
Information Security Incident Reporting

Standard Operating Procedure

Notice:

This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions.

Owning Department Professionalism & Assurance

Version Number 3.00 (Publication Scheme)

Date Published 23/09/2019

Version 3.00
(Publication Scheme)
Compliance Record

Equality Impact Assessment: Date Completed / Reviewed: 23/05/2018
Information Management Compliant: Yes
Health and Safety Compliant: Yes
Publication Scheme Compliant: No

Version Control Table

Version | History of Amendments | Approval Date
1.00 | Initial Approved Version | 28/11/2013
1.01 | Insertion of Sections 5, 6, 7, 8, 9 and 10. | 18/10/2013
1.02 | Section 3.4 “and observations under relevant codes of connection” inserted. Section 10.3 inserted. | 28/11/2013
2.00 | Cyclical review with update to new template. Name of SOP changed from Security Incident Reporting and Management to Information Security Incident Reporting. General review and addition of data loss reporting process for GDPR. | 23/05/2018
3.00 | Minor changes to hyperlink in paragraph 1.4 and Appendix ‘A’. | 23/09/2019

Contents
1. Purpose

2. Definition of Security Incident

3. Roles and Responsibilities

4. How to report a Security Incident

5. Incident Management

6. Cyber / ICT Incident Management

7. Fast Time Incident Management

8. Recording

9. External Reporting

Appendices

Appendix ‘A’ List of Associated Legislation

Appendix ‘B’ List of Associated Reference Documents

Appendix ‘C’ List of Associated Forms

1. Purpose

1.1 This Standard Operating Procedure (SOP) supports the following policies of the Police Service of Scotland, hereafter referred to as Police Scotland:
• Information Security Policy
• Data Protection Policy

1.2 The HMG Security Policy Framework (SPF) requires Police Scotland to put in place effective systems for detecting, reporting and responding to information security incidents:
“Policies and processes will be in place for reporting, managing and resolving any security incidents. Where systems have broken down or individuals have acted improperly, the appropriate action will be taken”.

1.3 As a member of the National Policing Community, member forces must also ensure that adequate resources are assigned to information security incident management and investigation.

1.4 The Data Protection Act 2018 (DPA) and the General Data Protection Regulations 2018 (GDPR) make notification of data breaches to the Information Commissioner's Office (ICO) mandatory. The DPA and the GDPR define a personal data breach as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

1.4 This SOP defines what a security incident is, how it should be reported, and outlines the different types of outcomes.

2. Definition of Information Security Incident

2.1 An information security incident is defined as any event that has led, or could lead, to a breach of policy, security, confidentiality, legislation or regulation that could result in the loss of, or damage to, Police Scotland information assets.

2.2 Incidents fall into the following categories:
• Slow Time incidents: involving the actual loss (or near miss) of personal or classified information assessed to present limited harm to individuals or the force, that are local in nature, and have no characteristics that require the greater police community to be immediately notified.
• Fast Time incidents: involving the actual loss of personal or sensitive police information that could cause significant harm to individuals or compromise information systems or networks.
• Data Loss incidents: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

2.3 Information security incidents are those that breach the physical, personal, procedural or technical controls in place to protect the Confidentiality, Integrity or Availability of information that is held on any media, including paper and electronic storage devices.
• Confidentiality – incidents relating to accidental or intentional leakage of confidential data, passwords etc. to unauthorised personnel
• Integrity – accidental or intentional damage to, or inaccuracies in, data
• Availability – accidental or deliberate disruption or absence of information and information services

2.4 An Information Security Incident may have a range of adverse impacts or cause harm in the following areas:
• Disruption of activities – personal or organisational
• Threat to personal safety
• Reputational damage
• Legal obligation
• Risk to the rights and freedoms of individuals
• Financial loss

2.5 Information Security Incidents can arise from a multitude of scenarios, some immediately obvious and others less so, especially when exchanging information or dealing with unusual events. A list of the more common information security incident types is provided below:
• e-mail misuse
• ID cards/ keys/ warrants – lost, missing, stolen, not returned
• Physical security breaches
• Procedural
• Unauthorised disclosure
• System misuse
• Unauthorised access to systems or data
• Internet misuse
• Unauthorised personnel on premises
• Account sharing
• Loss or theft of technology assets
• Paper documents – loss/theft/missing/found at inappropriate location
• Breach or loss of Cryptographic material
• Data storage incidents
• Vetting breaches
• Removable media loss/theft/unencrypted
• Social engineering events
• Use of unauthorised equipment
• Insecure disposal of media or documents
• Loss or theft of uniforms

2.6 Incidents relating to personal data can also be included in the categories above; however, some specific examples are:
• Fax, e-mail or paper document with personal data being sent to the incorrect recipient
• Unauthorised disclosure of personal information
• Loss of unencrypted computer media containing personal data
• Finding paper or electronic records in non-police locations
• Information lost in transit (case files etc.)
• Unauthorised copying and removal of personal data
• Unauthorised changes or deletions of personal data

2.7 An Information Security Incident may also relate to Cyber or ICT and must be reported directly to the ICT Service Desk. This reporting must be in addition to, or in advance of, the report to Information Assurance in order to assure speedy mitigation and escalation to the ICT teams.

2.8 Examples of Cyber/ICT related incidents are:
• Unplanned outage
• Malicious software attack
• Use of unauthorised software
• Loss or theft of technology assets
• Unauthorised equipment

3. Roles & Responsibilities

3.1 All Police Officers, Police Staff, Agency Staff and Contractors are responsible for the security of Police Scotland information and for reporting any incidents immediately as per section 4 of this SOP.

3.2 All Police Officers, Police Staff, Agency Staff and Contractors should also consider the potential for a breach of information security when dealing with unusual events and notify the [Information has been removed due to its content being exempt in terms of the Freedom of Information (Scotland) Act 2002, Section 30, Prejudice to effective conduct of public affairs] for advice or assistance.

3.3 Line Managers are responsible for ensuring all staff under their supervision are made aware of, and have access to, the Information Security Incident Reporting SOP.

3.4 The Information Security Manager is responsible for ensuring the accurate recording, investigation and reporting of all Police Scotland information security incidents. This includes the formulation of management reports for the Information Governance Board, the Audit & Risk Committee, the Information Commissioner's Office and the National Policing Information Risk Management Team.

3.5 The Head of Information Management is responsible for ensuring the timely submission of relevant security reports to the Information Governance Board and, where necessary, escalation to the Senior Information Risk Owner (SIRO).

3.6 The Technical Audit & Assurance team (TAA) is responsible for ensuring the accurate recording, investigation and reporting of all Cyber/ICT incidents.

3.7 The Professional Standards Department (PSD) is responsible for reporting all information security incidents and data loss breaches identified during their activities via e-mail to [Information has been removed due to its content being exempt in terms of the Freedom of Information (Scotland) Act 2002, Section 30, Prejudice to effective conduct of public affairs].

4. How to Report a Security Incident

4.1 In the event of an information security incident or potential incident, staff must immediately inform their line manager, who will separately provide e-mail notification to the [Information has been removed due to its content being exempt in terms of the Freedom of Information (Scotland) Act 2002, Section 30, Prejudice to effective conduct of public affairs] mailbox.

4.2 Where it is not possible for staff to inform their line management at the time of the incident, the member of staff should e-mail the ISO mailbox directly and mark the e-mail Urgent.

4.3 Line managers should attach a completed Security Incident Reporting Form (Force Form 081-001).

4.4 Cyber/ICT related information security incidents must be reported immediately to the ICT Service Desk on [Information has been removed due to its content being exempt in terms of the Freedom of Information (Scotland) Act 2002, Section 30, Prejudice to effective conduct of public affairs].

5. Incident Management

5.1 On receiving a report to the ISO mailbox, a member of the Information Assurance Team will be identified as the single point of contact for coordinating and communicating with the reporting officer.

5.2 The Information Security Manager (ISM) will have overall responsibility for incident management and risk mitigation.

5.3 The ISM is responsible for ensuring the identification and appropriate management of incidents in accordance with GovCert and Police Warning, Advice and Reporting Point (PolWARP) Procedures.

5.4 The TAA Team is responsible for the identification, coordination and appropriate management of fast time Cyber/ICT incidents and will provide the ISM with regular progress updates.

6. Cyber / ICT Incident Management

6.1 The ICT Service Desk will prioritise and categorise incidents according to impact and will escalate to the TAA team.

6.2 The TAA Team will take responsibility for managing the incident and will allocate the appropriate resources to mitigate the threat.

6.3 The TAA Manager will provide the ISM with an account of the progress and outcomes of all reported ICT related incidents.

7. Fast Time Incident Management

7.1 The line manager receiving a report in accordance with section 4 must:
• Identify and action any immediate steps necessary to (a) prevent further information loss and (b) preserve evidence
• Ensure that an e-mail report containing a completed form 081-001 has been sent to the ISO mailbox
• Liaise with the appointed IA SPOC and the ISM
• Liaise with TAA for Cyber/ICT related incidents

7.2 Serious Information Security Incident Management

7.2.1 In the event of a large or serious information security incident that is likely to put Police Scotland or the greater Police community at risk, it will be necessary to set up a strategic group. When a fast time incident is identified, the senior on-duty ICT Manager or the ISM will notify the Senior Information Risk Owner (SIRO), who will be responsible for setting up the strategic group.

7.2.2 Technology based incidents will be managed through the ICT critical incident process, which may either run in tandem with or be integrated as part of the overall Strategic group.

7.2.3 The group will be responsible for the investigation and for mitigating the risk. This will also include communication and escalations where required:
• The strategic group will identify and action any immediate steps necessary to (a) prevent further information loss and (b) preserve evidence.
• Inform the Information Asset Owner (IAO).
• Set Gold, Silver and Bronze designations at an appropriate level, dependent on the risk.
• Inform the duty press officer for the preparation of a press release.
• Consider the call out of specialist officers.
• Notify the Head of Professional Standards / Anti Corruption Unit as appropriate and advise of any inference of criminality or misconduct.
• In consultation with the SIRO and the ISM, consider the timely dissemination of information to other affected agencies, individuals and departments.
• The ISM, in consultation with the Information Asset Owner and ICT, will assess the risks associated with the incident, consider the development of a recovery plan and submit a risk escalation report to the strategic group and SIRO.
• The Information Manager (Assurance) will assess the incident in terms of the General Data Protection Regulations (GDPR) and consider whether the breach should be notified to the Information Commissioner’s Office.

8. Recording

8.1 A record of all reported incidents will be maintained on the corporate Information Security Incident Log. This will be maintained by Information Assurance.

8.2 Where appropriate, risks identified that are above the risk appetite will be escalated to the corporate risk register by the Head of Information Management.

8.3 Records of Information Security logs and reports will be retained and weeded in alignment with the Records Retention SOP.

9. External Reporting

9.1 In compliance with the DPA and GDPR, High Risk Data Loss breaches will be reported to the Information Commissioner's Office within the 72-hour deadline from being made aware of the breach.

9.2 Slow time incidents will be shared quarterly with the National Policing Information Risk Management Team.

9.3 Data Loss incidents are reported quarterly to the SPA Audit Committee.

Appendix ‘A’

List of Associated Legislation

• Data Protection Act 2018
• The General Data Protection Regulations 2018

Appendix ‘B’

List of Associated Reference Documents

Policy
• Information Security Policy
• Data Protection Policy

Standard Operating Procedures
• Information Security SOP
• Data Protection SOP

Guidance
• HMG Security Framework

Appendix ‘C’

List of Associated Forms

• Security Incident Reporting Form (Force Form 081-001)
