Data Breach and Information
Security Incident Procedure
Version: 6 Date of issue: April 2022
Review date: April 2024
Reference: WCCC-1073-648
Team: Legal Services & Information Governance
Protective Marking: Public
© Warwickshire County Council 2022
OFFICIAL - Internal
Warwickshire County Council – Data Breach and Information Security Incident Procedure
Contents
Introduction 3
Purpose 3
Scope 3
Identifying Incidents 4
Reporting Incidents 5
Incident Classification 5
Notifications 6
Incident Management 8
Stage 1 – Incident Notification 8
Stage 2 – Incident Assessment 8
Stage 3 – Incident Investigation 9
Stage 4 – Incident Review 9
Stage 5 – Incident Resolution 10
Stage 6 – Incident Monitoring & Closure 10
Appendix A - Incident Levels 11
Appendix B - Incident Flowchart 15
Appendix C - Legal Services Information Management (LSIM) Group Terms of Reference 16
Appendix D - Cybersecurity Incident Response Procedure 17
Version history and approvals
V1: Information Governance Steering Group, November 2010
V2: SIRO, Monitoring Officer, October 2011
V3: Information Governance Steering Group, March 2012
V4: Information Governance Steering Group, April 2016
V5: Information Governance Steering Group, May 2018
Version 6
Page 2 of 18
1. Introduction
Warwickshire County Council (the “Council”) is committed to the protection of information
and has in place technical and organisational measures to safeguard the information it
owns. This includes technical security ranging from secure passwords and system
encryption, and organisational safeguards ranging from physical building and office security
to procedural standards and requirements for the safe handling and storage of information.
This procedure covers reporting of actual or suspected data security incidents that may be
data breaches.
These procedures are mandatory and must be followed by all staff. They form part of the
Council’s Information Governance Framework, the standard for managing information in the
Council, and are one of the linked procedures in the Information Compliance policy aimed at
all staff.
2. Purpose
The Council recognises that from time to time ‘things go wrong’ and there may be a breach of
security involving information or equipment holding information. The purpose of this
procedure is to ensure that all actual or potential information security incidents are reported
centrally to enable the Council to react quickly and effectively to minimise the impact.
The aims of the procedure are as follows:
● Timely advice on containment and risk management
● Determine whether further controls or actions are required
● Consider whether the incident is required to be notified to the Information
Commissioner’s Office (ICO) and/or the NHS, and the individual(s) affected by the
incident
● Evaluate lessons learnt and areas for improvement
All information security incidents will be dealt with by the WCC ‘Incident Group’, which
comprises lawyers from the Council’s Legal Services (Group Members) with a nominated
Incident Lead, who will review and advise on incidents and make recommendations on
appropriate follow-up and corrective action. Specialist input will be sought from the Data
Protection Officer, ICT Security, or Information Governance where necessary.
3. Scope
This procedure applies to all staff including employees, councillors, agency staff,
contractors, volunteers, or any other persons who have access to, or use the
Council’s information.
The Council requires organisations providing services that hold or process personal
information on its behalf (i.e. acting as data processors) to have in place internal reporting
requirements equivalent to this procedure and for any third-party breaches to be reported
immediately to the WCC Data Protection Officer in the first instance.
4. Identifying Incidents
The General Data Protection Regulation (“GDPR”) defines a data breach as “a breach of
security leading to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Information security incidents can therefore cover a multitude of situations, but generally it
will involve an adverse event which results, or has the potential to result in the compromise,
misuse, or loss of WCC owned or held information or assets. Data breaches can be
categorised according to the following three information security principles:
● Confidentiality breach – where there is an unauthorised or accidental
disclosure of, or access to, personal data
● Availability breach – where there is an accidental or unauthorised loss of
access to, or destruction of, personal data
● Integrity breach – where there is an unauthorised or accidental alteration of
personal data.
Information in this procedure is used as a collective term and may include personal or
sensitive/ special category personal data as defined under the data protection legislation (or
confidential personal data as commonly referred to in the health sector) and also business
information.
Some examples of information security incidents include (but are not limited to):
● the loss or theft of information or equipment,
● incorrect handling of protectively marked information,
● poor physical security,
● hacking,
● information disclosed in error,
● unauthorised use or access to information or systems.
The impact of a security incident can vary greatly depending on the type of information or
asset involved. It may for instance lead to an infringement of privacy, fraud, financial loss,
service disruption or reputational damage. The purpose of reporting an incident is not to
apportion blame but to ensure that any impact is minimised, and lessons learnt can be
identified and disseminated.
The principles of this procedure also apply to cyber incidents i.e. any incident that could or
has compromised ICT Services within the Council’s digital network for e.g. phishing
emails or hacking attacks. Any cyber-related incident will be handled in accordance with
the Council’s ICT Security Incident Response Procedure in Appendix D by the ICT
Security Incident Response Team (CERT).
In the event that a cyber incident also involves a data breach then it shall remain subject to
this procedure and the Incident Lead (or Group Member) will work in conjunction with
CERT to resolve the incident and report to regulators as necessary.
5. Reporting Incidents
A direct line manager or supervisor should always be made aware of any information security
incident and the incident reported in line with this procedure.
All information security incidents should be reported immediately (and in any event within 4
hours) after an individual is aware of a potential or actual incident. Informing a line manager
or supervisor of an incident must not delay any incident being reported under this procedure.
The person reporting the incident should telephone the Council’s Corporate Legal Services
incident number Third Party as soon as possible. They will ask questions required to
determine the risk and actions to be taken. Legal Services will report any incidents involving
lost or stolen equipment or a network security issue to the ICT Service Desk immediately. For
the purposes of this procedure lost or stolen hardware will be logged and may be subject to
further investigation depending on the circumstances giving cause to the incident. The Police
should be notified immediately of any incidents involving stolen information or equipment and
a crime reference number obtained. It is the individual who has had the equipment stolen that
is responsible for notifying the police.
If the information security incident is reported outside of office hours, then a message should
be left on the answerphone system.
The incident reporting procedures can be found on the Council’s intranet or via the
Information Governance data breach and security incident page at:
www.warwickshire.gov.uk/imincidents .
6. Incident Classification
The severity of an information security incident will be determined in accordance with the
incident ratings set out in Appendix A.
An incident will be rated in accordance with the Council’s corporate strategy for risk
management, which is based on agreed criteria for assessing the likelihood, severity,
and impact of risk.
Matters to consider would include:
- The nature, sensitivity, and volume of personal data;
- Ease of identification of individuals;
- Severity of adverse consequences for individuals;
- Special characteristics of people that may be affected (e.g. age, vulnerabilities);
- The number of affected individuals;
- The nature and role of the Council;
- Nature of breach (e.g. error, mistake, or intentional and malicious action);
- Financial or legal implications, and reputational damage.
It is difficult to provide a definitive list of incidents by level of risk, as each case varies
depending on the circumstances, including containment and recovery, which may reduce or
escalate the level at any given point. An initial incident rating will be awarded upon incident
notification and may change once the facts and impact of risks have been determined.
Generally, the less serious incidents will involve encrypted data or low-level data including
near misses whereby the severity is reduced due to fortunate events. The more serious
incidents will involve high level data which poses actual or potential high risk to people’s
rights and freedoms or to the organisation e.g. through the loss or release of highly sensitive
personal or confidential business information. These will be termed High Risk incidents.
7. Notifications
Internal Notifications
Aside from the initial reporting mentioned above, internal notifications will be determined
in accordance with the incident rating as set out in Appendix A.
It is important to notify key senior staff of the more serious incidents. Depending on the
level of risk and impact, internal notifications may be appropriate.
Where the level is assessed as Amber (as set out in Appendix A) but is not deemed to be
potentially high-risk, the details will be escalated to the Monitoring Officer only.
Where the level is assessed as Amber and it is deemed to be potentially high-risk, it is
important to notify the Monitoring Officer, Data Protection Officer, Senior Information Risk
Owner (SIRO), Caldicott Guardian (if appropriate - see below), Assistant Director (if
appropriate) as soon as possible to assess whether it meets the threshold to report the
incident to the Information Commissioner’s Office (ICO).
Other key people may need notifying, depending on the nature of the breach, such as
Facilities Management, Human Resources, and the ICT Service Desk. In particular,
Human Resources should be notified in the event of disregard for policy, and Facilities
Management in the event of a building security issue.
The Incident Lead (or Group Member) will make any notifications.
All incidents involving health and social care data where there is a risk to any individuals
must be reported to the relevant Caldicott Guardian. The Caldicott Guardian plays a key role
in ensuring the Council, which has social care responsibilities, and partner organisations
satisfy the highest practical standards for handling service user’s identifiable information.
External Notifications
ICO. Any incidents assessed as Amber and categorised as a high risk may amount to a
serious breach and require notification to the Information Commissioner’s Office (ICO) within
72 hours. There is a requirement to notify breaches to the ICO where it is likely to result in a
risk to people’s rights and freedoms. Where information is not available at the time of
reporting, it should be provided to the ICO as soon as it is available.
The Incident Lead or Group Member who has been allocated the breach to investigate will
be responsible for notifying the ICO where appropriate. The Monitoring Officer’s prior
approval will be sought in relation to any incidents potentially requiring notification to the
regulator, and the Data Protection Officer, SIRO and Caldicott Guardian (where appropriate,
as set out above) will be consulted accordingly.
Data Subjects. There is a requirement to communicate a breach to data subjects where
there is any incident that is likely to result in a high risk to people’s rights and freedoms. The
data subject should be provided with:
● the name and contact details of the Incident Lead, Data Protection Officer,
or another contact point where more information can be obtained;
● the likely consequences of the personal data breach; and
● a description of the measures taken, or proposed to be taken, to deal with the
personal data breach, including, where appropriate, the measures taken to mitigate
any possible adverse effects.
NHS Digital. Where public health or adult social care data is involved, the incident may
amount to a serious incident requiring investigation (SIRI) and require notification using NHS
Digital procedures. Depending on the severity, this may be notified to the Information
Commissioner’s Office (ICO) and, where it is deemed necessary and appropriate (using the
DSP Toolkit or its equivalent), reported to the NHS/Department of Health (DoH).
The Monitoring Officer’s prior approval will be sought in relation to any incidents potentially
requiring notification to the regulator, and the Caldicott Guardian, Data Protection Officer and
SIRO will be consulted accordingly.
The Incident Lead or Group Member will liaise with Information Governance to use the
IG/Data Protection & Security Toolkit to report this.
The Incident Lead or Group Member will provide advice on any other notifications as
appropriate for affected stakeholders.
8. Incident Management
An incident flowchart can be found in Appendix B.
Stage 1 – Incident Notification
● Any actual or suspected incident must be immediately reported (and in any event
within 4 hours) after becoming aware of the incident.
● Telephone the Council’s Corporate Legal Services incident number at Shire Hall
Third Party as soon as possible. They will ask questions and record the
incident. Any incidents involving lost or stolen equipment, or a network security
issue will be reported to the ICT Service Desk immediately.
● When reporting the breach, the notifying officer that reports it will be required to
provide as many key details of the incident as possible including what happened,
when it occurred, what information or assets were compromised, number of people
affected, and any immediate action taken. Further information can be provided
once known by the notifying officer.
● Where a member of the public, information sharing partner or supplier notifies
WCC of a breach, they will be directed to the Data Protection Officer in the first
instance who will notify Legal Services.
Stage 2 – Incident Assessment
● Upon notification, the initial assessment of risk will be undertaken by the Data
Incident Assessment Officer (the Group Member in Legal Services who is on duty to
assess incidents that day) to determine the severity of the incident, which will be
expressed as the incident rating (set out in Appendix A). The appropriate internal
notifications will be made as per the applicable rating (e.g. considering the likelihood
and severity of the risks to, and effects on, the rights and freedoms of data subjects,
as set out in section 6 above and Appendix A).
● Any incident that is assessed as Green (as set out in Appendix A) will be
investigated in line with the standard data breach procedure.
● Any incident that is assessed as Amber (as set out in Appendix A) will be
investigated by the Data Incident Assessment Officer or Incident Lead, the details
of which will be escalated to the Monitoring Officer.
● Where the Data Incident Assessment Officer identifies an Amber incident which is
potentially a high-risk incident, they will liaise with the Incident Lead. Where
incidents are rated as high risk (based on the score given), the Data Incident
Assessment Officer alongside the Incident Lead (or appropriate Group Member in
the Incident Lead’s absence) shall always consider whether a data security breach is
to be notified to the ICO or NHS Digital (for public health and adult social care data,
using the NHS DSP Toolkit assessment tool as an initial assessment) (see section
7 above re external notifications). This assessment will be made as soon as
possible to ensure that any breach will be reported within the 72-hour deadline (the
72 hours beginning from when the individual is aware of the breach). Any reporting
to the ICO or other bodies will involve prior consultation with the Data Protection
Officer, SIRO and the Caldicott Guardian (if appropriate) and will always be
subject to Monitoring Officer approval.
● Consideration will also be given as to whether any internal notifications need to be
made related to the breach (see section 7 above re internal notifications) and this
will be kept under review.
● An incident rating may change once the full facts and impact of risks have been
determined and the status of the incident will be kept under review accordingly. In
addition, this may involve updating any reports to the ICO and/or other external
bodies and internal persons accordingly.
Stage 3 – Incident Investigation
● Not all incidents will require an in-depth investigation to establish the facts and
determine what went wrong.
● The level of detail provided when reporting the breach (together with any
information provided in the incident reporting form when completed) should
usually be sufficient to understand the incident.
● Where an incident is assessed as Green (i.e. low and medium risk incidents), or as
Amber but not deemed to be high risk requiring a report to any of the external regulators
set out above, the Incident Lead (or one of the Group Members if the Incident Lead is
not available) will be nominated to investigate the incident.
● If any additional information is required, then the Incident Lead (or relevant Group
Member) will contact the notifying officer or any other persons involved in the incident
to seek clarification or further information.
● As mentioned at Stage 2 above, where an incident is assessed as Amber and is
deemed high risk (based on the score given) and may require reporting to the ICO
or any other relevant body, the Incident Lead and/or the Data Incident
Assessment Officer (or appropriate Group Member in their absence) will consult
the Data Protection officer and the ICT Security /ICT team (as appropriate) to
further assess the risk and identify any recommendations/actions. This will be
done immediately after the high-risk incident is reported and a meeting may be
convened (remotely or in person) to discuss the matter. Internal notifications
should also be considered (see section 7 above re internal notifications).
● The investigation should be completed and returned as soon as possible,
considering the severity of the incident.
Stage 4 – Incident Review
● The completed incident reporting form and any additional information or investigation
report will be reviewed by the Incident Lead (or, in a case assessed as Amber and a
high-risk matter, the Data Incident Assessment Officer or appropriate Group
Member in their absence).
● A final incident report will be produced within 5-10 days of the investigation being
completed (except in cases of a high risk incident, where it will be completed sooner
where possible), setting out (i) observations and conclusions about any information
governance non-compliance issues, risks, adverse consequences or implications;
and (ii) remedial recommendations to mitigate the risks and impact, including
preventative measures to address areas for improvement and training needs.
● The completed incident reporting form and any additional information or
investigation report will then be reviewed by the Incident Group usually within 5 –
10 working days.
● There will be a quarterly review by Legal Services to identify any repeat or
previous similar incidents which will be shared with the SIRO and may result in
additional or escalated action.
● This procedure is independent of a locally commissioned disciplinary
investigation, but the final incident report may inform any consequential action
taken or considered.
● Where a matter has been reported to the ICO or any other statutory body, the
Incident Lead, or relevant Group Member, will continue to keep the ICO and
other bodies updated accordingly on the investigation, incident review and
outcome.
Stage 5 – Incident Resolution
● The final incident report will be sent to the relevant Assistant Director to sign off and
accept the recommendations by appointing a responsible officer and target dates for
implementation.
● It will also be shared with other key staff or specialist units in accordance with the
incident rating.
● The signed report should be returned within 5 working days.
● If for any reason a recommendation is rejected, then the Assistant Director must
specify the reasons why. The Incident Lead (or Group Member) may escalate the
matter in order to enforce implementation.
Stage 6 – Incident Monitoring & Closure
● The responsible officer will be required to update the Incident Lead (or relevant
Group Member) in Legal to confirm when they have completed actions.
● If the incident has been reported to the ICO/NHS or another regulatory body, a
final status and update will be recorded.
● HR and Facilities Management will be required to feed back any action taken following
disciplinary investigations and facilities or building security checks.
● The Information Governance Lead, Incident Lead (or any other Incident Group
member) shall report to the SIRO and the Caldicott Guardian (where appropriate) with
any recommendations for changes to corporate policies, procedures and training
including lessons learnt, and shall provide quarterly incident data to the Assistant
Director and SIRO.
● Except in cases of low-risk incidents, an incident will only be closed when all
aspects including the monitoring log updates have been completed.
Note:
The Incident Lead (or Group Member) may become involved in an incident at any stage if
the investigation is not proceeding to a satisfactory outcome, and the matter may be
escalated to Strategic Director/SIRO/Monitoring Officer/Caldicott Guardian/Data
Protection Officer if the procedure is not being followed or making adequate progress.
Appendix A - Incident Levels
Any incident must be graded according to the likelihood of serious consequences occurring
and the significance of the breach. The incident must be graded according to the impact on
the individual or groups of individuals and not the organisation – this can be a very subjective
grading.
The likelihood of the consequences occurring is graded on a scale of 1-5, with 1 being a
non-occurrence and 5 indicating that it has occurred.
The significance is further graded by rating the incident on a scale of 1-5, with 1 being the
lowest and 5 the highest.
An incident rating will be awarded upon reporting and may change once the full facts or
impact of risks has been determined.
Step 1: Grade the potential severity of the adverse effect on the individual/s and
select a score:
Score, effect and description:
Score 1 (No adverse effect): There is absolute certainty that no adverse effect for the
individual/s can arise from the breach.
Score 2 (Potentially some minor adverse effect): A minor adverse effect may be just
inconvenience to those who needed the data to do their job. It is more likely to involve loss
of limited personal data in circumstances that do not suggest anything more than minor
effects.
Score 3 (Potentially some adverse effect): An adverse effect could involve loss of personal
or sensitive data, but the circumstances suggest that whilst there could potentially be some
effect and disruption, it will not be serious for any of the individuals involved.
Score 4 (Serious – potentially suffering/financial loss): There has been reported or
suspected suffering and/or serious impact on individuals and how they live their lives; the
impacts on health, family, employment, finances, reputation and life in general.
Score 5 (Very Serious): Individuals are severely affected by a data breach, which could
involve the most serious cases, such as impact or threat of an impact on the financial
security or life and safety of the individual, i.e. the breach has placed the data subject
directly in harm’s way. For example, disclosure of a family member’s address to a violent
person where there is a strong possibility there will be a threat to the data subject’s life
and/or safety.
Step 2: Establish the likelihood that adverse effect has occurred or will occur and
select the score.
Score, likelihood and description:
Score 1 (Not occurred): There is absolute certainty that there can be no adverse effect on
anyone. This may, for example, include evidence that the data was encrypted and remotely
wiped, such as loss of a Council laptop or phone.
Score 2 (Not likely): There may not be absolute certainty that there is no adverse effect, but
it is not likely. For example, an email could have been sent internally disclosing personal
data to the wrong recipient. The email was read, but the recipient agreed to delete it
immediately. There does not appear to be any likelihood that the information may be used
to cause an adverse effect.
Score 3 (Likely): It is likely that there will be an occurrence of an adverse effect arising from
the breach. For example, an email disclosing location details of a foster carer to the
biological parents where confidentiality was required, and the social worker has confirmed
there is a chance the biological parents may use the information in the future.
Score 4 (Highly Likely): There is almost certainty that at some point in the future an adverse
effect will happen. For example, the location of a person subjected to domestic violence has
been disclosed to their offending partner, who has threatened to use the data.
Score 5 (Occurred): There is a reported occurrence of an adverse effect arising from the
breach. That is, something has already happened to the data subject.
● ‘trusted’ partner - where the personal data is recovered from a trusted
partner/organisation, e.g. other local authority, NHS partner organisation, Police,
professional body to name a few.
● cancel the effect of a breach - where the controller can null/severely mitigate against
the effect of any personal data breach.
Internal Notifications
Depending on the level of risk and impact, internal notifications may be appropriate.
Where an incident has been assessed as Amber and the level is deemed to be high risk, it is
important to notify the Data Protection Officer, Senior Information Risk Owner, Monitoring
Officer, Caldicott Guardian (if appropriate) and Assistant Director (if deemed appropriate) as
soon as possible.
Other key people or teams may need notifying, depending on the nature of the
breach, such as Facilities Management, Human Resources, and the ICT Service Desk.
The Incident Lead (or Group Member) will make any notifications.
Appendix C - Incident Group Terms of Reference
The Council’s ‘Incident Group’ will set out a standard procedure for dealing with
information security incidents and the reporting and escalation of such events.
All information security incidents will be dealt with by the Incident Group, which comprises
lawyers from the Council’s Corporate Legal Service (Group Members) with a nominated
Incident Lead, Information Governance and ICT Security (or its equivalent), who will review
and advise on incidents and make recommendations on appropriate follow-up and
corrective action. ICT will implement any immediate infrastructure actions required.
Incident Group Membership
● Legal Services: Senior Legal Assistant (Incident Lead)
● Legal Services: Senior Solicitor / Solicitor (Group Member)
● Information Governance
● ICT Security
● Data Protection Officer
Terms of reference
Areas include:
● develop corporate and consistent response to information incidents including any that
may be required to be notified to the ICO and communicated to the data subject(s)
● oversee, develop terms of reference for, incident investigations
● offer guidance on data incidents and on best practice
● make recommendations for remedial actions and improvements
● work with the DPO to address and reduce breaches
● link to HR for any possible disciplinary action
● link to Caldicott Guardians for health or adult social care data
● link to ICT or Information Governance for any corrective action
● link to Facilities Management for office security and CCTV
● link to Risk and Assurance for corrective action and risk awareness
● report to Senior Information Risk Owner and / or Monitoring Officer
● report to Information Governance Steering Group
● report to regulators as appropriate
● monitor implementation of remedial actions and improvements
● identify trends and areas for greater local or corporate focus.
Appendix D – ICT Security Incident Response Procedure
Identification
Potential ICT Security Incidents are investigated by the ICT Services Response Team
(CERT) using information from the following sources:
1. Contact from users: A user or system administrator of a computer system on the
WCC network contacts ICT Services and reports indications that their system has
been compromised.
2. Contact from external users: Users from remote sites contact ICT Services CERT
with reports that systems under their control have been compromised, and forensic analysis
reveals that they had been used to launch attacks against systems on the WCC network.
3. Contact from external organisations: Incident reports/notifications from external
security/notification organisations that indicate that a system under our control has
been compromised and is launching attacks against systems external to the WCC
network.
4. Trouble reports/passive monitoring: Complaints about network performance or routine
network analysis reveal excessive or suspicious traffic originating from one or more
computers on the WCC network.
5. Active network monitoring: Reports from Intrusion Detection Systems indicate
inappropriate, incorrect, or anomalous activity.
Assessment
Once a potential problem has been identified, ICT Services CERT will analyse and
attempt to confirm that it is the result of a security incident. This may include traffic flow
recording, packet capture and/or contacting the user of the affected system(s).
This allows ICT Services CERT to determine the likelihood that a security incident has
occurred and what level of threat it poses to the network as a whole. Occasionally, this
process will result in very brief interruptions of network service, but ICT Services CERT will
make every effort to minimize these.
Incidents can be broadly categorized as follows:
1. Compromised computer is actively causing widespread problems affecting a number
of networks or computers either at WCC or elsewhere.
2. Computer is transferring confidential and/or sensitive information to an unauthorized
user.
3. Computer, critical to the business functions of WCC, is compromised but is not
actively causing problems.
4. Violation is reported to ICT Services CERT via external organisations.
5. Computer is believed to be vulnerable to a known exploit.
Contain and Eradicate
Once a security incident has been positively identified, ICT Services CERT will act to
isolate the affected machine(s). Compromised hosts are often the source of DoS attacks,
which greatly degrade the performance of the WCC network and can also be used as
launching points for attacks against other systems, potentially opening the Council to legal
liability. Consequently, ICT Services CERT must act to remedy security problems
immediately.
In serious cases, ICT Services CERT may be required to work with the Police as
directed by the Council.
Notification
In the case of a compromised computer that is actively causing widespread problems
affecting networks or computers at WCC or elsewhere, ICT Services CERT will take
immediate steps to disconnect the computer from the network, notifying and working with the
user.
In the case of a computer which is compromised but not actively causing problems, Network
staff will immediately notify the user and request that he/she disconnect it from the network.
In the case of a violation report from an external organisation, ICT Services CERT will
disconnect the computer from the network, and request that the user explain their actions
and/or allow ICT Services CERT to analyse the system.
Follow up
Once a computer has been disconnected from the network, it is then ICT Services I.A.
Once the computer is secured, it is the owner's responsibility to contact ICT Services
CERT, who will then allow it to be reconnected to the network. At this point, a security scan
will be run to verify that the system has been secured. Results will be forwarded to the
computer owner.
Refusal by the system's owner to fully co-operate with requests from ICT Services
CERT will be notified to their Assistant Director and relevant Strategic Director.
The CERT Team
The CERT Team will be made up of representatives from all relevant areas that need to
be involved; this will include (but is not limited to):
1. ICT Operations
2. ICT Communications
3. Senior representative to make strategic decisions efficiently