1 Introduction
HIRETT is committed to providing a high-quality experience for all its customers through its training delivery. It encourages a positive environment in which informal contact and feedback from customers are welcomed and where complaints can be dealt with effectively and efficiently. The Security-related Customer Complaints (Monitoring) Procedure outlines the processes to be used when a customer has cause for concern or has found a security breach.
Aims of the Policy
- To provide a clear framework to help anyone who is not satisfied with the company’s services to raise their concerns and to ensure that the company responds effectively.
- To ensure that the company has systems in place to make improvements happen as a result of a complaint.
- To encourage prompt resolution at an early informal stage.
- To ensure that all complaints are dealt with seriously, fairly and sensitively, with no resultant victimisation of a complainant.
- To define responsibilities and allocate duties to individual members of company staff in relation to procedures set out.
Scope
This document should be used by anyone who wishes to make a complaint about the security of our services.
Third parties with a close connection to the customers, wishing to complain on behalf of the customer, must produce written agreement from the customer stating that they can act on their behalf.
All reports of information security weaknesses or events relating to any of HIRETT’s information assets, and events that should have been reported but were not, are within the scope of this procedure. In addition, any events or weaknesses detected by the monitoring and alert services used to detect information security events fall within the scope of this procedure, including:
- alerts from intrusion detection;
- intrusion prevention;
- file integrity monitoring systems;
- detection of unauthorised wireless access points, together with details of who gathers this information and how it is consolidated;
- unauthorised access to customer accounts.
2 Responsibilities
Customers may report information security weaknesses and events using the online complaints forms to the Information Security Manager.
Owners of monitoring and alert services are responsible for reporting those events (or sequences of events) that fall within the scope of this procedure.
The Information Security Manager is responsible for coordinating and managing the response to any reported weakness or event, including documentation of all emergency steps taken, evidence collection, and closing out the event, as well as for ensuring that the plan is modified in the light of experience and lessons learned and to incorporate security industry developments and changes.
The Information Security Manager is responsible for communication and contact strategies in the event of a compromise including notification of the payment brands.
All technical staff and other employees, contractors or third parties, are required to support the Information Security Manager in dealing with an event or weakness.
The Head of IT (CIO) authorises access to live systems or data.
Asset (owners) carry out the actual access to live systems or data when dealing with an incident.
The Business Continuity Manager is responsible for the contingency planning components of the Working Instructions identified below, and for ensuring that this incident response plan is tested at least annually.
The Training Manager is responsible for providing whatever training is necessary for all (employees/staff) with responsibilities under this procedure to carry them out. Specifically, those staff with designated responsibilities in terms of the 24/7 incident response must have thorough training that enables them to provide the required service effectively.
The CIO receives all formal complaints and is responsible for logging and monitoring the complaints in accordance with the procedures below.
All instructors and front-line staff have a responsibility for receiving complaints, treating them seriously and dealing with them appropriately. Wherever possible, complaints should be dealt with informally and promptly. All complaints (formal and informal) received by a member of staff must be forwarded to the CIO to be recorded.
The CIO has a responsibility to take a lead role in resolving complaints through investigation (when appropriate) and responding to the complainant.
3 Procedure
- The incident response service is available for 24/7 incident response and monitoring coverage for any evidence of unauthorised activity, detection of unauthorised wireless access points, critical IDS alerts, and/or reports of unauthorised critical system or content file changes.
- The Information Security Manager logs all information security reports immediately upon receipt, allocating to each a unique number and uses this log to ensure that all reports are analysed and closed out.
- All information security events and weaknesses are, immediately upon receipt, assessed and categorised, with reasons, by the Information Security Manager. Initially, there are four categories: events, weaknesses (‘vulnerabilities’), incidents and unknowns. ‘Events’ are occurrences that, after analysis, have no importance for information security; ‘vulnerabilities’ are weaknesses that, after analysis, clearly exist as significant weaknesses compromising information security; ‘incidents’ are occurrences of events (or series of events) that have a probability of compromising HIRETT’s information security; ‘unknowns’ are those reported events or weaknesses that, after initial analysis, still cannot be allocated to one of the other three categories. The ‘unknowns’ are subject to further analysis to allocate them to one of the other three categories as soon as possible.
- The prioritisation for responses, when there are multiple event reports to deal with, is: incidents, unknowns, vulnerabilities, events. When there are multiple event reports in each category, the Information Security Manager prioritises responses in the light of the criticality of the business systems and information assets at risk, the danger of further compromise to the [organisation]’s information security, and the resources at his disposal. Incidents involving high-value or business critical systems are immediately reported by the Information Security Manager to the Chief Information Security Officer (CISO).
- If systems containing cardholder data are compromised, this matter is to be immediately reported to the acquirer or payment card brands. Visa’s Incident response procedures are as follows:
  - Contact Visa immediately.
  - Do not access or alter compromised systems, i.e. do not log on, or change passwords.
  - Do not turn the compromised systems off. Instead, isolate them from your network and unplug any network cables.
  - Preserve all logs and similar electronic evidence.
  - Perform a back-up of your systems to preserve their current state – this will also facilitate any subsequent investigations.
  - Log all actions taken.
- Specific work instructions set out the necessary containment and corrective action and standing contingency plans in respect of the following types of information security incident:
  - Systems failure and loss of service;
  - Malware, including viruses;
  - Denial of service;
  - Errors resulting from poor data;
  - Breaches of confidentiality;
  - Breaches of information integrity;
  - Misuse of information systems;
  - Non-standard incidents.
- The contingency plans include:
  - Business recovery procedures;
  - Disaster recovery procedures;
  - Data backup procedures.
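The logging, categorisation and prioritisation steps above (unique number on receipt, four categories with a recorded reason, response order incidents > unknowns > vulnerabilities > events, then most critical asset first, and immediate escalation of incidents on high-value systems to the CISO) can be modelled as a small triage log. This is an added illustration, not HIRETT's own tooling; the 1..5 criticality rating, the escalation threshold of 4 and the sample reports are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Response priority from the procedure: incidents, then unknowns,
# then vulnerabilities (weaknesses), then events.
CATEGORY_RANK = {"incident": 0, "unknown": 1, "vulnerability": 2, "event": 3}
ESCALATION_THRESHOLD = 4  # assumed: criticality >= 4 means high-value / business-critical

@dataclass
class Report:
    number: int            # unique number allocated on receipt
    source: str            # e.g. "customer form", "IDS", "file integrity monitoring"
    summary: str
    criticality: int       # assumed 1..5 rating of the business system at risk
    category: Optional[str] = None
    reason: str = ""
    escalated: bool = False   # reported immediately to the CISO

class IncidentLog:
    def __init__(self) -> None:
        self.reports: List[Report] = []

    def receive(self, source: str, summary: str, criticality: int) -> Report:
        """Log a report immediately on receipt and allocate its unique number."""
        report = Report(len(self.reports) + 1, source, summary, criticality)
        self.reports.append(report)
        return report

    def categorise(self, number: int, category: str, reason: str) -> Report:
        """Assign a category with a recorded reason; 'unknown' is a holding category only."""
        if category not in CATEGORY_RANK:
            raise ValueError(f"not a procedure category: {category!r}")
        if not reason.strip():
            raise ValueError("the procedure requires a reason for every categorisation")
        report = self.reports[number - 1]
        report.category, report.reason = category, reason
        # Incidents on high-value or business-critical systems go straight to the CISO.
        report.escalated = category == "incident" and report.criticality >= ESCALATION_THRESHOLD
        return report

    def response_order(self) -> List[Report]:
        """Assessed reports in working order: category, then most critical asset, then oldest."""
        assessed = [r for r in self.reports if r.category is not None]
        return sorted(assessed, key=lambda r: (CATEGORY_RANK[r.category], -r.criticality, r.number))

    def unknowns(self) -> List[Report]:
        """Reports still awaiting further analysis to move them into another category."""
        return [r for r in self.reports if r.category == "unknown"]
```

Re-running `categorise` on an 'unknown' once analysis completes moves it into its final category and re-sorts the queue, which is the follow-up the procedure requires.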
The Information Security Manager seeks additional input from qualified technical employees/staff, as necessary and where he considers the standing instructions to be inadequate, to analyse and understand the incident and to identify appropriate actions to contain it and to implement contingency plans.
The Information Security Manager invokes the actions set out in the standing work instructions, plus any additional activity that he considers necessary to contain and recover from the incident, and implements contingency plans. Where necessary, the Information Security Manager coordinates activity with other organisations and is responsible for informing credit card companies and other relevant authorities. The Information Security Manager confirms that the affected business systems have been restored and that the required controls are operational before authorising a return to normal working.
Once the incident is contained and the required corrective action is completed, the Information Security Manager reports to the Chief Information Security Officer (CISO) with a summary of the incident. The summary identifies the cause of the incident and analyses its progress, trying to identify how HIRETT could have responded earlier or more effectively, or preventative action that might have been taken in advance of the incident; it also assesses the effectiveness of the containment and corrective actions and of the contingency plans, and records how the incident was closed out (see 3.9 below).
The Information Security Manager is responsible for closing out the incident: this includes any reports to external authorities; analysis of legal requirements for reporting compromises/incidents, initiating disciplinary action by referring the incident to the (Head of HR); planning and implementing preventative action to avoid any further recurrence; collecting and securing audit trails and forensic evidence; initiating any action for compensation from software, service (or outsource) suppliers by referring the incident to the Procurement Manager, and communicating with those affected by or involved in the incident about returning to normal working and any other issues.
The Information Security Manager prepares a monthly report to the Information Security Committee which identifies (from the event reporting log) the number, type, category and severity of information security incidents during the preceding month, the cost of containment and recovery, and the total cost of the losses arising from each incident, and recommends (where appropriate) additional controls that might limit the frequency of information security incidents, improve the [organisation]’s ability to respond, and reduce the cost of response.
All the incident reports from the period since the last management review are taken into account at the next one, to ensure that the [organisation] learns from the incidents and that the incident response plan itself is improved on a continuous basis.
Confidentiality
All complaints will be handled sensitively and with discretion. If a customer makes a complaint against a member of staff, that member of staff may be informed about the substance of the complaint so that they are in a position to make a response. The company will not normally investigate anonymous or malicious complaints except in exceptional circumstances and for justifiable reasons. This may be considered if the complainant wishes to remain anonymous in cases of harassment.
Document Owner and Approval
The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.
A current version of this document is available to (all/specified) members of staff on the (corporate intranet) and is published ( ).
This procedure was approved by the Chief Information Security Officer (CISO) on (date) and is issued on a version controlled basis under his/her signature.
Signature: Date:
Change History Record
Issue | Description of Change | Approval | Date of Issue |
1 | Initial issue | Xx/yy/zz | |
Annex A Complaints Form
Before submitting this form, you should read the company’s Complaints Policy and Procedure, available on our website (www.Hirett.com.uk)
When completed, please send to:
If you need help completing this form please call:
Personal Details:
Account name:
Registered email address:
Declaration: I have read and understood the company Complaints Policy and Procedure
___________________________________ _____/_____/_____ Signature Date (DD/MM/YYYY)
For office use: Date complaint logged DD/MM/YYYY
Annex B to Policy for Complaints
COMPLAINTS INVESTIGATION SUMMARY FORM
Basic details of complaint:
(include the basis for the complaint)
Details of investigation:
(include details of the investigative processes carried out)
Declaration: I have concluded this investigation and will inform the complainant of my decision at the earliest opportunity.
___________________________________ _____/_____/_____ Signature Date (DD/MM/YYYY)