Data Breach Policy
Updated: Dec. 20, 2023
Small Factory Innovations, Inc. and its affiliates (collectively, “SFI”) make every effort to protect the confidentiality, integrity, and availability of the Confidential Information and Personal Data of employees, customers and vendors. SFI will respond promptly to investigate, contain, and mitigate any security incident that can lead to a Data Breach. Notice of a Data Breach will be provided to affected individuals and/or governmental agencies in accordance with applicable contractual and legal requirements.
- Confidential Information includes all information of SFI, its employees, and its existing and potential customers, not generally known to the public, in printed, electronic, or any other form or medium.
- Personal Data includes any information related to an identified or identifiable natural person. Personal Data includes, but is not limited to: names, addresses, email addresses, and phone numbers.
- Data Breach is defined as the unauthorized acquisition or access of unencrypted Confidential Information or Personal Data that compromises the confidentiality, integrity, or availability of that information. A Data Breach can occur not only virtually through computer networks but also physically through unauthorized access into SFI locations or computers. A Data Breach can also include any breaches that affect third-party vendors that provide services or hosting to SFI.
SFI maintains a Security Incident Response Plan based on the guidelines in NIST's Computer Security Incident Handling Guide (SP 800-61).
All employees are required to immediately notify the Information Security Manager of any actual or suspected Data Breach – including events that affect third-party vendors. The Security Incident Response Plan will then be followed in order to:
- determine if a Data Breach has taken place, and
- in case a Data Breach has been found, undertake measures to manage the Data Breach.
Because a Data Breach can take many forms, the specific assessment and the measures taken will depend on the case at hand.
Following the Security Incident Response Plan, the Breach Notification Team is responsible for handling all communication (internal and external) once a Data Breach has been confirmed. In addition, if the Data Breach involves Personal Data, the Information Security Manager (specifically, the company owner/operator) will notify the SFI Legal Team as soon as the Personal Data Breach becomes apparent.
SFI Legal will then follow the Data Breach Notification Process to determine whether notification of supervisory authorities and affected data subjects is required.
Notification commitment as data processor
SFI, in its role as data processor, commits to notifying affected data controllers (customers/partners) via email, addressed to the primary business contact registered at contract signing, as soon as possible and no later than 48 hours after a Data Breach is reasonably suspected.
Notification commitment as data controller
SFI, in its role as data controller, commits to notifying via email:
- affected SFI employees, where this is required by applicable law and following the Data Breach Notification Process.
- affected customers/vendors/partners, when SFI acts as data controller for their employees' Personal Data, where this is required by applicable law and following the Data Breach Notification Process.
Incident Response Phases
SFI has established a response plan to address a suspected data breach. The phases of that plan are as follows.
SFI has prepared and exercised this plan.
- Employees are trained in their incident response roles and responsibilities in the event of a data breach.
- This incident response plan is regularly reviewed and evaluated to ensure it is followed as intended.
Identify
Organizations must develop an understanding of their environment to manage cybersecurity risk to systems, assets, data and capabilities. To comply with this Function, it is essential to have full visibility into your digital and physical assets, their interconnections, and defined roles and responsibilities, as well as to understand your current risks and exposure and put policies and procedures into place to manage those risks. SFI has identified access roles as well as the users who pose the most risk. Access is limited to users and administrators on a per-role basis; it is monitored, tracked and reviewed regularly. These tracking events are stored for the purpose of identifying risks as well as evaluating performance. Access logs are generated and saved, allowing for deeper review of all activity related to the data stored on the server.
Protect
Organizations must develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event. To comply, your organization must control access to digital and physical assets, provide awareness education and training, put processes into place to secure data, maintain baselines of network configuration and operations so that system components can be repaired in a timely manner, and deploy protective technology to ensure cyber resilience. SFI limits user and administrative access to the website and server. Limits are enforced based on the user's role and exposure to data.
- Website Users can only access the information intended for them, over HTTP. Website Users cannot upload files or access the data of other users outside the intended hierarchy.
- Website Administrators are individually granted access based on their roles and are instructed on use and safety.
- Server Administrators are restricted to key-based login and to approved device locations.
Detect
Organizations must implement the appropriate measures to quickly identify cybersecurity events. Adopting continuous monitoring solutions that detect anomalous activity and other threats to operational continuity is required to comply with this Function. Your organization must have visibility into its networks to anticipate a cyber incident and have all information at hand to respond to one. Continuous monitoring and threat hunting are very effective ways to analyze and prevent cyber incidents in ICS networks. Silas Solution regularly reviews logs for indications of unusual logins. Server speed and response times are watched for signs of unexplained traffic.
Respond
Should a cyber incident occur, organizations must have the ability to contain the impact. To comply, your organization must craft a response plan, define communication lines among the appropriate parties, collect and analyze information about the event, perform all required activities to eradicate the incident, and incorporate lessons learned into revised response strategies. Non-standard links and access points are identified and permanently blocked based on location. Incorrect login attempts are monitored and limited to a specified number of attempts, after which the account is locked until an administrator resets it.
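The two controls above (reviewing logs for unusual logins, and locking an account after a set number of failed attempts until an administrator resets it) can be checked against an authentication log. The following is an added illustration, not SFI's or Silas Solution's code: it assumes a simple "timestamp user source result" log format, a lockout threshold of 5, and a per-user list of known source addresses, all constructed for the example. It also flags any login recorded against an account that should already have been locked, since that indicates the lockout was not enforced.

```python
"""Failed-login lockout and unusual-login review over constructed auth log lines.

Added example, not SFI's code. The log format, the threshold and the
known-source list below are assumptions made for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log in an assumed "timestamp user source result" format.
SAMPLE_LOG = """\
2023-12-20T08:01:10 alice 203.0.113.7 FAIL
2023-12-20T08:01:15 alice 203.0.113.7 FAIL
2023-12-20T08:01:21 alice 203.0.113.7 FAIL
2023-12-20T08:01:30 alice 203.0.113.7 FAIL
2023-12-20T08:01:33 alice 203.0.113.7 FAIL
2023-12-20T08:01:40 alice 203.0.113.7 FAIL
2023-12-20T08:02:02 alice 203.0.113.7 OK
2023-12-20T09:15:00 bob 198.51.100.9 OK
2023-12-20T09:16:00 bob 192.0.2.44 OK
2023-12-20T10:00:00 carol 198.51.100.9 FAIL
2023-12-20T10:00:30 carol 198.51.100.9 OK
"""

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold

# Assumed per-user source addresses seen during normal operation.
KNOWN_SOURCES = {
    "alice": {"198.51.100.9"},
    "bob": {"198.51.100.9"},
    "carol": {"198.51.100.9"},
}


@dataclass
class Finding:
    user: str
    kind: str    # LOCKED_OUT, ATTEMPT_WHILE_LOCKED or UNUSUAL_SOURCE
    detail: str


def parse_line(line):
    """Split one log line into (timestamp, user, source, result)."""
    ts, user, source, result = line.split()
    return datetime.fromisoformat(ts), user, source, result


def review_log(lines, max_failed=MAX_FAILED_ATTEMPTS, known=KNOWN_SOURCES):
    """Replay the log, applying the lockout rule and the unusual-source check.

    Returns (findings, locked_users). A successful login resets the failure
    counter; a locked account stays locked until reset_user() is called.
    """
    failed = defaultdict(int)
    locked = set()
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, source, result = parse_line(line)
        if user in locked:
            # Any activity on a locked account is worth a look; an "OK"
            # here means the lockout was not actually enforced.
            findings.append(Finding(user, "ATTEMPT_WHILE_LOCKED",
                                    f"{result} from {source} at {ts.isoformat()}"))
            continue
        if result == "FAIL":
            failed[user] += 1
            if failed[user] >= max_failed:
                locked.add(user)
                findings.append(Finding(user, "LOCKED_OUT",
                                        f"{failed[user]} consecutive failures, last from {source}"))
        else:
            failed[user] = 0
            if source not in known.get(user, set()):
                findings.append(Finding(user, "UNUSUAL_SOURCE",
                                        f"successful login from {source} not previously seen"))
    return findings, locked


def reset_user(locked, user):
    """Administrator reset: remove the lockout for one account."""
    locked.discard(user)
    return locked


def review_sample():
    """Run the review over the constructed sample log."""
    return review_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    findings, locked = review_sample()
    for f in findings:
        print(f"{f.kind:20} {f.user:8} {f.detail}")
    print("locked accounts:", sorted(locked))
```

On the sample log, alice is locked after her fifth failure, her sixth failure and her later successful login are both reported as activity on a locked account, and bob's login from an address not in his known list is reported as an unusual source; carol's single failure is cleared by her following successful login.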
Recover
Organizations must develop and implement effective activities to restore any capabilities or services that were impaired by a cybersecurity event. Your organization must have a recovery plan in place, be able to coordinate restoration activities with external parties, and incorporate lessons learned into its updated recovery strategy. Defining a prioritized list of action points to drive recovery activity is critical for a timely recovery. SFI performs daily data backups. These backups are additionally stored offsite to guard against catastrophic events.