The process outlined below should be followed by the appropriate staff at Planet B2B in the event of an Information Security Incident. Planet B2B shall assign resources and adopt procedures to assess automated detection results in a timely manner, screen internal and external reports, and identify actual information security events. Planet B2B shall document each identified Information Security Incident.

Detection and Reporting

Automated Detection

Planet B2B may utilize automated detection means and other technical safeguards to automatically alert Planet B2B of incidents or potential incidents.

 

Report from Planet B2B Personnel

All Planet B2B personnel must report potential security incidents as follows:

  • If you believe an incident occurred or may occur, or you may have identified a threat, vulnerability, or other security weakness, please report it to the following email immediately: security@PlanetB2B.com;
  • Provide all available information and data regarding the potential incident; and
  • Once an incident has been submitted, please stop using the affected system, or any other potentially affected device, until given the okay by the SRT.

 

Report from External Source

External sources, including Planet B2B’s customers, who claim to have information regarding an actual or alleged information security incident should be directed to security@PlanetB2B.com. 

Employees who receive emails or other communications from external sources regarding information security incidents that may affect Planet B2B or others, security vulnerabilities, or related issues should immediately report those communications to security@PlanetB2B.com and should not interact with the source unless authorized.

Response Procedures

Overview

Responding to a data breach involves the following stages:

  • Verification
  • Assessment
  • Containment and mitigation
  • Post-breach response

All of the steps must be documented in an incident log and/or corrective action plan.

The data breach response is not purely linear, as these stages and the activities associated with these stages frequently overlap. Planet B2B must keep a record of any actions the organization takes in responding to the incident and preserve any evidence that may be relevant to any potential regulatory investigation or litigation including through use of an incident log, corrective action plan or other applicable documentation.

(1) Verification

The SRT will work with Planet B2B employees and contractors to identify the affected systems or hardware (such as a lost laptop or USB drive) and determine the nature of the data maintained in those systems or on the hardware.

The SRT will determine the threshold at which events are declared a security incident and officially initiate the incident response process.

(2) Assessment

Following verification of an Information Security Incident, the SRT will determine the level of response required based on the incident’s characteristics, including affected systems and data, and potential risks and impact to Planet B2B and its customers, employees, or others.

The incident assessment must include what employees or contractors were affected, what customers were affected, and what data was potentially exfiltrated, modified, deleted or compromised.

The SRT will work together to assign a priority to the incident based on factors such as whether:

  • the incident exposed or is reasonably likely to have exposed data; or
  • personally identifiable information was affected, and which data elements are possibly at risk, such as name or date of birth.

In addition, the SRT will consider whether the disclosure was:

  • internal or external;
  • caused by a company insider or outside actor; and/or
  • the result of a malicious attack or an accident.

Lastly, if an information security breach has occurred, federal/country-wide law enforcement and local law enforcement should be contacted and informed of the breach. Law enforcement should be contacted in alignment with applicable breach notification laws. Internal and/or external general counsel should lead law enforcement communication efforts (in collaboration with SRT). If general counsel is not available, SRT should lead law enforcement communication efforts.

 

(3) Containment and Mitigation

As soon as Planet B2B has verified and assessed the breach, the SRT must take all necessary steps to contain the incident, return the Planet B2B systems to their original state, and limit further data loss or intrusion.

Such steps may include:

  • Acting to stop the source or entity responsible, for example by:
      • taking affected machines offline;
      • segregating affected systems; or
      • immediately securing the area if the breach involves a physical security breach.
  • Determining whether other systems are under threat of immediate or future danger.
  • Determining whether to implement additional technical measures to contain the data breach, such as changing locks, passwords, administrative rights, or access codes.

 

(4) Post-Breach Response

Any post-breach response including external and internal communications, notifications, and further inquiries will depend on the assessment and priority of the data breach. 

As part of the final response based on the results of the breach, Planet B2B will review applicable access controls, policies and procedures and determine whether to take any actions to strengthen the organization’s information security program. 

Key Learnings

As soon as the incident has been resolved, Planet B2B senior management should meet with the SRT and other relevant team members of Planet B2B for a post-mortem to better understand the incident that took place and determine how similar incidents may be prevented in the future.

The retrospective should be documented and key learnings from the retrospective should be presented to all appropriate team members in a timely manner.

Testing

Testing the plan annually is critical to ensuring the plan is effective and practical. Any gaps in the plan that are discovered during the testing phase will be addressed by Planet B2B management. All tests must be thoroughly documented.

Testing of this plan may be performed using the following methods:

Walkthroughs

Team members walk through the steps documented in this plan to confirm effectiveness and identify gaps, bottlenecks, or other weaknesses. This walkthrough provides the opportunity to review the plan with a larger subset of people, allowing the team to draw upon an increased pool of knowledge and experiences. Team members should be familiar with procedures, equipment, and offsite facilities.

 

Table Top Exercises

An incident is simulated so normal operations will not be interrupted. Scenarios of various security incidents are used and this plan is put into action to determine its use and effectiveness. 

Validated checklists can provide a reasonable level of assurance for many of these scenarios. Analyze the output of the previous tests carefully before the proposed simulation to ensure the lessons learned during the previous phases of the cycle have been applied.

Exceptions

Planet B2B business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Planet B2B policy. If an exception is needed, Planet B2B management will determine an acceptable alternative approach. 

Enforcement

Any violation of this policy or any other Planet B2B policy or procedure may result in disciplinary action, up to and including termination of employment. Planet B2B reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Planet B2B does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.

Any employee or contractor who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Planet B2B as soon as possible. 

The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and from committing any other security breaches.

Responsibility, Review, and Audit

This plan will be reviewed and tested on an annual basis. Ensuring that the plan reflects ongoing changes to resources is crucial. This task includes updating the plan and revising this document to reflect updates; testing the updates; and training personnel. Test results will be documented and signed off by Planet B2B management. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.

This document is tested, maintained and enforced by the CTO.

This document was last updated on 12/19/2021.
