: The IRT will develop a communication strategy to ensure consistent, accurate, and timely information sharing with affected parties, the media (if necessary), and internal stakeholders.
Lessons Learned and Continuous Improvement
Post-Breach Analysis: The IRT will conduct a post-breach analysis to identify the underlying causes of the breach, evaluate the effectiveness of existing security controls, and propose remedial actions to prevent future incidents.
Remediation and Mitigation: Based on the post-breach analysis, the organization will implement corrective measures and updates to existing security controls, policies, and procedures to mitigate the risk of similar breaches occurring in the future.
Training and Awareness: AREMIS will provide ongoing training and awareness programs to educate employees on security best practices, incident reporting, and their responsibilities in maintaining the security of sensitive information.
Policy Review and Updates
This Breach Disclosure Policy will be reviewed periodically, at least annually, to ensure its relevance and effectiveness in addressing evolving security threats and regulatory requirements. Updates will be made as necessary, with the approval of the appropriate stakeholders within AREMIS.