This policy was last reviewed July 21, 2023.
1. Purpose
The purpose of the Peerceptiv Incident Management Policy is to establish the rules and procedures for Peerceptiv’s response to and management of responses to security incidents affecting Peerceptiv Information Resources.
2. Scope
The Peerceptiv Incident Management Policy applies to all Peerceptiv staff and contractors and covers all Peerceptiv Information Resources.
3. Maintenance
This Policy will be reviewed annually or as deemed appropriate based on changes in technology or regulatory requirements.
4. Enforcement
Violations of this Policy may result in suspension or loss of the violator’s use privileges with respect to Peerceptiv Information Systems. Additional administrative sanctions may apply, up to and including termination of employment or contractor status with the Company. Civil, criminal and equitable remedies may apply.
5. Exceptions
Exceptions to this Policy must be approved by the Chief Technology Officer (“CTO”) and formally documented. Policy exceptions will be reviewed on a periodic basis for appropriateness with all exceptions reviewed at least annually.
6. Policy
6.1 Reporting
Peerceptiv staff are required to promptly report possible or known information security and confidentiality violations to management. Possible incidents include but are not limited to:
- Infrastructure incident: any event considered to be a malicious action that causes a failure, interruption, or loss in availability to any Peerceptiv Information Resource.
- Data incident: any loss, theft, or compromise of Peerceptiv information.
- Unauthorized access incident: any unauthorized access to a Peerceptiv Information Resource.
6.2 Computer Emergency Response Plans
Peerceptiv management will prepare, periodically update, and regularly test emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service.
6.3 Incident Response Plan Contents
The Peerceptiv incident response plan must include roles, responsibilities, and communication strategies in the event of a compromise, including notification of relevant external partners. Specific areas covered in the plan MUST include:
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises
- Identification and coverage for all critical system components
6.4 Incident Response Testing
At least once every year Peerceptiv will test its incident response plans. Where appropriate, tests will be integrated with testing of related plans (Business Continuity Plan, Disaster Recovery Plan, etc.) where such plans exist. The results of these tests will be documented and shared with key stakeholders.
6.5 Incident Response and Recovery
A security incident response capability will be developed and implemented for all information systems that house or access Peerceptiv controlled information. The incident response capability will include a defined plan and will address all stages of incident response.
- To facilitate incident response operations, responsibility for incident handling operations will be assigned to an incident response team. If an incident occurs, the members of this team will be charged with executing the incident response plan. To ensure that the team is fully prepared for its responsibilities, all team members will be trained in incident response operations on an annual basis.
- Incident response plans will be reviewed and, where applicable, revised on an annual basis. The reviews will be based upon the documented results of previously conducted tests or live executions of the incident response plan. Upon completion of plan revision, updated plans will be distributed to key stakeholders.
6.6 Intrusion Response Procedures
Peerceptiv staff will document and periodically revise the Incident Response Plan with intrusion response procedures. These procedures include the sequence of actions that staff must take in response to a suspected information system intrusion, who has the authority to perform what responses, and what resources are available to assist with responses. All staff expected to follow these procedures must be periodically trained in and otherwise acquainted with these procedures.
6.7 Reporting to Third Parties
Unless prevented by law or regulation, Peerceptiv commits to reporting security incidents to affected third parties and customers. When possible, Peerceptiv will inform customers of a possible data breach or disclosure within 48 hours of discovering such a breach. Additionally, in the event of a general data breach, Peerceptiv will prominently disclose such a breach via standard publication mediums and this website. Where possible, Peerceptiv will report incidents to relevant local, state, or federal law enforcement.