Roles and Responsibilities
Stream has a dedicated team of employees to act on data security and incident
response. These roles include, but are not limited to, the following:
- Chief Information Technology Security Officer
- Chief Data Privacy Officer
- Chief Security Officer
- Incident Response Team
Scope of Responsibilities
This policy supplements Stream.io's information security policy.
It applies to events and incidents affecting any Stream information
asset or information system. The policy applies to all Stream.io
Stream recognizes the importance of, and is committed to, effective information security
incident management in order to help protect the confidentiality and integrity of its
information assets and the availability of its information systems and services, to safeguard
the reputation of Stream, and to fulfil its legal and regulatory obligations.
Compliance with the policy will ensure that:
- Incidents which are detected are reported in a timely manner
- Incidents are properly investigated and handled efficiently and effectively
- Incidents are communicated appropriately and appropriate levels of Stream management are
involved in the response
- Incidents are communicated appropriately to all Stream customers involved
- The impact of an incident is minimized and action is taken to prevent further damage
- Incidents are reviewed to enable improvements to be made to policies and procedures
- Evidence is gathered, recorded and maintained appropriately
- Incidents are recorded and documented
Information systems which are known to be compromised will be isolated from the Stream
network until the incident has been investigated, resolved and risks sufficiently reduced.
- All information security incidents must be reported to email@example.com.
- Responsibilities for the reporting and escalation of security vulnerabilities, events
and incidents should be clearly defined.
- Security events and incidents should be assessed according to the incident
classification scheme provided in this document and, where necessary, escalated.
- Incidents involving personal data will be reported to Stream’s Data Protection Officer.
- Incidents which involve personal safety, security or require the involvement of law
enforcement will be reported to the Chief Security Officer
- Details of the Information Security Incident Response Plan will be made available via
the information service webpages.
- All information security incidents will be recorded for later analysis.
- Post incident reviews will be carried out in order to identify where improvements in
policies, procedures and information security controls can be made.
- Information security incident procedures will be communicated to all relevant personnel
and tested periodically.
Incident Response Team (IRT)
The IRT refers to the group of people who will be the first responders for information
security incidents and will act as the point of contact for information security incidents.
The IRT consists of a team made up of members of the organization with deep knowledge of our
systems, infrastructure, and software. The roles and responsibilities of the IRT are as follows:
- Initial response, mitigation and (where appropriate) escalation of information security
incidents;
- Monitoring network traffic to identify compromised or potentially compromised systems
within Stream’s network;
- Receiving internal and external reports on compromised systems;
- Protecting the security and integrity of Stream’s network and its core information
systems and services by blocking network access to/from any compromised machine;
- Informing, liaising with, and supporting local IT staff to ensure that computer security
incidents are dealt with promptly and effectively;
- Coordinating with the appropriate team(s) to ensure that compromised systems are fully
cleaned and patched against known vulnerabilities, or the risk otherwise mitigated,
before being reconnected to the network;
- Maintaining a record of computer security incidents processed by the IRT;
- Initial investigation and liaison with the service provider into the type and quantity
of personal data involved in a compromise;
- Appropriate escalation of computer security incidents.
Escalation of Computer Security Incidents
- Some incidents will require escalation above the IRT so that senior management at
Stream are made aware of, and can respond appropriately to, serious and potentially
serious information security incidents.
- The first point of escalation for the IRT will be the designated Chief Information
Technology Security Officer (CITSO) or in that person’s absence, the CEO. The role of
the CITSO is described below.
- The IRT will evaluate each security incident and will escalate the incident under one of
the following conditions:
- Any incident that causes a loss or impairment of a service
- Any incident that involves loss or exposure of sensitive information
- Any incident where Stream’s resources are used to attack other services or an
- In the case of the loss or exposure of any personal information, the IRT will inform the
Data Protection Officer and the CITSO of the incident.
- In the case of a “most serious incident”, the CITSO will immediately inform the CIO of
the incident and other senior Stream managers as appropriate.
- The conditions under which this escalation will be performed are as follows:
- Any incident which causes a major loss of service
- Any incident which may cause a major reputational risk
- Any incident that is a major loss of personal information
Reporting Security Incidents
- Security incidents can be detected by various sources. All incidents must be reported
either to the IRT (firstname.lastname@example.org) or to
the CITSO. In the case of a report to the CITSO, the report will be passed to the IRT
for first-line handling and logging.
- Incidents are classified for reporting purposes using the classification scheme.
- The current common sources of reports are the IRT team, users or their Computing
Officers, the support helpline and internal monitoring tools.
- The current source of reports to the CITSO is the Data Protection Officer.
- In every case it is important that the incident is properly logged, the escalation
procedure is evaluated and followed and the source of the incident is remediated.
Role of the Chief Information Technology Security Officer
The Chief Information Technology Security Officer, under the guidance of the Chief
Information Officer (CIO), is responsible for:
- The maintenance and communication of the incident response policy and scheme
- Creating, maintaining and communicating the information security incident response
scheme, incident classification scale and other relevant procedures and guidance via the
information security policy
- Receiving reports on information security incidents and breaches of the information
- Appropriate escalation of information security incidents in accordance with the
information security incident management policy
- Reporting incidents involving personal data to the Data Protection Officer
- Maintaining and updating the information security register to reflect recorded
- Writing and presenting appropriate incident reports including recommended remediations
and lessons learnt.
Security Incident Classification Scheme
The more "traditional" security incidents get placed here. Systems that have been compromised
through network service vulnerabilities, insecure passwords or web defacements usually end
up in this category if one of the others is not more appropriate. These systems are often
used to host illegal material, relay further attacks and access other systems, or to
distribute malware. The incident handler uses judgment to distinguish these systems from
those compromised through automated malware, which are classified under Malware below.
Reports of copyright infringement.
Denial of Service
Attacks aimed at denying legitimate access to a network or service. These range from simply
overwhelming a connection with more traffic than it has capacity for, to traffic specially
crafted to consume CPU and memory resources on the target system.
An enquiry from a user related to the provision of services by IRT.
Query/Enquiries from the police, or other law enforcement agency. This could include a
request to obtain communications data under RIPA Section 22.
An enquiry from a user on a legal or policy issue.
An incident that primarily involves a system being infected with malicious software without
the user's consent. The overwhelming majority of these incidents will be due to
large outbreaks of commodity malware, but they can range up to targeted attacks and banking Trojans.
Network Security Query
An enquiry from a user about best practices in network or information security.
Anything that does not fall into one of the other categories.
Incidents involving phishing e-mails being sent to or received from a user. The overwhelming
majority of these are low-level, unsophisticated phishing attacks designed to capture e-mail
account credentials for use in advance-fee fraud. More sophisticated attacks often cross into
the malware category.
Count of non-trivial attempts by external systems to scan our network for
Attacks where information or access to systems is obtained through the deception of people.
Since phishing was split out into its own category, very few incidents are now classified here.
Misuse of our network, not covered by other categories, as defined by our AUP and Security
Unsolicited Bulk Email
Spam sent from our systems.