Security Incident Reporting SOP
Version 3.00
(Publication Scheme)
Compliance Record
Contents
1. Purpose
5. Incident Management
8. Recording
9. External Reporting
Appendices
1. Purpose
1.1 This Standard Operating Procedure (SOP) supports the following policies of the Police Service of
Scotland, hereafter referred to as Police Scotland:
Information Security Policy
Data Protection Policy
1.2 HMG Security Policy Framework (SPF) requires Police Scotland to put in
place effective systems for detecting, reporting and responding to information
security incidents:
“Policies and processes will be in place for reporting, managing and
resolving any security incidents. Where systems have broken down or
individuals have acted improperly, the appropriate action will be taken”.
1.3 As a member of the National Policing Community, member forces must also
ensure that adequate resources are assigned to information security incident
management and investigation.
1.4 The Data Protection Act 2018 (DPA) and the General Data Protection
Regulations 2018 (GDPR) make notification of data breaches to the
Information Commissioner's Office (ICO) mandatory. The DPA and the GDPR
define a personal data breach as:
“A breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data
transmitted, stored or otherwise processed”.
1.4 This SOP defines what a security incident is, how it should be reported and
outlines the different types of outcomes.
2.3 Information security incidents are those that breach the physical, personal,
procedural or technical controls in place to protect the Confidentiality, Integrity
or Availability of information that is held on any media including paper and
electronic storage devices.
Confidentiality – incidents relating to accidental or intentional leakage of
confidential data, passwords etc. to unauthorised personnel
Integrity – accidental or intentional damage to, or inaccuracies in, data
Availability – accidental or deliberate disruption or absence of
information and information services.
2.5 Information Security Incidents can arise from a multitude of scenarios, some of which
are immediately obvious and others less so, especially when
exchanging information or dealing with unusual events. A list of the more
common information security incident types is provided below:
e-mail misuse
ID cards/ keys/ warrants – lost, missing, stolen, not returned
Physical security breaches
Procedural
Unauthorised disclosure
System misuse
Unauthorised access to systems or data
Internet misuse
Unauthorised personnel on premises
Account sharing
Loss or theft of technology assets
Paper documents – loss/theft/missing/found at inappropriate location
Breach or loss of Cryptographic material
Data storage incidents
Vetting breaches
Removable media loss/theft/unencrypted
Social engineering events
Use of unauthorised equipment
Insecure disposal of media or documents
Loss or theft of uniforms
2.6 Incidents relating to personal data can also be included in the categories
above; however, some specific examples are:
Fax, e-mail or paper document with personal data being sent to the
incorrect recipient
Unauthorised disclosure of personal information
Loss of unencrypted computer media containing personal data
Finding paper or electronic records in non-police locations
Information lost in transit (case files etc.)
Unauthorised copying and removal of personal data
Unauthorised changes or deletions of personal data
2.7 An Information Security Incident may also relate to Cyber or ICT and must be
reported directly to the ICT Service Desk. This reporting must be in addition to
or in advance of the report to Information Assurance in order to assure
speedy mitigation and escalation to the ICT teams.
3.2 All Police Officers, Police Staff, Agency Staff and Contractors should also
consider the potential for a breach of information security when dealing with
unusual events and notify the Information has been removed due to its
content being exempt in terms of the Freedom of Information (Scotland)
Act 2002, Section 30, Prejudice to effective conduct of public affairs for
advice or assistance.
3.3 Line Managers are responsible for ensuring all staff under their supervision
are made aware of and have access to the Information Security Incident
Reporting SOP.
3.5 The Head of Information Management is responsible for ensuring the timely
submission of relevant security reports to the Information Governance Board
and where necessary escalation to the Senior Information Risk Owner
(SIRO).
3.6 Technical Audit & Assurance team (TAA) is responsible for ensuring the
accurate recording, investigation and reporting of all Cyber/ICT incidents.
4.2 Where it is not possible for staff to inform their line management at the time of
the incident, the member of staff should e-mail the ISO mailbox directly and
mark the e-mail Urgent.
4.3 Line managers should attach a completed Security Incident Reporting Form
(Force Form 081-001).
5. Incident Management
5.1 On receiving a report to the ISO mailbox, a member of the Information
Assurance Team will be identified as the single point of contact for
coordinating and communicating with the reporting officer.
5.2 The Information Security Manager (ISM) will have overall responsibility for
incident management and risk mitigation.
5.3 The ISM is responsible for ensuring the identification and appropriate
management of incidents in accordance with GovCert and Police Warning,
Advice and Reporting Point (PolWARP) Procedures.
5.4 The TAA Team is responsible for the identification, coordination and
appropriate management of fast-time Cyber/ICT incidents and will provide the
ISM with regular progress updates.
6.2 The TAA Team will take responsibility for managing the incident and will
allocate the appropriate resources to mitigate the threat.
6.3 The TAA Manager will provide the ISM with an account of the progress and
outcomes of all reported ICT related incidents.
7.2.1 In the event of a large or serious information security incident that is likely to
put Police Scotland or the wider Police community at risk, it will be
necessary to set up a strategic group. When a fast-time incident is identified,
the senior on-duty ICT Manager or ISM will notify the Senior Information Risk
Owner (SIRO), who will be responsible for setting up the strategic group.
7.2.2 Technology based incidents will be managed through the ICT critical incident
process which may either run in tandem or be integrated as part of the overall
Strategic group.
7.2.3 The group will be responsible for the investigation and for mitigating the risk. This
will also include communication and escalation where required:
The strategic group will identify and action any immediate steps necessary
to (a) prevent further information loss and (b) preserve evidence.
Inform the Information Asset Owner (IAO).
Set Gold, Silver and Bronze designations at an appropriate level,
dependent on the risk.
Inform the duty press officer for the preparation of a press release.
Consider the call out of specialist officers.
Notify the Head of Professional Standards / Anti-Corruption Unit as
appropriate and advise of any inference of criminality or misconduct.
In consultation with the SIRO and the ISM, consider the timely
dissemination of information to other affected agencies, individuals and
departments.
The ISM in consultation with the Information Asset Owner and ICT will
assess the risks associated with the incident, consider the development of
a recovery plan and submit a risk escalation report to the strategic group
and SIRO.
The Information Manager (Assurance) will assess the incident in terms of
the General Data Protection Regulations (GDPR) and consider whether the
breach should be notified to the Information Commissioner's Office.
8. Recording
8.1 A record of all reported incidents will be maintained on the corporate
Information Security Incident Log. This will be maintained by Information
Assurance.
8.2 Where appropriate, risks identified that are above the risk appetite will be
escalated to the corporate risk register by the Head of Information
Management.
8.3 Records of Information Security logs and reports will be retained and weeded
in alignment with the Records Retention SOP.
9. External Reporting
9.1 In compliance with the DPA and GDPR, High Risk Data Loss breaches will be
reported to the Information Commissioner's Office within the 72-hour deadline
from being made aware.
9.2 Slow-time incidents will be shared quarterly with the National Policing
Information Risk Management Team.
9.3 Data Loss incidents are reported quarterly to the SPA Audit Committee.
Appendix ‘A’
Appendix ‘B’
Policy
Guidance
Appendix ‘C’