Skip to main content
All CollectionsAdvancedOrganisational DocumentsProcedures
Security Incident Management Framework
Security Incident Management Framework
Updated over 3 years ago

This procedure will be carried out in the event of any incident affecting the security of Personal Data. In any case, the actions described in sections

  1. Incident Communication

  2. Incident Recording

  3. Incident Evaluation will be carried out and the actions described in section

  4. Notification of the Incident in cases where the security incident poses a high risk to the rights of those affected.

The following process shows the general flow followed in the procedure for managing security incidents regarding Personal Data:

Incident Communication

· All Event Hub employees and contractors are obliged to report any security incidents relating to personal data to the Data Protection Officer(DPO).

This notification will be made through the email address info@eventhub.com.au or through any other formal communication channel.

· Incidents may occur in all activities related to the handling and management of information in physical format or logical databases that store personal data. Further scenarios that can be considered as a data breach, please refer to the “Definitions Section” of this document.

Incident Recording

Once the security incident has been reported,

• The Data Protection Officer will formally record the security incident. In this regard, at least the following information shall be detailed:

Type of Incident.
Description of the Incident.
Date and time of the when Incident was observed.

User reporting the incident.

• If necessary, the Data Protection Officer may request technical support from internal and external authorities to analyze and identify the impact of the incident.

Incident Evaluation

Once the security incident has been recorded, the following actions will be performed:

· The Protection Officer will evaluate the security incident.

· The category or level of criticality of that incident will be determined by the Data Protection Officer. Following classification helps in identifying the severity of security breaches.

Category

Description

Critical

Affects a large volume of valuable data in a short time.

Very High

When you have the capacity to affect valuable information, in appreciable quantity

High

When you have the capacity to affect valuable information

Medium

When you have the capacity to affect an appreciable volume of information

Low

Little or no capacity to affect an appreciable volume of information

In addition, there may be technical scenarios that may lead to an incident:

0-day (Unknown Vulnerability):

The 0-day vulnerability allows an attacker to access data to the extent that it is an unknown vulnerability. This vulnerability will be available until the manufacturer or developer resolves it.

APT (Targeted Attack):

This refers to different types of attacks that are normally aimed at gathering fundamental information that will allow the continuation of more sophisticated attacks. This category includes, for example, an email campaign with malicious software to employees of a company until one of them installs it on their computer and provides a gateway to the system.

Denial of Service (DoS/DDoS):

It consists of flooding a system with traffic until it is not able to provide service to its legitimate users.

Access to Privileged Accounts:

The attacker gets access to the system through a user account with advanced privileges, which gives him freedom of action. Previously, the user name and password must have been obtained by some other method, such as a targeted attack.

Malicious Code:

Pieces of software whose purpose is to infiltrate or damage a computer, server, or another network device for a variety of purposes. One of the possibilities for malicious code to reach an organization is for a user to unintentionally install it.

Compromise of Information:

Collects all incidents related to access and leakage, modification or deletion of non-public information.

Data theft and/or filtration:

Included in this category is the loss/theft of storage devices with information.

Defacement:

It is a type of directed attack that consists of the modification of the corporate website with the intention of posting messages of any kind or any other intention. The normal operation of the website is interrupted, causing reputational damage.

Exploitation of application vulnerabilities:

When a potential attacker successfully exploits an existing vulnerability in a system or product by compromising an organization's application.

Social Engineering:

These are deception-based techniques, usually carried out through social networks, which are used to direct a person's behavior or obtain sensitive information. For example, the user is induced to click on a link by thinking it is the right thing to do.

If any of these events happen to occur, the security incident must be reported:

  1. Any local data protection regulator.

  2. The affected parties

Incident Notification

Notification to the Supervisory Authority

As soon as the data controller becomes aware that a breach in the security of personal data has occurred, he must, without delay and no later than 72 hours after becoming aware of it, make the corresponding notification to the Supervisory Authority.

A security breach is considered to be recorded when there is a certainty that it has occurred and there is sufficient knowledge of its nature and scope.

The criterion to be taken into account in determining whether an incident has produced "a breach in the security of personal data" is included in the GDPR itself, and includes "all those security breaches that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data.

This communication shall be made using the communication model described as below, and shall contain the following information:

  • Identifying and contact data of:

  • Entity / Person responsible for processing

  • Data Protection Officer (if designated) or contact person

  • Indication of whether the notification is complete or partial. In the case of a partial notification, indicate whether it is a first notification or a supplementary notification. Information about the personal data security breach:

  • Date and time of detection.

  • Date and time of the incident and its duration

  • Circumstances in which the personal data security breach has occurred (e.g. loss, theft, copying, etc.)

  • Nature and content of the personal data.

  • Summary of the incident that caused the personal data security breach (with an indication of physical location and storage medium).

  • Possible consequences and negative effects on those data subjects affected.

  • Category of data affected and the number of records affected.

  • Category and number of individuals affected.

  • Possible issues of a cross-border nature, indicating the possible need to notify other supervisory authorities.

If at the time of notification, it is not possible to provide all the information, it may be provided at a later stage, gradually in different stages. The first notification shall be made within 72 hours, and at least one final or closing communication shall be made when all the information relating to the incident is available.

When the data controller makes the first notification, he or she shall state whether he or she will provide further information a posteriori. He may also provide additional information by means of intermediate communications to the supervisory authority at its request, or when the data controller considers it appropriate to update the situation of the supervisory authority.

Where initial notification is not possible within 72 hours, the notification shall also be made a posteriori and shall state and justify the reasons for the delay.

Notifications must be clear, concise, and include the information necessary for them to be properly analyzed.

Identification of the Supervisory Authority

Where an incident may affect the data of persons in more than one Member State, the controller should make an assessment of which is the main authority to which the notification should be made and, in case of doubt, at least notify the local supervisory authority where the breach has taken place. It will act as the main supervisory authority, the main establishment, or the sole establishment of the person responsible.

The criteria for identifying the main establishment are:

The place where the main headquarters of the data responsible is located.

The place where decisions about ends and means are made.

Notification to the Data Subjects Concerned

In the event of a security incident that poses a high risk to the rights and freedoms of concerned data subjects, this should be communicated to the affected parties in order to enable them to take measures to protect themselves from the consequences of the incident.

The Data Protection Officer is responsible for notifying the affected parties of the incident and must inform them of it within a reasonable period of time.

The notification will be made by email and will include the following information:

1. Contact details of the Data Protection Officer(DPO), or where appropriate, the contact point where further information can be obtained.

2. General description of the incident and when it occurred.

3. The possible consequences of the personal data security breach.

4. Description of personal data and information affected.

5. Summary of measures implemented so far to control possible damage.

6. Other useful information to those affected to protect their data or prevent possible damage.

An exception to Notification/Communication

  • Notification to the Supervisory Authority will not be necessary where the data controller can demonstrate, in a reliable manner, that the breach in the security of personal data does not pose a risk to the rights and freedoms of natural persons.

  • For example, if the data were already publicly available and their disclosure does not entail any risk to the data subject.

  • Furthermore, communication to data subjects will not be necessary where:

  • Responsible has taken appropriate technical and organizational measures, such as data not being intelligible to unauthorized persons or machines prior to the personal data security breach (through the use of state-of-the-art data encryption, minimization, data dissociation, access to test environments without real data, etc.)

  • For example, notification may not be necessary if a mobile device is lost and the personal data it contains is encrypted.

  • However, notification may be required if this is the only copy of the personal data, or for example, the encryption key in the possession of the data controller is compromised.

  • The data controller has taken protection measures that fully or partially mitigate the possible impact on those affected and ensure that there is no longer any possibility of the high risk materializing. For example, by immediately identifying and implementing measures against the person who has accessed personal data before they could do anything with it.

If all the user data is lost and notification can’t be sent to affected Data Subjects

OR

If the effort that is required to identify the affected Data Subjects in that case and the Security Breach Notification should be made public through established channels including Website, Social Media, or any other means.

Did this answer your question?