Document Title: QCards Incident Management Policy
Last Updated: November 2020
Next Review:

Incident Management Policy

QCards is a publishing house dedicated to producing card-based games and activities that enhance social and emotional well-being, providing fun and engaging ways to help people explore their inner selves and develop new insights into achieving and maintaining a sense of personal well-being.

This policy forms a constituent part of QCards’ overall information security framework, which sets out the governance and accountability for information security and the way in which QCards controls and manages it. QCards takes information security very seriously and understands that prompt action is necessary in the event of any actual or suspected breach of information security or confidentiality, in order to avoid the risk of harm to individuals (including Staff members, customers and clients), damage to business operations, and severe financial, legal and reputational costs to QCards. Action taken by QCards may include reporting such breaches to the governing regulatory bodies within QCards’ areas, regions and countries of operation, as required, and to any other third-party providers who have a need to know.

Scope

This policy applies to all aspects of QCards’ operations, including contracted vendors involved in activities that cause, or require the resolution of, Incidents. Therefore, the scope of this Incident Management Policy includes the following:

  • All IT-supported locations
  • All environments subject to the Incident Management Policy, as determined by the Management Team (MT) of QCards
  • Vendor-owned Incidents under IT service provider management
  • Vendor/Partner owned Incidents under Vendor management
  • IT service provider owned but Vendor supported Incidents

What appears to be a physical security or IT issue may also be an Incident, and vice versa. Examples of Incidents include, but are not limited to:

  • Accidental or deliberate disclosure of Protected Information to unauthorised individuals;
  • Unauthorised sharing of Protected Information with an external cloud storage service or contractor;
  • Loss or theft of paper or electronic records, or equipment such as tablets, laptops and smartphones or other devices on which data is stored;
  • Inappropriate access controls allowing unauthorised use of Protected Information;
  • Attempts to gain unauthorised access to computer systems, e.g. hacking;
  • Records altered or deleted without authorisation by the data “owner”;
  • Introduction of malware into a computer or network, e.g. a phishing or ransomware attack;
  • Denial-of-service or other cyber-attack on IT systems or networks;
  • A power outage that affects access to IT systems and information services;
  • “Blagging” offences where Protected Information is obtained by deception;
  • Breaches of physical security, e.g. forcing of doors or windows into a secure room, or a filing cabinet containing Protected Information left unlocked in an accessible area;
  • Leaving IT equipment unattended while logged in to a user account without locking the screen, allowing others to access Protected Information;
  • Audible discussion of confidential topics in public;
  • Covert or unauthorised recording of meetings and presentations.

1.    DEFINITIONS

  • Incident. For the purposes of this policy, an Incident shall be defined as an event that affects, or has the potential (‘near miss’) to affect, the daily operations of QCards. An Incident may include, but shall not necessarily be restricted to, the following:
      • An event causing a breach, loss and/or corruption of Protected Information, as defined herein, or that has the potential to affect the confidentiality, integrity or availability of the Protected Information;
      • An event which may or may not have the potential to cause financial and/or reputational damage to QCards;
      • A breach of the terms, conditions, policies and requirements of any marketplace platforms used by QCards;
      • An event that requires QCards to respond in a way that is not part of QCards’ ordinary course of business.
  • Protected Information. Protected Information shall include, but shall not necessarily be limited to:
      • financial information;
      • intellectual property;
      • Staff details;
      • Personally Identifiable Information (PII) of any kind entrusted to QCards for whatever purpose;
      • Any such information as has been entrusted to QCards by third parties;
      • Protected Information created and/or received by QCards in any format, whether used in the workplace, stored on portable devices and media, transported from the workplace physically or electronically, or accessed remotely;
      • All IT systems managed by, or on behalf of, QCards; and
      • Any other IT systems on which QCards’ information is held or processed, regardless of its format or where it is stored.

Protected Information may appear in any format including, but not necessarily limited to, paper and electronic documents and records, email, voicemail, still and moving images and sound recordings, the spoken word, data stored on computers or tapes, transmitted across networks, printed out or written on paper, carried on portable devices, sent by post, courier or fax, posted onto intranet or internet sites, or communicated using social media.

  • Encryption. The process of using a cipher, algorithm or key to convert plaintext into ciphertext so that it cannot be read without using the corresponding key to convert it back into plaintext.
  • Users. Staff members of QCards, developers, any other third-party operators, or any other such person, business or organisation, as the case may be, who, as part of QCards’ business operations, has been granted legitimate access to Protected Information.

2.      PURPOSE

  • The purpose and objective of this Policy is to set out a framework for monitoring, detecting and responding to potential threats and Incidents. QCards shall incorporate detective and corrective controls and measures into operational practice that are designed to recognise and respond to events and Incidents, minimise adverse impacts, gather forensic evidence (where applicable), and appropriately report any Incidents and/or breaches, as may be required by a regulatory body within QCards’ areas, regions and countries of operation or by any other applicable third-party requirements to which QCards is subject as a result of conducting business.
  • This policy shall support the prompt and consistent control and management of Incidents in order to minimise any harm to individuals or to QCards, reduce the risk of illegal and unsuitable transactions insofar as this is within QCards’ control, take corrective action where required, and reduce the risk of future Incidents.
  • This policy and its supporting procedures provide a clear and consistent methodology to help ensure that actual and suspected Incidents and near misses are:
      • reported promptly and escalated to the right people, who can take timely and appropriate action;
      • recorded accurately and consistently to assist investigation and highlight any actions necessary to strengthen information security controls.
  • QCards shall deploy all such lawful and proportionate measures to safeguard Protected Information for which QCards has a responsibility. This shall include, but not be limited to:
      • monitoring traffic on its IT networks and systems to detect, and alert Staff members to, actual and potential cyber security attacks and system outages;
      • maintaining adequate logs and evidence to enable investigation of Incidents and to preserve the chain of custody where this information is required for legal or evidential purposes.
  • To comply with the provisions of this Policy, to enhance the security of QCards’ Protected Information for business purposes and to follow good practice.
  • To ensure a consistent approach to accessing, storing, processing and/or managing the Protected Information.
  • To protect the rights of QCards, its Staff members, Customers and Clients.

3.     AIMS OF THE POLICY:

  • To set out the process to be followed in relation to incident management across the business operations of QCards. This includes:
      • Monitoring processes and procedures and responding to changes in an effective and transparent way;
      • Detecting and identifying Incidents;
      • Responding to and reporting Incidents and ‘near misses’. QCards’ reporting responsibilities may include processes to be followed as per third-party requirements, e.g. Amazon;
      • Investigating and managing Incidents to protect against future Incidents.
  • To take account of existing internal and statutory reporting requirements and/or any other applicable third-party requirements to which QCards is subject as a result of conducting its business online.
  • To ensure that the Protected Information is lawfully, fairly, ethically and transparently accessed, stored, processed and/or managed in accordance with the specific requirements, including legal and regulatory requirements, and the purpose of such Protected Information. This shall mean:
      • Not accessing, storing, processing and/or managing Protected Information in a way other than that specifically authorised for operational and/or business process purposes;
      • Requiring all Users to handle the Protected Information with such care as would be taken by a reasonable entity of the same or similar kind accessing, storing, processing and/or managing Protected Information;
      • Putting measures in place to minimise the risk of any Protected Information being breached, including but not limited to attempts to pirate, duplicate or compromise such Protected Information;
      • Accessing, storing, processing and/or managing the Protected Information for specific, explicit and legitimate purposes only, and not further accessing, storing, processing and/or managing it in a manner incompatible with those purposes (purpose limitation);
      • Being clear about the purpose of accessing, storing, processing and/or managing Protected Information and how this will be done; and
      • Ensuring that any additional accessing, storing, processing and/or managing of the Protected Information is fair and acceptable.
  • To access, store, process and/or manage the Protected Information in a manner that ensures appropriate security.
  • To protect QCards from the risks of an Incident.

4.    CONTROL AND MANAGEMENT

  • Only Users who have been authorised to access, store, process and/or manage the Protected Information as part of their employment, supplier or ownership roles and responsibilities may access such Protected Information.
  • No Protected Information may be shared informally.
  • The MT of QCards will provide training to all Staff members to help them understand their responsibilities when handling Protected Information and what to do in the event of an Incident, to ensure that Incidents are dealt with swiftly and efficiently. This training shall be conducted annually, or sooner if there are changes to legal and/or company requirements.
  • Protected Information should not be disclosed to any unauthorised persons, either within QCards or externally.
  • All Users who are given access to Protected Information, in whatever format and through whatever medium, shall have a responsibility to:
      • Minimise the risk of vital or confidential Protected Information being lost or falling into the hands of people who do not have the right to see it;
      • Protect the security and integrity of any security measures, including IT systems, in which or on which vital or confidential Protected Information is stored, held and/or processed;
      • Report an Incident promptly so that appropriate action can be taken to minimise damage.
  • The MT is responsible for managing all Incidents. The MT shall, furthermore, be required to investigate and manage Users who were accountable for maintaining the integrity of the Protected Information.
  • In the event of an Incident or allegation of illegal activity, the MT shall be responsible for authorising the monitoring of User operations. This may include use of computers, email and the internet, and any and all other means necessary to investigate such Incidents. The MT shall also be responsible for reporting such Incidents, where necessary, to the relevant legal authorities and/or governing bodies and/or third parties, as required.
  • The MT of QCards shall be responsible for reporting, investigating and taking appropriate action in response to Incidents, including Incidents relating to IT systems and network security; for escalating major Incidents, as appropriate; for maintaining procedures for responding to Incidents (e.g. IT security breach scenarios); and for maintaining records of all Incidents for evidential, audit, analysis and reporting purposes. In all cases where an Incident involves Protected Information, the MT shall immediately investigate and resolve the issue.
  • The MT shall be responsible for investigating and recommending appropriate action in response to any Incidents and shall have oversight of action to be taken in response to loss or compromise of Protected Information, including systems and devices containing Protected Information. The MT shall be responsible for liaising with the relevant authorities, as appropriate and as required, and for reporting Incidents in line with regulatory and/or contractual requirements.
  • The MT shall be responsible for reporting, investigating and taking appropriate action to address Incidents of physical security and suspected attempts to gain unauthorised access to secure areas, and for escalating Incidents that need to be managed in accordance with the provisions of this policy, as applicable.

5.    QCards MAINTAINS PHYSICAL, ELECTRONIC AND PROCEDURAL MEANS TO SAFEGUARD AGAINST INCIDENTS:

  • Physical:
      • All physical records and files containing Protected Information are filed away in secure storage cabinets that can only be accessed by authorised Users.
  • Electronic:
      • Users shall be required to access Protected Information through personally identifiable, password-protected accounts. Passwords shall be strong and shall never be shared. Users shall not be permitted to create or use shared, generic or default logins. QCards shall make provision for regular access reviews and shall remove Users who no longer require access and/or are no longer authorised to access.
      • QCards shall have in place sufficient network protections to prevent unauthorised access to Protected Information, including denying access from unauthorised IP addresses and restricting access to approved and authorised Users.
      • Any Protected Information that is transmitted electronically may only be transferred over secure, encrypted connections.
      • Digitally stored Protected Information may not leave the premises of QCards without being encrypted first. This shall include laptops, mobile devices, flash drive devices and/or email transmission. This security control shall be enforced on all external endpoints, as applicable, as well as on internal communication channels.
      • QCards shall, within 72 (seventy-two) hours of receiving a legitimate request/submission, promptly and securely delete instances of personal/company information, insofar as this is in keeping with the law. QCards shall, within 90 (ninety) days of such request/submission, permanently and securely remove all live instances of such information, as required. Upon request, QCards shall provide written confirmation that such information has been permanently and securely destroyed.
  • Procedural:
      • Risk Assessments will be carried out annually by the MT.
      • QCards shall develop and maintain an Incident Plan and Log to monitor and manage Incidents. The Incident Plan and Log will include details of roles and responsibilities, define Incident types, define Incident response procedures, define escalation procedures, and set out reporting requirements based on the type of Incident and QCards’ legislative, regulatory and contractual reporting responsibilities.
      • QCards shall undertake to comply with all its obligations and responsibilities, as per legislative, regulatory and contractual requirements, insofar as these are applicable to the business operations of QCards.
      • Additional risk assessments will be carried out when:
          • New software/hardware is installed;
          • A new procedure is initiated;
          • New suppliers are onboarded;
          • There is a significant change to an existing procedure or to a legal, regulatory or contractual requirement.

6.    ROLES AND RESPONSIBILITIES FOR ONGOING SAFEGUARDING

  • This Policy will help QCards and its Staff members to understand their responsibilities in respect of monitoring, detecting and responding to Incidents by being aware of the potential security risks, which may include, but are not necessarily limited to:
      • Breaches of confidentiality, i.e. information being given out inappropriately;
      • Not complying with password requirements in relation to access to Protected Information;
      • External piracy attempts;
      • Illegal and/or unsuitable transaction attempts;
      • Not complying with the Protected Information storage requirements.
  • It is the responsibility of all Staff members to ensure that QCards meets its contractual and legal obligations in terms of the provision of services and the operational requirements of the business, so as to maximise the protection and integrity of the Protected Information in its possession as well as the protection and integrity of the business.
  • The MT shall be responsible for the following:
      • Keeping abreast of legislative, regulatory and contractual updates regarding protection responsibilities, risks and any emerging issues/concerns, as applicable;
      • Regularly reviewing QCards’ procedures, both internal and external;
      • Reviewing and approving any and all third-party agreements and/or contracts with parties that may handle any Protected Information on behalf of QCards, as required, with the aim of ensuring that such third parties’ roles and responsibilities are in line with those of QCards;
      • Aiming to ensure that all systems, services and equipment used meet acceptable security standards, including (but not necessarily limited to) encryption requirements, network management requirements, and access management requirements;
      • Regularly monitoring and performing checks and scans to ensure that security hardware and software are functioning properly;
      • Evaluating any third-party services QCards is considering using to access, store, process and/or manage Protected Information, including cloud computing and other third-party services.

7.    PROCEDURE FOR REPORTING AN INCIDENT:

  • Any Incident is to be reported immediately to Mr John Veeken; the reporter shall then complete an Incident Report (Appendix 1) containing as much information as possible.
  • The Incident Report shall be completed and submitted to Mr John Veeken within 12 (twelve) hours of the occurrence of an Incident, or within 24 (twenty-four) hours of when any Staff member and/or User became aware, or reasonably should have known, of an Incident that occurred. The Incident Report shall include a detailed description of the event, including the date, time, location, individual/s involved, and action taken.
  • The Staff member writing the Incident Report shall sign it and record the date and time it was completed before submitting it to Mr John Veeken.
  • The MT shall review all Incident Reports, verify appropriate follow-up, and then sign the report. Where indicated, the MT shall implement corrective action to prevent similar Incidents from occurring, and initiate any reporting obligations, as required.
  • Mr John Veeken shall, within 24 (twenty-four) hours or such other prescribed time frame, whichever is shorter, report the Incident to the relevant statutory, regulatory or contractual party, as required, e.g. Amazon.
  • An Incident investigation will begin without unreasonable delay.
  • If an Incident has occurred, the MT may request that action be taken to remove access, data or software from the equipment and/or storage facilities, as applicable. The MT shall have the authority to protect QCards against breaches of any Protected Information resulting from an Incident by whatever means is deemed necessary and reasonable.

8.    INVESTIGATING AN INCIDENT

  • An investigation will concentrate on identifying what actions or events led to the Incident and on identifying strategies to ensure that the Incident is addressed and controlled. Outcomes of investigations will be used to strengthen the safety systems and methods of safeguarding.
  • The MT must ensure that the Incident:
      • has been discussed with all parties involved;
      • has been controlled to an acceptable level;
      • has not created any new issues; and
      • can be considered as controlled and able to be signed off as closed.
  • The MT of QCards shall maintain the chain of custody for all evidence or records collected, and such documentation shall be available, as appropriate and upon request, to any governing body and/or contracting party.

9.    RISK MANAGEMENT AND MITIGATION

  • A member of the MT shall complete the following risk management activities for Incidents:
      • Remedy the cause.
      • Complete and sign off the Incident Report (Appendix 1) and the investigation, as required and if applicable.
      • Conduct an analysis to determine the root cause and include corrective actions in the Incident Report.
      • Complete the Incident Plan and Log.
      • Update strategies to address risk factors and risk levels.
  • A member of the MT shall implement the following risk mitigation strategies to prevent, reduce and manage the likelihood and/or severity of future Incidents:
      • Identify risk factors:
          • Incident history.
          • Social environment needs.
          • Physical environment needs.
      • Identify strategies to reduce the frequency of Incidents or reduce the severity of associated effects.
      • Train Staff members on the risk factors and risk mitigation strategies.
      • Implement preventive measures to reduce the level of risk of an Incident or negative outcome occurring.
      • Monitor risk mitigation strategies and update the strategies, as needed.

10.   EVALUATION AND MONITORING

  • All activities involving the accessing, storing, processing and/or managing of Protected Information shall be closely and routinely monitored as part of QCards’ risk assessment strategy.
  • The MT shall be responsible for reviewing reports of Incidents and recommending actions where necessary to strengthen security controls and measures in relation to Protected Information.
  • The MT shall monitor and review all information relating to Incidents and make a regular report regarding recommendations for further action and measures to be implemented to ensure the continued safeguarding of Protected Information, insofar as such is practical and reasonable.

11.   COMPLIANCE

  • The MT shall provide specific guidance on matters of compliance as they relate to the Staff member’s roles and responsibilities of employment.
  • Any Incident resulting from abuse and/or breach, including of Protected Information, may result in serious financial and/or reputational damage for both QCards and its Users and clients. Such Incidents may result in penalties for any such abuse and/or breach, which QCards shall pursue insofar as these are contractual. These penalties could include:
      • Civil and/or criminal sanctions, which could include financial penalties, if so regulated by law or contractual obligations.
      • Employer penalties: if a Staff member is found to have violated and/or misused Protected Information, through disclosure/breach and/or otherwise, they may be subject to disciplinary action, including termination of employment.

12.   REVIEW

  • This Policy shall be reviewed and updated regularly, at least annually or sooner, to ensure that it remains appropriate in the light of any relevant changes to the law, new threats, organisational policies or contractual obligations. All changes to this Policy will be communicated to all Users.
  • The MT shall be responsible for proposing updates to this Policy which will be reviewed annually and as required.
  • If necessary, proposals will be submitted identifying resources required to improve security measures to support the revised policies.
  • The MT, or such other designated person, shall be responsible for advising appropriate persons on the compliance with this Policy and its associated codes of practice.
  • The Incident Plan and Log document shall be reviewed and, as needed, updated at least every 6 (six) months.

Appendix 1:  Incident Report Form

Job: ____________________________
Date of Incident: ___/____/___
Time: _____ am/pm

1. What was the Incident/near miss?

 
 

2. Was any Protected Information compromised?  If yes, provide details.

 
 

3. What measures were taken to secure the Protected Information after the Incident?

 
 

4. Have all relevant and/or interested parties, including the Board and authorities (as applicable), been informed of the Incident?

 
 

5. What caused the Incident?

 
 

6. What actions/measures will be taken to eliminate future repeats of the Incident?

 
 

7. Management Team comments

 
 

8. Possible Staff training opportunities identified as a result of the Incident?

 
 

Signed by reporting Staff Member:

________________________________

Staff member

Date of sign off_________________

Signed off by the authorised member on behalf of the Management Team:

________________________________

Signed on behalf of the Management Team

________________________________

Full name of authorised signatory

Date of sign off_________________

Appendix 2:  Safeguarding Personally Identifiable Information (PII)

At QCards, we endeavour to be transparent about how we use, manage and secure any PII we collect as part of our business processes. We include herewith a brief statement on the security measures implemented. For further information on data protection and data management, as well as information on how we collect, use and disclose PII, and your rights in respect of that PII, kindly refer to the relevant policy.

  1. Data Governance

PII is collected and used for various different purposes, including:

  • To provide a service and products
  • To notify of any changes, as required
  • To enable the participation in any of QCards’ interactive features
  • To provide customer care and support
  • To provide analysis of the information to improve services and products
  • To monitor usage, sales and other such statistical information
  • To detect, prevent and address any technical issues
  • To detect, prevent, investigate and address any abnormal use, issues, abuse, etc.
  • Marketing promotions

The PII shall only be used for the purpose for which it was provided. At QCards we will abide by the privacy requirements and laws in relation to the collection, use, storage and disclosure to which such PII is subject.

PII is Protected Information and shall be afforded the same safeguarding, including storage, access and encryption requirements, as all other Protected Information. QCards shall maintain back-ups of received PII which shall be recoverable in the event of a data erase or systems crash.

  2. Data Logging and Monitoring

PII, like all of QCards’ Protected Information, shall be carefully monitored to protect against any security-related Incidents, including unauthorised access, tampering and configuration changes. QCards shall maintain an Incident Plan and Log, as per the Incident Management Policy, which shall be monitored and reviewed.

  3. Data Retention and Recovery

QCards collects and retains PII only to complete its obligations, e.g. delivery of products, and the PII will only ever be used for the purpose for which it was intended, for as long as is necessary and in accordance with legal and contractual requirements. QCards shall maintain back-ups of received PII which shall be recoverable in the event of a data erase or systems crash.

  4. Data Encryption and Storage

All Protected Information, including PII, shall be securely stored and subject to stringent access controls, as set out in the Incident Management Policy. Furthermore, that policy states that Protected Information shall only be transmitted over secure connections in an encrypted format, according to industry best-practice standards.

  5. Least Privilege Principle

All of QCards’ Protected Information, including PII, shall, in accordance with the Incident Management Policy, be protected by unique, role-based password access, and access shall only be granted on a “need-to-know” basis.
