Information Security Incident Policy

Policy guidelines on how to deal with a IT security incident, such as a data breach


The purpose of this policy is to give a clear definition of information technology related roles and responsibilities to conduct an investigation and description of the requirements to respond to any computer security incidents and data breaches when it occurs.


All employee and personnel needs to urgently report any known or suspected information security and confidentiality violations to company IT, including the following:

  • Infrastructure Incident: any actions or suspected incidents that could be a threat to cause failure, interruption, or losing access to any company Information resources.
  • Data Incident: any threat, loss, theft or compromising company data.
  • Unauthorized access incident: any illegal access to a company information resources.
  • Potential incidents and any threats reported from event logging, login notifications, and monitoring activities should be reported.
  • Any reported incidents that were recorded needs to be investigated to validate the type of threat and conduct immediate response procedures if needed.


This policy is applicable to information systems, regardless of ownership or location, used to store or gather information, process, transmitting or receiving company data from employees, personnel, contractors, those employed by contracted entities and other authorized personnel that have an access to the company assets and information resources.


  • Computer Security Incident Response Team (CSIRT) is the team of employees responsible for receiving, reviewing and coordinating the response to computer security incident reports and activity involving company and/or Information Systems.
  • BrandRamp Data is any data format that is gathered, developed, maintained or managed by or on behalf of BrandRamp, or within the scope of the business activities. The terms ‘data’ and ‘ information’ are used interchangeably in the context of the information security program.
  • Restricted Data is data that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to client’s personal information, credit card numbers, bank ACH information,, and export controlled technical data.
  • Data Breach is unauthorized access, acquisition, use or disclosure of Restricted Data. Data breach notifications are subject to regulatory requirements following a privacy investigation and risk assessment.
  • Incidents are an event, whether electronic, physical or social that adversely impacts the confidentiality, integrity or availability of company data or information systems; or a real or suspected action, inconsistent with the company or Acceptable Use policies.
  • Information System is an individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include ecommerce software, and associated PCs or the set of desktop computers used to perform general duties in a department.
  • High Severity Incidents are IT security incidents which involve a confirmed or suspected restricted data breach or have more than a minor impact on operations. High severity incidents require the activation of Company’s Incident Response procedures.


These procedures are for the company’s personnel and other IT staff to follow whenever an incident occured or observed during the operation or within the unit.

  1. Evaluate severity level. Any security incident involving an information system used to store, transmit or process Restricted Data or a security incident that results in degraded performance of a Company IT asset, which represents more than a minor impact on operations, is considered a high-severity incident. High-severity incidents should be reported immediately.
  2. Report high-severity incidents by sending email to <>. Include a brief description of the incident and who should be contacted for more information. See “How to Report a Security Incident” below for specific contact details.
  3. Protect the evidence
    1. Do not access (logon) or alter the affected IT asset
    2. Do not power off or log off the affected IT asset
    3. Unplug the network cable from the affected IT asset, network port or wall-jack
    4. Physically label the IT asset, directing others to not touch or use the IT asset
  4. Document the following, provide as much specificity as possible:
    1. When and how was the incident detected?
    2. What actions have been taken so far? Include the date/time, location, person(s) involved and actions taken for each step.
    3. The type of data the affected IT asset is used to store, transmit or process
  5. Anticipate that the Computer Security Incident Response Team (CSIRT) will collect all related system or service logs and ancillary electronic evidence
  6. Be prepared to assist the Company CSIRT as they investigate the incident
  7. All reported high-severity security events and/or incidents shall be promptly investigated and documented by the Computer Security Incident Response Team (CSIRT) in accordance with Company’s Information Security Incident Response Plan. The CSIRT is authorized to direct all incident response activities including, when necessary, containment and remediation tasks necessary to protect all IT resources.


Report incidents by sending email to <>

Share the following details, provide as much specificity as possible:

  1. When and how was the incident detected?
  2. Who should be contacted for more information?
  3. What actions have been taken so far? Include the date/time, location, person(s) involved and actions taken for each step.
  4. The type of data the affected IT asset is used to store, transmit or process


1. All employees are responsible for promptly reporting any suspected or confirmed security incident involving BrandRamp or an associated information system, even if they have contributed in some way to the event or incident. Reports are to be made to the Computer Security Incident Response Team (CSIRT) <>

Employees must cooperate with incident investigations, and may not interfere, obstruct, prevent, retaliate against, or dissuade others from reporting an incident or cooperating with an investigation.

2. Managers are responsible for unit procedures to train users to recognize and report information security incidents. 

3. Managers are responsible for responding to, and periodic reporting on, Low Severity security incidents. High Severity incidents reported to or discovered by team members are to be promptly reported to the Computer Security Incident Response Team (CSIRT).

4. The Computer Security Incident Response Team (CSIRT) is responsible for responding to High Severity incidents according to procedures established in the Computer Security Incident Response Plan.

5. The Chief Technology Officer is responsible for staffing the CSIRT, and augments staff with subject matter experts and/or surge staffing as necessary.


Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated.


This policy was adopted on Sep 2, 2022