Data Security and Incident Response

Roles and Responsibilities

Stream has a dedicated team of employees responsible for data security and incident response. These roles include, but are not limited to, the following:

  1. Chief Information Technology Security Officer
  2. Chief Data Privacy Officer
  3. Chief Security Officer
  4. Incident Response Team

Scope of Responsibilities

This policy supplements Stream.io's information security policy. It applies to all Stream.io information systems and to any security event or incident affecting a Stream information asset or information system.

Objective

Stream recognizes the importance of, and is committed to, effective information security incident management in order to help protect the confidentiality and integrity of its information assets and the availability of its information systems and services, to safeguard the reputation of Stream, and to fulfil its legal and regulatory obligations.

Compliance with the policy will ensure that:

  1. Detected incidents are reported in a timely manner
  2. Incidents are properly investigated and handled efficiently and effectively
  3. Incidents are communicated appropriately, and the appropriate levels of Stream management are involved in the response
  4. Incidents are communicated appropriately to all affected Stream customers
  5. The impact of an incident is minimized and action is taken to prevent further damage
  6. Incidents are reviewed so that improvements can be made to policies and procedures
  7. Evidence is gathered, recorded and maintained appropriately
  8. Incidents are recorded and documented

Policy

Information systems which are known to be compromised will be isolated from the Stream network until the incident has been investigated, resolved and risks sufficiently reduced.

  1. All information security incidents must be reported to irt@getstream.io.
  2. Responsibilities for the reporting and escalation of security vulnerabilities, events and incidents must be clearly defined.
  3. Security events and incidents must be assessed according to the incident classification scheme provided in this document and, where necessary, escalated accordingly.
  4. Incidents involving personal data will be reported to Stream's Data Protection Officer.
  5. Incidents which involve personal safety or physical security, or which require the involvement of law enforcement, will be reported to the Chief Security Officer.
  6. Details of the Information Security Incident Response Plan will be made available via the information service webpages.
  7. All information security incidents will be recorded for later analysis.
  8. Post-incident reviews will be carried out in order to identify where improvements in policies, procedures and information security controls can be made.
  9. Information security incident procedures will be communicated to all relevant personnel and tested periodically.

Incident Response Team (IRT)

The IRT is the group of people who act as first responders for, and as the point of contact for, information security incidents. It is made up of members of the organization with deep knowledge of Stream's systems, infrastructure and software. The roles and responsibilities of the IRT are as follows:

  1. Initial response to, mitigation of and (where appropriate) escalation of information security incidents;
  2. Monitoring network traffic to identify compromised or potentially compromised systems within Stream's network;
  3. Receiving internal and external reports of compromised systems;
  4. Protecting the security and integrity of Stream's network and its core information systems and services by blocking network access to and from any compromised machine;
  5. Informing, liaising with and supporting local IT staff to ensure that computer security incidents are dealt with promptly and effectively;
  6. Coordinating with the appropriate team(s) to ensure that compromised systems are fully cleaned and patched against known vulnerabilities, or the risk otherwise mitigated, before being reconnected to the network;
  7. Maintaining a record of the computer security incidents handled by the IRT;
  8. Initial investigation, in liaison with the affected service provider, of the type and quantity of personal data involved in a compromise;
  9. Appropriate escalation of computer security incidents.

Escalation of Computer Security Incidents

  1. Some incidents will require escalation above the IRT so that senior management in Stream are made aware of serious and potentially serious information security incidents and can respond accordingly.
  2. The first point of escalation for the IRT is the designated Chief Information Technology Security Officer (CITSO) or, in that person's absence, the CEO. The role of the CITSO is described below.
  3. The IRT will evaluate each security incident and will escalate the incident under one of the following conditions:
    1. Any incident that causes a loss or impairment of a service
    2. Any incident that involves loss or exposure of sensitive information
    3. Any incident where Stream’s resources are used to attack other services or an external body
  4. In the case of the loss or exposure of any personal information, the IRT will inform the Data Protection Officer and the CITSO of the incident.

Crisis/Escalation

  1. In the case of a "most serious incident", the CITSO will immediately inform the CIO and, as appropriate, other senior Stream managers.
  2. An incident is escalated as a "most serious incident" under any of the following conditions:
    1. Any incident which causes a major loss of service
    2. Any incident which may cause a major reputational risk
    3. Any incident that is a major loss of personal information

Reporting Security Incidents

  1. Security incidents can be detected by various sources. All incidents must be reported either to the IRT (irt@getstream.io) or to the CITSO. A report made to the CITSO is passed to the IRT for first-line handling and logging.
  2. Incidents are classified for reporting purposes using the classification scheme described below.
  3. The current common sources of reports are the IRT itself, users or their Computing Officers, the support helpline and internal monitoring tools.
  4. The current source of reports to the CITSO is the Data Protection Officer.
  5. In every case it is important that the incident is properly logged, that the escalation procedure is evaluated and followed, and that the source of the incident is remediated.

Role of the Chief Information Technology Security Officer

The Chief Information Technology Security Officer, under the guidance of the Chief Information Officer (CIO), is responsible for:

  1. The maintenance and communication of the incident response policy and scheme
  2. Creating, maintaining and communicating the information security incident response scheme, the incident classification scale and other relevant procedures and guidance via the information security policy
  3. Receiving reports of information security incidents and of breaches of the information security policy
  4. Appropriate escalation of information security incidents in accordance with the information security incident management policy
  5. Reporting incidents involving personal data to the Data Protection Officer
  6. Maintaining and updating the information security register to reflect recorded incidents
  7. Writing and presenting appropriate incident reports, including recommended remediations and lessons learnt

Security Incident Classification Scheme

Compromise

The more "traditional" security incidents are placed here. Systems that have been compromised through network service vulnerabilities, insecure passwords or web defacement usually end up in this category unless one of the others is more appropriate. Such systems are often used to host illegal material, to relay further attacks and access other systems, or to distribute malware. The incident handler uses judgment to distinguish these from systems compromised by automated malware, which belong in the Malware category.

Copyright

Reports of copyright infringement.

Denial of Service

Attacks aimed at denying legitimate access to a network or service. These range from simply overwhelming a connection with more traffic than it has capacity for, to traffic specially crafted to consume CPU and memory resources on the target system.

General Query

An enquiry from a user related to the provision of services by IRT.

LEA

Queries or enquiries from the police or another law enforcement agency. This could include a request to obtain communications data under Section 22 of the Regulation of Investigatory Powers Act (RIPA).

Legal/Policy Query

An enquiry from a user on a legal or policy issue.

Malware

An incident that primarily involves a system being infected with malicious software without the user's consent. The overwhelming majority of these incidents will be due to large outbreaks of commodity malware, but they range from targeted attacks to banking Trojans.

Network Security Query

An enquiry from a user about best practices in network or information security.

Other

Anything that does not fall into one of the other categories.

Phishing

Incidents involving phishing e-mails sent to, or received from, a user. The overwhelming majority of these are low-level, unsophisticated phishing attacks designed to capture e-mail account credentials for use in advance-fee fraud. More sophisticated attacks often cross into the Malware category.

Scanning

Non-trivial attempts by external systems to scan our network for vulnerabilities. Trivial background scanning is counted rather than handled as individual incidents.

Social Engineering

Attacks in which information or access to systems is obtained by deceiving people. Since phishing was split out into its own category, very few incidents are now classified here.

Unauthorised Use

Misuse of our network, not covered by the other categories, as defined by our Acceptable Use Policy (AUP) and Security Policy.

Unsolicited Bulk Email

Spam sent from our systems.