Incident response process

NT-ware has a comprehensive set of security measures in place to protect customer information and deliver the most reliable, secure services possible. However, we also recognize that security incidents can still occur, so it's equally important to have effective methods for handling them should they arise. We've developed a robust incident response process that incorporates several features, as explained below.

Several avenues to detect potential incidents quickly

We have several monitoring mechanisms in place to detect failures or anomalies within the infrastructure that may indicate a potential security incident. These systems alert us immediately if an activity is detected that requires further investigation. We have an aggregated log capture and analytics platform, which is monitored by the global NT-ware Operations team to ensure it is always available, and to collate logs in a single location so our analysts can investigate quickly and thoroughly. In addition, we create alerts on our communication platform to notify our teams proactively.

An established framework for managing incidents quickly

To ensure our incident response process is consistent, repeatable, and efficient, we have a clearly defined internal framework that outlines the steps we take at each phase. We have documented playbooks that are continually updated, detailing the steps we need to take to respond effectively to different incident types. At a high level, our response framework covers:

  • Incident detection and analysis - the steps we take following initial notifications we receive about a potential incident, including how we confirm whether a security incident has occurred (so that we minimize false positives), through to understanding the attack vectors, scope of compromise, and the impact on NT-ware and its customers.
  • Incident severity categorization - once we understand what has happened through appropriate analysis, we use this information to determine the severity of the incident. We assign one of four severity levels to an incident, and provide access to external security training programs.

Severity   Description
A          Critical incident with maximum impact
B          High incident with very high impact
C          Medium incident with significant impact
D          Minor incident with low impact

We use a variety of indicators to determine the severity of an incident – these vary depending on the product involved, but will include consideration of whether there is a total service outage (and the number of customers affected), whether core functionality is broken, and whether there has been any data loss.

  • Containment, eradication, and recovery - taking into consideration the incident severity, we then determine and implement the steps necessary to contain the incident, eradicate the underlying causes, and start our recovery processes to ensure we return to business-as-usual as quickly as possible. Naturally, the steps taken in this phase will vary significantly depending on the nature of the incident. If it will benefit our customers or is required by our legal or contractual obligations, NT-ware will also communicate with its customers about the incident and its potential impacts during this phase of the incident response process.
  • Notification - in the event of an incident, we follow precise notification procedures, including procedures aimed at ensuring our customers are notified without undue delay if their data is involved in a confirmed incident or in a breach that may result in a high risk for individuals. This communication begins with NT-ware's confirmation and verification of an incident. Notifications will include the description, impact, nature, and consequences of the breach, relevant contact details from which more information can be obtained, and a description of the measures taken or proposed to mitigate possible adverse effects.

    While it is plausible that initial communication might not yet include all the facts, we will ensure that all communications include next steps and timelines for subsequent communication.

    Communication from NT-ware will be sent by email from an @nt-ware.com address or from our exclusive Canon distributor in the affected region. We will publish and link to incidents on our public NT-ware Support - Confluence page for verification and validation.

    Should a customer become aware of an issue or incident that could impact NT-ware cloud services, the customer is responsible for promptly reporting this via established support channels.

  • A robust post-incident review process - once every incident is resolved, we look at what lessons can be learnt from it. These lessons inform the development of technical solutions, process improvements, and the introduction of additional best practices, so that we can continue to provide the best experience for our customers and make another malicious act even harder next time.

Clearly defined roles and responsibilities

Every incident we experience is managed by our Chief Information Security Officer (CISO) and our security team. The most appropriate person, depending on time zone and availability, takes the lead, typically makes security-related decisions, oversees the response process, and allocates internal tasks to facilitate it.

Access to external experts where required

Sometimes, we may need a helping hand from an external expert to assist us with investigating an incident. We retain the services of specialist cyber security consultants and forensic experts for instances where we may require further in-depth forensic analysis or forensic holds for e-discovery in support of litigation.

Tools used to manage security incidents

To aid in the support and management of security incidents, we make heavy use of several software platforms, alongside other communication tools and systems, including:

  • Confluence – we use Confluence to collaboratively create, document, and update our incident response processes in a central location to ensure those processes are disseminated to all staff and can be quickly updated in response to lessons learnt based on past incidents. We also use Confluence to document our plays and hunts.
  • Jira Software – we use Jira to create tickets both for the initial investigation of suspected incidents and to facilitate and track our response process if our initial investigation confirms an incident has taken place. These tickets help us aggregate information about an incident, develop resolutions, and perform other logistical work (such as delegating tasks during the response process and reaching out to other teams within the company when necessary).
  • Microsoft Teams - we have dedicated teams and channels that can come together quickly in Microsoft Teams to begin working on an incident. Our status and alerting system can trigger notifications directly into Teams channels. All NT-ware Operations and DevOps members have both PC and mobile access to this platform, and we publish alternate communication paths internally in case our primary system is unavailable.

NT-ware security advisories, products, and services

Regardless of the incident type, communication is critical. This needs to be clear, accessible, and validated at all times. As part of our incident management process, NT-ware will raise a "Security Advisory" for all public incident disclosures. The email communication you receive from NT-ware regarding an incident should include a link to the respective security advisory.