For the purpose of information security in Agile systems, the Company adopts the following policy and stipulates that Internal Compliance and Internal Technical Compliance, together with the responsible person for Internal IT, will constitute the "Incident Response" Team.
This procedure pertains to any event that is potentially capable of causing a breach, loss, and/or alteration of information stored in Agile's computer systems and/or managed by Agile on behalf of its clients, including but not limited to:
- Malware and DDoS attacks
- Unauthorized access
- Internal violations
- Unauthorized privilege escalation
- Theft or loss of devices
If the incident is potentially capable of constituting a "data breach" as defined in Article 35 of the GDPR, the Incident Response Team will inform a Legal Representative of the Company and the DPO to initiate the corresponding procedure.
Assessment and decision
Within 24 hours of the event, the Incident Response Team will provide the Compliance Team with a report on the relevant incident and the possible technical actions.
The incident closure report is an internal document that provides a summary of the following information:
- Date and time of incident closure report communication
- Detected events that led to the opening of the incident record
- Date and time of incident management record opening
- List of investigations conducted to detect and circumscribe the perimeter within which the security breach of ICT (Information and Communication Technology) was identified
- List of damages suffered
- References to evidence substantiating the identification of the damages, without attaching the evidence itself
- Detailed list of ICT assets that have suffered damages (systems, devices, technology chains, applications, etc.)
Summary of observed SLAs (Service Level Agreements) during the incident management process and possible justification for any delays caused Once the ICT assets affected by the event and the associated attack category have been identified, ICT security operators assess the impact of the violation on the ICT assets and/or the information assets of Agile Lab. They use the following evaluative scale:
Severe: Indicates a violation of ICT security policies that results in permanent and irreversible damage to ICT assets and/or Agile Lab's information assets.
- Relevant: Indicates activities associated with the detection of ICT security violations that result in temporary and reversible damage to ICT assets and/or Agile Lab's information assets.
- Significant: Indicates activities associated with the detection of attempted ICT security violations that do not pose a direct threat to ICT assets and/or Agile Lab's information assets. This category includes anomalous user behaviors and applications that do not require specific containment measures, except for monitoring to prevent or contain any subsequent attacks.
- False positive: Indicates theoretically malicious events that do not result in any ICT security violation in the specific context under examination. If events are identified as false positives, the alarm classification process is terminated, and the possibility of filtering such events from the tracking systems should be considered to avoid overburdening incident management activities with repetitive operations. Otherwise, the alarm is classified, and all subsequent activities related to alarm or incident management are carried out.
The Compliance Team is responsible for determining whether an incident has occurred and indicating the remedial actions to be taken.
The criticality assessment of the ICT asset, expressed on a three-value scale (High, Medium, Low), includes analytical activities aimed at evaluating the criticality of the context in which security violation events have been detected. The criticality value of the asset can be derived from the classification of the provided service, determined through appropriate Risk Assessment activities performed on ICT assets, or based on evaluations of the information processed by the systems.
Detection and reporting
In the event of a potential incident, the Compliance Team of the Company must be immediately notified, no later than 5 hours, at firstname.lastname@example.org, which will verify the activation of this procedure.
The above will be recorded in the Data Breach Register maintained by the Company.
The Incident Response Team will monitor the execution of incident remediation actions, if necessary, and provide written updates to the Compliance Team on a periodic basis.
Within 30 days of the incident, the Compliance Team will assess possible improvements and implementations to internal procedures to prevent the recurrence of the same incident.