
Incident Management Policy

Delve into Roboto Studio's Incident Management Policy. Learn our approach to effectively responding to and resolving IT security incidents.

1.0 Purpose

The purpose of this policy is to provide guidelines to manage security and privacy incidents that threaten the confidentiality, integrity or availability of information assets. Roboto Studio's business or strategic requirements are to:

  • Minimise damage from security incidents and malfunctions, and monitor and learn from such incidents.
  • Ensure that incidents affecting the security of information are reported to and investigated by appropriate management channels as quickly as possible.
  • Ensure that all employees and contractors are aware of the procedure for reporting the different incidents that may impact Roboto Studio’s information assets.
  • Protect third-party information and act responsibly with regard to its security.

2.0 Scope

The policy applies to all employees, consultants and contractors of Roboto Studio. This policy is also applicable to all types of incidents (including but not limited to ones defined in this policy) related to information assets such as IT systems/services and related support systems of Roboto Studio.

3.0 Definitions

Information security event: Any occurrence related to information assets or the environment indicating a possible compromise of policies, failure of controls, or an unmapped situation that can impact security.

Information security incident: Any event that threatens the confidentiality, integrity, or availability of organization systems, applications, data, or networks. Examples of organization systems include, but are not limited to:

  • Servers
  • Desktop computers
  • Laptop computers
  • Workstations
  • Mobile devices
  • Network equipment

Examples of security incidents include, but are not limited to:

  • Unauthorized access, including intentionally targeted but unsuccessful attempts
  • Potential violation of Roboto Studio approved policies, or any act that violates an explicit or implied security policy
  • Potential data or privacy breach
  • Leakage of information through a generative-AI prompt
  • Accidental disclosure of confidential data
  • Infection by malware, including a virus or worm that uses open file shares to spread from one to hundreds of desktop computers
  • Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack
  • Theft or loss of an organization system or asset, including computer equipment, tablets, smartphones or other mobile devices
  • A server known to hold sensitive data accessed or otherwise compromised by an unauthorized party
  • A firewall accessed by an unauthorized entity
  • An attacker running an exploit tool to gain access to a server's password file
  • Any event that affects the availability of our product or service
  • Any event that compromises the contractual commitments to our clients
  • Failure of information security controls with a likelihood of disrupting business operations

Privacy incident: Any event that has resulted in (or could result in) unauthorized use or disclosure of PII where persons other than authorized users have access (or potential access) to PII or use it for an unauthorized purpose.

4.0 Policy

4.1 Industry Frameworks

This policy aligns with industry standards and frameworks, including:

  • NCSC incident management guidance: https://www.ncsc.gov.uk/collection/incident-management
  • ICO breach response and monitoring: https://ico.org.uk/for-organisations/accountability-framework/breach-response-and-monitoring/
  • NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

In accordance with the above incident frameworks, Roboto Studio SHALL use the following high-level process to respond to incidents:

  • Triage: Understand the incident and its impact.
  • Analyse: Capture and analyse data/information.
  • Contain/Mitigate: Stop or lower the impact and prevent the spread of problems.
  • Remediate/Eradicate: Fully remove/stop the incident. Confirm successful remediation.
  • Recover: Recover data and systems if needed. Resume “business as usual”.
  • Review: Review the response and incident to identify improvements.

No two incidents are the same, so the procedure SHALL provide flexibility to cycle between the Contain/Mitigate, Analyse, Remediate/Eradicate steps as needed to resolve the incident.

4.2 Key Contacts, Roles & Responsibilities

The Roboto Studio incident response procedure SHALL include named individuals and contact details covering the following roles: incident response team/provider, IT, Senior Management, Legal, PR, HR, and Insurance. The procedure SHALL document a conference bridge or video call provider to convene the members of the incident response team in the event of urgent incident calls.

4.3 Incident Detection

Adequate detection and triage methods SHALL be deployed to detect and categorise security incidents and data breaches. Detection of security incidents SHALL include:

  • Security devices and applications – such as antivirus, EDR or XDR software, and firewalls.
  • Staff reporting of incidents – including the initial point of contact for reports.
  • Third-party reporting of incidents – including the initial point of contact for reports.

4.4 Triage and Escalation

The Roboto Studio incident response procedure SHALL document the incident escalation criteria. This procedure SHALL include:

  • A framework for categorising different incident types (including accidental loss of personally identifiable information).
  • A matrix to assess the severity and priority of an incident.
  • Guidance on legal or regulatory requirements for disclosure, and on when to engage Roboto Studio legal support and HR.

Specific guidance on the following common scenarios SHALL be included:

  • Accidental disclosure of sensitive information
  • Detection of Ransomware
  • Malware hosted on the Roboto Studio website

4.5 Incident Recording

An incident recording template SHALL be created to record the incident details for future review and lessons learned activities.

4.6 Communication Plan

The Roboto Studio incident response procedure SHALL document a communication plan. The communication plan SHALL include who will communicate with the following groups and under what circumstances:

  • Internal stakeholders
  • Senior managers
  • Third parties
  • Individuals as required by GDPR regulations.

4.7 Incident Policy and Procedure Reviews

All high-priority and high-severity incidents SHALL automatically trigger a review of the Roboto Studio incident response procedure. This review SHALL:

  • Occur within one week of completing the Recover step for the incident.
  • Determine the effectiveness of the incident response, identifying any areas where the response could be made more effective or efficient.

Separately to the post-incident reviews, this policy and accompanying procedure SHALL be reviewed at least annually by the Roboto Studio CISO and updated as needed to reflect changes to the business or risk environment. Reviews SHALL be recorded in the Version History section of this document.

Version History

A list of all the versions including their version, author, date and comments.

Version | Author | Date | Comments
0.1 | Joe Pindar (Fresh Security) | 2022-05-16 | First Draft
1.0 | Joe Pindar (Fresh Security) | 2022-06-01 | Sign Off
1.1 | Joe Pindar (Fresh Security) | 2023-10-01 | Explicitly add generative AI as a security incident example. Add policy review schedule. Review for best practice alignment.


© 2024 Roboto Studio Ltd - 11126043
Roboto Studio Ltd, 86-90 Paul Street, London, EC2A 4NE
Registered in England & Wales | VAT Number 426637679