Security Incident Management Procedure (GDPR)

Transcription

1 Security Incident Management Prcedure (GDPR) PROC-CORP-05

2 Cntent: 1. Objetive Scpe Terms and Definitins Security Incident Management Prcedure n Persnal Data Incident Cmmunicatin Incident Registratin Incident Evaluatin Incident Ntificatin Exceptin t ntificatin/cmmunicatin Respnsabilities Language Cntrl f versins Apprval and entry int frce ANNEX Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 2 / 18

3 1. Objetive The purpse f this dcument is t establish and cmmunicate t all areas f Gnvarri Steel Services (hereinafter, GSS) the prcedure fr ntifying and managing in a standard manner the incidents that may cmprmise the security f the Persnal Data held by GSS, in cmpliance with the General Data Prtectin Regulatins (GDPR). In this regard, Regulatin (EU) 2016/679 f the Eurpean Parliament and f the Cuncil f the Eurpean Unin, adpted n 27 April 2016, n the prtectin f individuals with regard t the prcessing f persnal data and n the free mvement f such data, and repealing Directive 95/46/EC (General Data Prtectin Regulatin), prvides that security incidents invlving Persnal Data must be dcumented and reprted. 2. Scpe This prcedure applies t all the cmpanies that make up the Gnvarri Steel Services Grup, in which the parent cmpany, Gnvarri Crpración Financiera, S.L.U., and all the persnnel f the Gnvarri Steel Services Grup hld a majrity interest, directly r indirectly, in the exercise f their functins and respnsibilities, and in all the prfessinal areas in which they represent the Grup, meaning the directrs, executives, emplyees and cllabratrs f the GSS Grup, regardless f their psitin, respnsibility r gegraphical lcatin In any case, the Grup's actins cmply with the legislatin in frce in each jurisdictin, and therefre, in sme f these jurisdictins, the principles set frth in this plicy may be replaced by mre restrictive laws and regulatins in frce. 3. Terms and Definitins Prcessing Area: The unit respnsible fr prcessing the data assciated with the crrespnding prcessing Privacy Cmmittee: Unidad máxima de reprte en materia de Privacidad. Persnal Data: Any infrmatin cncerning identified r identifiable individuals. Privacy Manager: A natural r legal persn, public authrity, service r ther bdy that, alne r with thers, determines the purpses and means f prcessing Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 3 / 18

4 Incident: Any anmaly invlving the destructin, lss r accidental r unlawful alteratin f persnal data transmitted, stred r therwise prcessed, r unauthrized cmmunicatin r access t such data. Privacy Officer: Is the main persn in charge f cntrlling and supervising cmpliance with privacy and data prtectin regulatins in the rganizatin. Data subject: The persn t whm the data belngs wh is affected by the incident. Data prcessing: Operatins and technical prcedures f an autmated r nn-autmated nature that allw fr the cllectin, recrding, strage, prcessing, mdificatin, blcking and cancellatin, as well as the transfer f data resulting frm cmmunicatins, queries, intercnnectins and transfers 4. Security Incident Management Prcedure n Persnal Data This prcedure will be carried ut in the event f any incident affecting the security f Persnal Data. In any case, the actins described in sectins 4.1 Incident Cmmunicatin, 4.2 Incident Recrding and 4.3 Incident Evaluatin will be carried ut and the actins described in sectin 4.4. Ntificatin f the Incident" in cases where the security incident pses a high risk t the rights and freedms f thse affected. The fllwing graphically shws the general flw fllwed in the prcedure fr managing security incidents regarding Persnal Data: Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 4 / 18

5 4.1 Incident Cmmunicatin All staff are bliged t reprt any security incidents relating t persnal data t the Privacy Officer. This ntificatin will be made thrugh the address Privacy.Incidents@Gnvarri.cm r thrugh the frm placed at the crprtive website. Incidents may ccur in all activities related t the handling and management f infrmatin in physical frmat r lgical databases that stre persnal data, as well as in the develpment f activities that affect the security f the data cntained therein Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 5 / 18

6 The fllwing are sme examples f incidents: Cllect persnal data withut the cnsent f the data subject and withut infrming him/her f his/her rights. Attempted r vilated physical access cntrl and databases. Alter databases (deletin, mdificatin r inclusin f data that may affect the quality f the database). Remving data frm media withut prper authrizatin. Extract data n media ther than thse authrized in the database recrd. Failure t cmply with the prvisins f the Security Dcument fr data recvery. Failure t cmply with the deadlines established t reslve and respnd t requests t exercise the rights f the interested party. Illegally using persnal data. Execute the data recvery prcess. Imprperly manage backups. Lss f tangible assets (wrk phne, laptps, etc.). Inability t access the system with ur usual username/passwrd. Pssibly cmprmised access passwrd. Abnrmal system behaviur (incmplete r unrealistic infrmatin, unexpected failures, etc.). Incidents relating t persnal data are nt limited t autmate prcessing, but als include means f nn-autmated prcessing. Therefre, incidents affecting such media, such as the lss f paper lists cntaining persnal data, must als be reprted and recrded by the system described in this sectin. 4.2 Incident Registratin Once the security incident has been reprted, the fllwing actins will be taken: The Privacy Officer will frmally recrd the security incident. In this regard, at least the fllwing infrmatin shall be detailed: Type f Incident. Descriptin f the Incident. Date and time f the ntificatin. User reprting the incident. If necessary, the Privacy Officer will crdinate with the Privacy Officer t analyse the security incident. In additin, the Privacy Officer may request technical supprt frm department heads during the analysis phase f the incident. Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 6 / 18

7 4.3 Incident Evaluatin Once the security incident has been recrded, the fllwing actins will be perfrmed: The Privacy Officer will evaluate the security incident. In the event that the Privacy Officer deems it apprpriate, based n the criticality f the incident, he r she may call a meeting f the Privacy Cmmittee in rder t evaluate the impact f the incident n the grup. The categry r level f criticality f the incident with respect t the security f the affected infrmatin. Fllwing the generic classificatin, we can distinguish between: Critical (affects valuable data, large vlume and in a shrt time) Very High (When yu have the capacity t affect valuable infrmatin, in appreciable quantity) High (When yu have the capacity t affect valuable infrmatin) Medium (When yu have the capacity t affect an appreciable vlume f infrmatin) Lw (Little r n capacity t affect an appreciable vlume f infrmatin). In additin, there may be technical scenaris that may lead t an incident: 0-day (unknw vulnerability): Vulnerability that allws an attacker t access data t the extent that it is an unknwn vulnerability. This vulnerability will be available until the manufacturer r develper reslves it. APT (targeted attack): This refers t different types f attacks that are nrmally aimed at gathering fundamental infrmatin that will allw the cntinuatin f mre sphisticated attacks. This categry includes, fr example, an campaign with malicius sftware t emplyees f a cmpany until ne f them installs it n their cmputer and prvides a gateway t the system. Denial f Service (DS/DDS): It cnsists f flding a system with traffic until it is nt able t prvide service t its legitimate users. Access t Privileged Accunts: The attacker gets access t the system thrugh a user accunt with advanced privileges, which gives him freedm f actin. Previusly, the user name and passwrd must have been btained by sme ther methd, such as a targeted attack. Malicius Cde: Pieces f sftware whse purpse is t infiltrate r damage a cmputer, server, r ther netwrk device fr a variety f purpses. One f the pssibilities fr malicius cde t reach an rganizatin is fr a user t unintentinally install it. Cmprmise f Infrmatin: Cllects all incidents related t access and leakage, mdificatin r deletin f nn-public infrmatin. Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 7 / 18

8 Data theft and/r filtratin: Included in this categry is the lss/theft f strage devices with infrmatin. Defacement: It is a type f directed attack that cnsists f the mdificatin f the crprate website with the intentin f psting messages f any kind r any ther intentin. The nrmal peratin f the website is interrupted, causing reputatinal damage. Explitatin f applicatin vulnerabilities: When a ptential attacker successfully explits an existing vulnerability in a system r prduct by cmprmising an rganizatin's applicatin. Scial Engineering: These are deceptin-based techniques, usually carried ut thrugh scial netwrks, which are used t direct a persn's behavir r btain sensitive infrmatin. Fr example, the user is induced t click n a link by thinking it is the right thing t d. If any f these events happens t ccur, the security incident must be reprted: Any lcal data prtectin regulatr. The affected parties 4.4 Incident Ntificatin Ntificatin t the Supervisry Authrity As mentined abve, as sn as the data cntrller becmes aware that a breach in the security f persnal data has ccurred, he must, withut delay and n later than 72 hurs after becming aware f it, make the crrespnding ntificatin t the Supervisry Authrity. A security breach is cnsidered t be recrded when there is a certainty that it has ccurred and there is sufficient knwledge f its nature and scpe. The criterin t be taken int accunt in determining whether an incident has prduced "a breach in the security f persnal data" is included in the GDPR itself, and includes "all thse security breaches that cause the accidental r unlawful destructin, lss r alteratin f persnal data transmitted, stred r therwise prcessed, r the unauthrized cmmunicatin f r access t such data. This cmmunicatin shall be made using the cmmunicatin mdel described in Annex, and shall cntain the fllwing infrmatin: Identifying and cntact data f: Entity / Persn respnsible fr prcessing Data Prtectin Officer (if designated) r cntact persn Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 8 / 18

9 Indicatin f whether the ntificatin is cmplete r partial. In the case f a partial ntificatin, indicate whether it is a first ntificatin r a supplementary ntificatin. Infrmatin abut the persnal data security breach: Date and time f detectin. Date and time f the incident and its duratin Circumstances in which the persnal data security breach has ccurred (e.g. lss, theft, cpying, etc.) Nature and cntent f the persnal data. Summary f the incident that caused the persnal data security breach (with indicatin f physical lcatin and strage medium). Pssible cnsequences and negative effects n thse data subjects affected. Technical and rganizatinal measures taken by the cntrller accrding t paragraph 33.2(d) f the GDPR. Categry f data affected and number f recrds affected. Categry and number f individuals affected. Pssible issues f a crss-brder nature, indicating the pssible need t ntify ther supervisry authrities. If, at the time f ntificatin, it is nt pssible t prvide all the infrmatin, it may be prvided at a later stage, gradually in different stages. The first ntificatin shall be made within 72 hurs, and at least ne final r clsing cmmunicatin shall be made when all the infrmatin relating t the incident is available. When the data cntrller makes the first ntificatin, he r she shall state whether he r she will prvide further infrmatin a psteriri. He may als prvide additinal infrmatin by means f intermediate cmmunicatins t the supervisry authrity at its request, r when the data cntrller cnsiders it apprpriate t update the situatin f the supervisry authrity. Where initial ntificatin is nt pssible within 72 hurs, the ntificatin shall als be made a psteriri and shall state and justify the reasns fr the delay. Ntificatins must be clear, cncise and include the infrmatin necessary fr them t be prperly analysed. Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 9 / 18

10 Identificatin f the Supervisry Authrity Where an incident may affect the data f persns in mre than ne Member State, the cntrller shuld make an assessment f which is the main authrity t which the ntificatin shuld be made and, in case f dubt, at least ntify the lcal supervisry authrity where the breach has taken place. It will act as the main supervisry authrity, the main establishment r the sle establishment f the persn respnsible. The criteria fr identifying the main establishment are: The place where the main headquarter f the data respnsible is lcated. The place where decisins abut ends and means are made. At the fllwing link published by WP29, there is the cntact infrmatin fr each supervisry authrity: Ntificatin t the Data Subjects Cncerned As in the previus sectin, in the event f a security incident that pses a high risk t the rights and freedms f thse data subjects cncerned, this shuld be cmmunicated t the affected parties in rder t enable them t take measures t prtect themselves frm the cnsequences f the incident. The Privacy Officer is respnsible fr ntifying the affected parties f the incident and must infrm them f it within a reasnable perid f time. The ntificatin will be made by and will include the fllwing infrmatin: 1. Cntact details f the Data Prtectin Officer, r where apprpriate, the cntact pint where further infrmatin can be btained. 2. General descriptin f the incident and when it ccurred. 3. The pssible cnsequences f the persnal data security breach. 4. Descriptin f persnal data and infrmatin affected. 5. Summary f measures implemented s far t cntrl pssible damage. 6. Other useful infrmatin t thse affected t prtect their data r prevent pssible damage. 4.5 Exceptin t ntificatin/cmmunicatin Ntificatin t the Supervisry Authrity will nt be necessary where the data cntrller can demnstrate, in a reliable manner, that the breach in the security f persnal data des nt pse a risk t the rights and freedms f natural persns. Fr example, if the data were already publicly available and their disclsure des nt entail any risk t the data subject. Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 10 / 18

11 Furthermre, cmmunicatin t data subjects will nt be necessary where: The respnsible has taken apprpriate technical and rganizatinal measures, such as data nt being intelligible t unauthrized persns r machines prir t the persnal data security breach (thrugh the use f: state-f-the-art data encryptin, minimizatin, data dissciatin, access t test envirnments withut real data, etc.) Fr example, ntificatin may nt be necessary if a mbile device is lst and the persnal data it cntains is encrypted. Hwever, ntificatin may be required if this is the nly cpy f the persnal data, r fr example, the encryptin key in the pssessin f the data cntrller is cmprmised. The data cntrller has taken prtectin measures that fully r partially mitigate the pssible impact n thse affected and ensure that there is n lnger any pssibility f the high risk materialising. Fr example, by immediately identifying and implementing measures against the persn wh has accessed persnal data befre they culd d anything with it. When ntificatin t thse affected invlves a disprprtinate effrt at the technical and rganizatinal level. Fr example, where cntact details have been lst as a result f the breach, r where a new ntificatin system r prcess needs t be develped, r where excessive internal resurces are required t identify data subjects cncerned. In this situatin, ntificatin will be made publicly thrugh the channels established by the data cntrller. 5. Respnsabilities The fllwing is an allcatin f respnsibilities matrix (RACI) within the prcess f managing security incidents invlving persnal data. In this matrix, ne r mre respnsibilities represented by a letter are assigned t each f the tasks: R (Respnsible): This rle crrespnds t the persn wh actually perfrms the task. A (Accuntable): This rle is respnsible fr the task being perfrmed and is accuntable fr its executin. C (Cnsulted): This rle has sme infrmatin r capacity needed t perfrm the task. I (Infrmed): This rle shuld be infrmed abut the prgress and results f the task executin. Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 11 / 18

12 Task/Resurces Cmmunicate the incident Recrd the incident Evaluate the incident Ntifying lcal regulatr Ntifying the affected parties Privacy Cmmittee Privacy Officer Privacy manager Area Respnsible fr prcessing Emplyee I I I I R / A I R / A I / C I I/C R / A I / C I/C I R / A I I A R I I 6. Language This Standard is published in Spanish and English, the frmer being prevalent in case f divergence between the tw. 7. Cntrl f versins Versin Date Descriptin Prepared by Review by Versin 1 30th Octber Initial Versin f the Daniel Lluch Cmpliance 2018 Dcument Cmmittee 8. Apprval and entry int frce This Standard has been apprved by the Cmpliance Cmmittee f Gnvarri Steel Services Grup n Octber the 30th f 2018, and takes effect 20 calendar days after its apprval. As f the entry int frce, the previus prvisins existing in their case that regulate the same cntent are repealed. Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 12 / 18

13 ANNEX Security Breach Ntificatin Frm (AGDP) Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 13 / 18

14 Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 14 / 18

15 Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 15 / 18

16 Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 16 / 18

17 Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 17 / 18

18 Security Incident Management Prcedure (GDPR) (PROC-CORP-05) Página: 18 / 18