Cyber Incident Response Plan (IRP)

1. Purpose. The purpose of this cyber incident response plan (“IRP”) is to provide a structured and systematic incident response process for all information security incidents (as defined in Section 4, Definitions) that affect any of Digital Dames’ information technology (“IT”) systems, network, or data, including Digital Dames’ data held or IT services provided by third-party vendors or other service providers.

• 1.1 Specifically, Digital Dames intends for this IRP to:
  1. Define Digital Dames’ cyber incident response process and provide step-by-step guidelines for establishing a timely, consistent, and repeatable incident response process.
  2. Assist Digital Dames and any applicable third parties in quickly and efficiently responding to and recovering from different levels of information security incidents.
  3. Mitigate or minimize the effects of any information security incident on Digital Dames, clients, employees, or others.
  4. Help Digital Dames consistently document the actions it takes in response to information security incidents.
  5. Reduce overall risk exposure for Digital Dames.
  6. Engage stakeholders and drive appropriate participation in resolving information security incidents while fostering continuous improvement in Digital Dames’ information security program and incident response process.
• 1.2 Digital Dames developed and maintains this IRP as may be required by applicable laws and regulations.

2. Scope. This IRP applies to all Digital Dames business groups, divisions, and subsidiaries; their employees, contractors, officers, and directors; and Digital Dames’ IT systems, network, data, and any computer systems or networks connected to Digital Dames’ network.

• 2.1 Other Plans and Policies. Digital Dames may, from time to time, approve and make available more detailed or location or work group-specific plans, policies, procedures, standards, or processes to address specific information security issues or incident response procedures. Those additional plans, policies, procedures, standards, and processes are extensions to this IRP. You may find approved information security policies and other resources here.

3. Accountability. Digital Dames has designated CTO/Jaclyn Hawtin to implement and maintain this IRP (the “information security coordinator”).

• 3.1 Information Security Coordinator Duties. Among other information security duties, as defined in Digital Dames’ written information security program (“WISP”) available here, the information security coordinator shall be responsible for:
  1. Implementing this IRP.
  2. Identifying the incident response team (“IRT”) and any appropriate sub-teams to address specific information security incidents, or categories of information security incidents (see Section 5, Incident Response Team).
  3. Coordinating IRT activities, including developing, maintaining, and following appropriate procedures to respond to and document identified information security incidents (see Section 6, Incident Response Procedures).
  4. Conducting post-incident reviews to gather feedback on information security incident response procedures and address any identified gaps in security measures (see Section 6.7, Post-Incident Review).
  5. Providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of this IRP (see Section 7, Plan Training and Testing).
  6. Reviewing this IRP at least annually, or whenever there is a material change in Digital Dames’ business practices that may reasonably affect its cyber incident response procedures (see Section 8, Plan Review).
• 3.2 Enforcement. Violations of or actions contrary to this IRP may result in disciplinary action, in accordance with Digital Dames’ information security policies and procedures and human resources policies.

4. Definitions. The terms defined below apply throughout this IRP:

• 4.1 “Confidential Information.” Confidential information means information, as defined in Digital Dames’ WISP available at WISP, that may cause harm to Digital Dames or its clients, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available.
• 4.2 “Personal Information.” Personal information means individually identifiable information, as defined in Digital Dames’ WISP available at WISP, that Digital Dames’ owns, licenses, or maintains and that is from or about an individual including, but not limited to
  1. first and last name;
  2. home or other physical address, including street name and name of city or town;
  3. email address or other online information, such as a user name and password;
  4. telephone number;
  5. government-issued identification or other number;
  6. financial or payment card account number;
  7. date of birth;
  8. health information, including information [regarding the individual’s medical history or mental or physical condition, or medical treatment or diagnosis by a health care professional/created or received by Digital Dames; and
  9. any information that is combined with any of (a) through (h) above.
• 4.3 “Information Security Incident.” Information security incident means an actual or reasonably suspected
  1. loss or theft of confidential or personal information;
  2. unauthorized use, disclosure, acquisition of or access to, or other unauthorized processing of confidential or personal information that reasonably may compromise the privacy or confidentiality, integrity, or availability of confidential or personal information; or
  3. unauthorized access to or use of, inability to access, loss or theft of, or malicious infection of Digital Dames’ IT systems or third party systems that reasonably may compromise the privacy or confidentiality, integrity, or availability of confidential or personal information or Digital Dames’ operating environment or services.

5. Incident Response Team. The incident response team (“IRT”) is a predetermined group of Digital Dames employees and resources responsible for responding to information security incidents.

• 5.1 Role. The IRT provides timely, organized, informed, and effective response to information security incidents to:
  1. avoid loss of or damage to Digital Dames’ IT systems, network, and data;
  2. minimize economic, reputational, or other harms to Digital Dames and its clients, employees, and partners; and
  3. manage litigation, enforcement, and other risks.
• 5.2 Authority. Through this IRP, Digital Dames authorizes the IRT to take reasonable and appropriate steps necessary to mitigate and resolve information security incidents, in accordance with the escalation and notification procedures defined in this IRP.
• 5.3 Responsibilities. The IRT is responsible for:
  1. Addressing information security incidents in a timely manner, according to this IRP.
  2. Managing internal and external communications regarding information security incidents.
  3. Reporting its findings to management and to applicable authorities, as appropriate.
  4. Reprioritizing other work responsibilities to permit a timely response to information security incidents on notification.
• 5.4 IRT Roster. The IRT consists of a core team, led by the information security coordinator, with representatives from key Digital Dames groups and stakeholders. The current IRT roster includes the following individuals:
  Managing Partner, Jaclyn Hawtin, jaclyn at digitaldames.io.
  1. Sub-Teams and Additional Resources. The information security coordinator assigns and coordinates the IRT for any specific information security incident according to incident characteristics and Digital Dames needs. The information security coordinator may:
     1. Identify and maintain IRT sub-teams to address specific information security incidents, or categories of information security incidents.
     2. Call on external individuals, including vendor, service provider, or other resources, to participate on specific-event IRTs, as necessary.

6. Incident Response Procedures. Digital Dames shall develop, maintain, and follow incident response procedures as defined in this Section 6 to respond to and document identified information security incidents.
Digital Dames recognizes that following initial escalation, the information security incident response process is often iterative, and the steps defined in Sections 6.3, Investigation and Analysis; 6.4, Containment, Remediation, and Recovery; 6.5, Evidence Preservation; and 6.6, Communications and Notification may overlap or the IRT may revisit prior steps to respond appropriately to a specific information security incident.
Digital Dames may, from time to time, approve and make available more specific procedures for certain types of information security incidents. Those additional procedures and checklists are extensions to this IRP. You may find approved information security policies and other resources at WISP.

• 6.1 Detection and Discovery. Digital Dames shall develop, implement, and maintain procedures to detect, discover, and assess potential information security incidents through automated means and individual reports.
  1. Automated Detection. Digital Dames shall develop, implement, and maintain automated detection means and other technical safeguards, as described in Digital Dames’ WISP available at WISP.
  2. Reports from Employees or Other Internal Sources. Employees, or others authorized to access Digital Dames’ IT systems, network, or data, shall immediately report any actual or suspected information security incident to Jaclyn Hawtin. Individuals should report any information security incident they discover or suspect immediately and must not engage in their own investigation or other activities unless authorized.
  3. Reports from External Sources. External sources who claim to have information regarding an actual or alleged information security incident should be directed to Jaclyn Hawtin. Employees who receive emails or other communications from external sources regarding information security incidents that may affect Digital Dames or others, security vulnerabilities, or related issues shall immediately report those communications to Jaclyn Hawtin and shall not interact with the source unless authorized.
  4. Assessing Potential Incidents. Digital Dames shall assign resources and adopt procedures to timely assess automated detection results, screen internal and external reports, and identify actual information security events. Digital Dames shall document each identified information security incident.
• 6.2 Escalation. Following identification of an information security incident, the information security coordinator, or a designate, shall perform an initial risk-based assessment and determine the level of response required based on the incident’s characteristics, including affected systems and data, and potential risks and impact to Digital Dames and its clients, employees, or others.
  Based on the initial assessment, the information security coordinator, or a designate, shall:
  1. IRT Activation. Notify and activate the IRT, or a sub-team, including any necessary external resources (see Section 5.4, IRT Roster).
  2. IRT Expectations. Set expectations for IRT member replay and engagement.
  3. Initial Notifications. Notify (if necessary) organizational leadership and any applicable business partners or service providers, Digital Dames’ cyber insurance carrier, and law enforcement or other authorities (see Section 6.6, Communications and Notifications).
• 6.3 Investigation and Analysis. On activation, the IRT shall collaborate to investigate each identified information security incident, analyze its affects, and formulate an appropriate response plan to contain, remediate, and recover from the incident.
  The IRT shall document its investigation and analysis for each identified information security incident.
• 6.4 Containment, Remediation, and Recovery. Next, the IRT shall direct execution of the response plan it formulates according to its incident investigation and analysis to contain, remediate, and recover from each identified information security incident, using appropriate internal and external resources (see Section 6.3, Investigation and Analysis).
  The IRT shall document its response plans and the activities completed for each identified information security incident.
• 6.5 Evidence Preservation. The IRT shall direct appropriate internal or external resources to capture and preserve evidence related to each identified information security incident during investigation, analysis, and response activities (see Sections 6.3, Investigation and Analysis and 6.4, Containment, Remediation, and Recovery). The IRT shall seek counsel’s advice, as needed, to establish appropriate evidence handling and preservation procedures and reasonably identify and protect evidence for specific information security incidents.
• 6.6 Communications and Notifications. For each identified information security incident, the IRT shall determine and direct appropriate internal and external communications and any required notifications. Only the IRT may authorize information security incident-related communications or notifications. The IRT shall seek counsel’s advice, as needed, to review communications and notifications targets, content, and protocols.
  1. Internal Communications. The IRT shall prepare and distribute any internal communications it deems appropriate to the characteristics and circumstances of each identified information security incident.
     1. Organizational Leadership. The IRT shall alert organizational leadership to the incident and explain its potential impact on Digital Dames, its [customers/clients], employees, and others as details become available.
     2. General Awareness and Resources. As appropriate, the IRT shall explain the incident to Digital Dames’ employees and other stakeholders and provide them with resources to appropriately direct questions from clients, media, or others.
  2. External Communications. The IRT shall prepare and distribute any external communications it deems appropriate to the characteristics and circumstances of each identified information security incident.
     1. Public Statements. If Digital Dames determines that external statements are necessary, the IRT shall provide consistent, reliable information to the media and public regarding the incident using Digital Dames’ website, press releases, or other means.
     2. Law Enforcement. The IRT shall report criminal activity or threats to applicable authorities, as Digital Dames deems appropriate.
  3. Notifications. While the IRT may choose to authorize discretionary communications, certain laws, regulations, and contractual commitments may require Digital Dames to notify various parties of some information security incidents. If applicable to a specific information security incident, as required, the IRT shall:
     1. Authorities. Notify applicable regulators, law enforcement, or other authorities.
     2. Affected Individuals. If an applicable breach of personal information occurs, prepare and distribute notifications to affected individuals.
     3. Cyber Insurance Carrier. Notify Digital Dames’ cyber insurance carrier according to the terms and conditions of its current policy, including filing a claim, if appropriate.
     4. Others. Notify clients or business partners according to current agreements.
• 6.7 Post-Incident Review. At a time reasonably within 10 days each identified information security incident, the information security coordinator, or a designate, shall reconvene the IRT, others who participated in response to the incident, and affected work group representatives, as appropriate, as a post-incident review team to assess the incident and Digital Dames’ response.
  1. Review Considerations. The post-incident review team shall consider Digital Dames’ effectiveness in detecting and responding to the incident and identify any gaps or opportunities for improvement. The post-incident review team shall also seek to identify one or more root causes for the incident and, according to risk, shall recommend appropriate actions to minimize the risks of recurrence.
  2. Report. The post-incident review team shall document its findings in a sufficiently detailed report.
  3. Follow-Up Actions. The information security coordinator shall monitor and coordinate completion of any follow-up actions identified by the post-incident review team, including communicating its recommendations to and seeking necessary authorization or support from Digital Dames leadership.

7. Plan Training and Testing.

• 7.1 Training. The information security coordinator shall develop, maintain, and deliver training regarding this IRP that periodically:
  1. (a) Informs all employees, and others who have access to Digital Dames’ IT systems, network, or data, about the IRP and how to recognize and report potential information security incidents.
  2. (b) Educates IRT members on their duties and expectations for responding to information security incidents.
     The information security coordinator may choose to include training on this IRP in other information security training activities, as defined in Digital Dames’ WISP available at WISP.
• 7.2 Testing. The information security coordinator shall coordinate exercises to test this IRP periodically. The information security coordinator shall document test results, lessons learned, and feedback and address them in plan reviews (see Section 8, Plan Review).

8. Plan Review. Digital Dames will review this IRP at least annually, or whenever there is a material change in Digital Dames’ business practices that may reasonably affect its cyber incident response procedures. Plan reviews will also include feedback collected from post-incident reviews and training and testing exercises. The information security coordinator must approve any changes to this IRP and is responsible for communicating changes to affected parties.

9. Effective Date. This IRP is effective as of Jan 1st 2022.

• 9.1 Revision History.
  1. (a) Original publication: Jan 1st 2022.
  2. (b) NOTE SUBSEQUENT REVISIONS.