Information Security Incident Management
Q: Is there an Incident Management Program that has been approved by management and communicated to constituents, and is there an owner who maintains and reviews the program? If yes, please provide the procedure to notify affected third parties.
A: Yes, this is part of our business continuity plan. Affected third parties (customers) are notified via email.
Q: Is there a formal Incident Response Plan?
A: Yes, it is included in our business continuity plan.
Q: Do you have a communication protocol for third parties that could be affected by an incident occurring on your platform?
A: No, as all work is handled internally. The only third-party services used are for servers.
Q: What is the maximum time that can elapse from the time an incident occurs until it is notified to third parties that are or may be affected by the incident?
A: Normally within an hour, but in some cases, it could be much shorter depending on the situation.
Q: Has your organization ever had a security incident or data breach within the past five years?
A: No, and not since 2016, when our software was launched.
Q: Have you conducted any tabletop exercises to simulate a real incident scenario? If yes, indicate the date it was performed, the scenario, and the roles that participated in the test. Were improvement points identified?
A: No, although we have simulated server downtime to validate redundancy. However, we have not conducted a large-scale catastrophe simulation involving multiple offline servers. Regular penetration tests and vulnerability analyses are performed.
Q: Does your organization have insurance to cover some of the expenses of a cybersecurity incident for the products/services offered?
A: Yes, we have $1M in coverage.