OBrien Martech Consulting Cyber Incident Response Plan

1. Purpose. The purpose of this cyber incident response plan (“IRP”) is to provide a structured and systematic incident response process for all information security incidents (as defined in Section 4, Definitions) that affect any of OBrien Martech Consulting’ information technology (“IT”) systems, network, or data, including OBrien Martech Consulting’ data held or IT services provided by third-party vendors or other service providers.

1.1 Specifically, OBrien Martech Consulting intends for this IRP to:

(a) Define OBrien Martech Consulting' cyber incident response process and provide step-by-step guidelines for establishing a timely, consistent, and repeatable incident response process.

(b) Assist OBrien Martech Consulting and any applicable third parties in quickly and efficiently responding to and recovering from different levels of information security incidents.

(c) Mitigate or minimize the effects of any information security incident on OBrien Martech Consulting, clients, employees, or others.

(d) Help OBrien Martech Consulting consistently document the actions it takes in response to information security incidents.

(e) Reduce overall risk exposure for OBrien Martech Consulting.

(d) Engage stakeholders and drive appropriate participation in resolving information security incidents while fostering continuous improvement in OBrien Martech Consulting' information security program and incident response process.

1.2 OBrien Martech Consulting developed and maintains this IRP as may be required by applicable laws and regulations.

2. Scope. This IRP applies to all OBrien Martech Consulting business groups, divisions, and subsidiaries; their employees, contractors, officers, and directors; and OBrien Martech Consulting' IT systems, network, data, and any computer systems or networks connected to OBrien Martech Consulting' network.

2.1 Other Plans and Policies. OBrien Martech Consulting may, from time to time, approve and make available more detailed or location or work group-specific plans, policies, procedures, standards, or processes to address specific information security issues or incident response procedures. Those additional plans, policies, procedures, standards, and processes are extensions to this IRP. You may find approved information security policies and other resources here.

3. Accountability. OBrien Martech Consulting has designated officer Mani O’Brien to implement and maintain this IRP (the “information security coordinator”).

3.1 Information Security Coordinator Duties. Among other information security duties, as defined in OBrien Martech Consulting' written information security program (“WISP”) available here, the information security coordinator shall be responsible for:

(a) Implementing this IRP.

(b) Identifying the incident response team (“IRT”) and any appropriate sub-teams to address specific information security incidents, or categories of information security incidents (see Section 5, Incident Response Team).

(c) Coordinating IRT activities, including developing, maintaining, and following appropriate procedures to respond to and document identified information security incidents (see Section 6, Incident Response Procedures).

(d) Conducting post-incident reviews to gather feedback on information security incident response procedures and address any identified gaps in security measures (see Section 6.7, Post-Incident Review).

(e) Providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of this IRP (see Section 7, Plan Training and Testing).

(f) Reviewing this IRP at least annually, or whenever there is a material change in OBrien Martech Consulting' business practices that may reasonably affect its cyber incident response procedures (see Section 8, Plan Review).

3.2 Enforcement. Violations of or actions contrary to this IRP may result in disciplinary action, in accordance with OBrien Martech Consulting' information security policies and procedures and human resources policies.

4. Definitions. The terms defined below apply throughout this IRP:

4.1 “Confidential Information.” Confidential information means information, as defined in OBrien Martech Consulting' WISP available at WISP, that may cause harm to OBrien Martech Consulting or its clients, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available.

4.2 “Personal Information.” Personal information means individually identifiable information, as defined in OBrien Martech Consulting' WISP available at WISP, that OBrien Martech Consulting' owns, licenses, or maintains and that is from or about an individual including, but not limited to (a) first and last name; (b) home or other physical address, including street name and name of city or town; (c) email address or other online information, such as a user name and password; (d) telephone number; (e) government-issued identification or other number; (f) financial or payment card account number; (g) date of birth; (h) health information, including information [regarding the individual’s medical history or mental or physical condition, or medical treatment or diagnosis by a health care professional/created or received by OBrien Martech Consulting; and (i) any information that is combined with any of (a) through (h) above.

4.3 “Information Security Incident.” Information security incident means an actual or reasonably suspected (a) loss or theft of confidential or personal information; (b) unauthorized use, disclosure, acquisition of or access to, or other unauthorized processing of confidential or personal information that reasonably may compromise the privacy or confidentiality, integrity, or availability of confidential or personal information; or (c) unauthorized access to or use of, inability to access, loss or theft of, or malicious infection of OBrien Martech Consulting' IT systems or third party systems that reasonably may compromise the privacy or confidentiality, integrity, or availability of confidential or personal information or OBrien Martech Consulting' operating environment or services.

5. Incident Response Team. The incident response team (“IRT”) is a predetermined group of OBrien Martech Consulting employees and resources responsible for responding to information security incidents.

5.1 Role. The IRT provides timely, organized, informed, and effective response to information security incidents to (a) avoid loss of or damage to OBrien Martech Consulting' IT systems, network, and data; (b) minimize economic, reputational, or other harms to OBrien Martech Consulting and its clients, employees, and partners; and (c) manage litigation, enforcement, and other risks.

5.2 Authority. Through this IRP, OBrien Martech Consulting authorizes the IRT to take reasonable and appropriate steps necessary to mitigate and resolve information security incidents, in accordance with the escalation and notification procedures defined in this IRP.

5.3 Responsibilities. The IRT is responsible for:

(a) Addressing information security incidents in a timely manner, according to this IRP.

(b) Managing internal and external communications regarding information security incidents.

(d) Reprioritizing other work responsibilities to permit a timely response to information security incidents on notification.

5.4 IRT Roster. The IRT consists of a core team, led by the information security coordinator, with representatives from key OBrien Martech Consulting groups and stakeholders. The current IRT roster includes the following individuals:

Managing Partner, Mani O’Brien at hello@maniobrien.co

(a) Sub-Teams and Additional Resources. The information security coordinator assigns and coordinates the IRT for any specific information security incident according to incident characteristics and OBrien Martech Consulting needs. The information security coordinator may:

(i) Identify and maintain IRT sub-teams to address specific information security incidents, or categories of information security incidents.

(ii) Call on external individuals, including vendor, service provider, or other resources, to participate on specific-event IRTs, as necessary.

6. Incident Response Procedures. OBrien Martech Consulting shall develop, maintain, and follow incident response procedures as defined in this Section 6 to respond to and document identified information security incidents.

OBrien Martech Consulting recognizes that following initial escalation, the information security incident response process is often iterative, and the steps defined in Sections 6.3, Investigation and Analysis; 6.4, Containment, Remediation, and Recovery; 6.5, Evidence Preservation; and 6.6, Communications and Notification may overlap or the IRT may revisit prior steps to respond appropriately to a specific information security incident.

OBrien Martech Consulting may, from time to time, approve and make available more specific procedures for certain types of information security incidents. Those additional procedures and checklists are extensions to this IRP. You may find approved information security policies and other resources here.

6.1 Detection and Discovery. OBrien Martech Consulting shall develop, implement, and maintain procedures to detect, discover, and assess potential information security incidents through automated means and individual reports.

(a) Automated Detection. OBrien Martech Consulting shall develop, implement, and maintain automated detection means and other technical safeguards, as described in OBrien Martech Consulting’ WISP available here.

(b) Reports from Employees or Other Internal Sources. Employees, or others authorized to access OBrien Martech Consulting’ IT systems, network, or data, shall immediately report any actual or suspected information security incident to Mani O’Brien. Individuals should report any information security incident they discover or suspect immediately and must not engage in their own investigation or other activities unless authorized.

(c) Reports from External Sources. External sources who claim to have information regarding an actual or alleged information security incident should be directed to Mani O’Brien. Employees who receive emails or other communications from external sources regarding information security incidents that may affect OBrien Martech Consulting or others, security vulnerabilities, or related issues shall immediately report those communications to Mani O’Brien and shall not interact with the source unless authorized.

(d) Assessing Potential Incidents. OBrien Martech Consulting shall assign resources and adopt procedures to timely assess automated detection results, screen internal and external reports, and identify actual information security events. OBrien Martech Consulting shall document each identified information security incident.

6.2 Escalation. Following identification of an information security incident, the information security coordinator, or a designate, shall perform an initial risk-based assessment and determine the level of response required based on the incident’s characteristics, including affected systems and data, and potential risks and impact to OBrien Martech Consulting and its clients, employees, or others.

Based on the initial assessment, the information security coordinator, or a designate, shall:

(a) IRT Activation. Notify and activate the IRT, or a sub-team, including any necessary external resources (see Section 5.4, IRT Roster).

(b) IRT Expectations. Set expectations for IRT member replay and engagement.

(c) Initial Notifications. Notify (if necessary) organizational leadership and any applicable business partners or service providers, OBrien Martech Consulting' cyber insurance carrier, and law enforcement or other authorities (see Section 6.6, Communications and Notifications).

6.3 Investigation and Analysis. On activation, the IRT shall collaborate to investigate each identified information security incident, analyze its affects, and formulate an appropriate response plan to contain, remediate, and recover from the incident.

The IRT shall document its investigation and analysis for each identified information security incident.

6.4 Containment, Remediation, and Recovery. Next, the IRT shall direct execution of the response plan it formulates according to its incident investigation and analysis to contain, remediate, and recover from each identified information security incident, using appropriate internal and external resources (see Section 6.3, Investigation and Analysis).

The IRT shall document its response plans and the activities completed for each identified information security incident.

6.5 Evidence Preservation. The IRT shall direct appropriate internal or external resources to capture and preserve evidence related to each identified information security incident during investigation, analysis, and response activities (see Sections 6.3, Investigation and Analysis and 6.4, Containment, Remediation, and Recovery). The IRT shall seek counsel’s advice, as needed, to establish appropriate evidence handling and preservation procedures and reasonably identify and protect evidence for specific information security incidents.

6.6 Communications and Notifications. For each identified information security incident, the IRT shall determine and direct appropriate internal and external communications and any required notifications. Only the IRT may authorize information security incident-related communications or notifications. The IRT shall seek counsel’s advice, as needed, to review communications and notifications targets, content, and protocols.

(a) Internal Communications. The IRT shall prepare and distribute any internal communications it deems appropriate to the characteristics and circumstances of each identified information security incident.

(i) Organizational Leadership. The IRT shall alert organizational leadership to the incident and explain its potential impact on OBrien Martech Consulting, its [customers/clients], employees, and others as details become available.

(ii) General Awareness and Resources. As appropriate, the IRT shall explain the incident to OBrien Martech Consulting' employees and other stakeholders and provide them with resources to appropriately direct questions from clients, media, or others.

(b) External Communications. The IRT shall prepare and distribute any external communications it deems appropriate to the characteristics and circumstances of each identified information security incident.

(i) Public Statements. If OBrien Martech Consulting determines that external statements are necessary, the IRT shall provide consistent, reliable information to the media and public regarding the incident using OBrien Martech Consulting' website, press releases, or other means.

(ii) Law Enforcement. The IRT shall report criminal activity or threats to applicable authorities, as OBrien Martech Consulting deems appropriate.

(c) Notifications. While the IRT may choose to authorize discretionary communications, certain laws, regulations, and contractual commitments may require OBrien Martech Consulting to notify various parties of some information security incidents. If applicable to a specific information security incident, as required, the IRT shall:

(i) Authorities. Notify applicable regulators, law enforcement, or other authorities.

(ii) Affected Individuals. If an applicable breach of personal information occurs, prepare and distribute notifications to affected individuals.

(iii) Cyber Insurance Carrier. Notify OBrien Martech Consulting' cyber insurance carrier according to the terms and conditions of its current policy, including filing a claim, if appropriate.

(iv) Others. Notify clients or business partners according to current agreements.

6.7 Post-Incident Review. At a time reasonably within 10 days each identified information security incident, the information security coordinator, or a designate, shall reconvene the IRT, others who participated in response to the incident, and affected work group representatives, as appropriate, as a post-incident review team to assess the incident and OBrien Martech Consulting' response.

(a) Review Considerations. The post-incident review team shall consider OBrien Martech Consulting' effectiveness in detecting and responding to the incident and identify any gaps or opportunities for improvement. The post-incident review team shall also seek to identify one or more root causes for the incident and, according to risk, shall recommend appropriate actions to minimize the risks of recurrence.

(b) Report. The post-incident review team shall document its findings in a sufficiently detailed report.

(c) Follow-Up Actions. The information security coordinator shall monitor and coordinate completion of any follow-up actions identified by the post-incident review team, including communicating its recommendations to and seeking necessary authorization or support from OBrien Martech Consulting leadership.

7. Plan Training and Testing.

7.1 Training. The information security coordinator shall develop, maintain, and deliver training regarding this IRP that periodically:

(a) Informs all employees, and others who have access to OBrien Martech Consulting' IT systems, network, or data, about the IRP and how to recognize and report potential information security incidents.

(b) Educates IRT members on their duties and expectations for responding to information security incidents.

The information security coordinator may choose to include training on this IRP in other information security training activities, as defined in OBrien Martech Consulting’ WISP available at WISP.

7.2 Testing. The information security coordinator shall coordinate exercises to test this IRP periodically. The information security coordinator shall document test results, lessons learned, and feedback and address them in plan reviews (see Section 8, Plan Review).

8. Plan Review. OBrien Martech Consulting will review this IRP at least annually, or whenever there is a material change in OBrien Martech Consulting' business practices that may reasonably affect its cyber incident response procedures. Plan reviews will also include feedback collected from post-incident reviews and training and testing exercises. The information security coordinator must approve any changes to this IRP and is responsible for communicating changes to affected parties.

9. Effective Date. This IRP is effective as of Jan 1, 2022.

9.1 Revision History.

(a) Original publication: Jan 1, 2022.