Data Breach Risk Assessment Procedure (RES-PROC-002)

1. Purpose

To guide the Security Officer and Incident Response Team through the formal risk assessment process to determine if a security incident qualifies as a notifiable data breach requiring customer and regulatory notification.

2. Scope

This procedure applies to any security incident involving the potential compromise of sensitive customer or company data.

3. Overview

This procedure details the steps for conducting a formal risk assessment to determine the probability that sensitive data has been compromised and whether breach notification requirements apply.

4. Procedure

Step 1
  Who:  Security Officer / IRT
  What: Determine if the security incident involves sensitive customer data or confidential company information.

Step 2
  Who:  Security Officer / IRT
  What: Assess the probability that sensitive data has been compromised by evaluating the following factors:
        - The nature and extent of the data involved.
        - The unauthorized person who accessed the data or to whom it was disclosed.
        - Whether the data was actually acquired or viewed.
        - The extent to which the risk to the data has been mitigated.

Step 3
  Who:  Security Officer
  What: Document the complete risk assessment findings and the final rationale for the determination (i.e., whether it constitutes a notifiable breach) on the Data Breach Risk Assessment form.

5. Standards Compliance

Procedure Step(s):   1-3
Standard/Framework:  SOC 2 Trust Services Criteria
Control Reference:   CC7.3 - Risk Monitoring

6. Artifact(s)

A completed and signed Data Breach Risk Assessment form.

7. Definitions

Sensitive Data: Customer information, financial data, personal information, or confidential business information that requires protection under applicable regulations or contractual obligations.

Data Breach: The unauthorized acquisition, access, use, or disclosure of sensitive data that compromises the security, confidentiality, or integrity of the information.

8. Responsibilities

Privacy Officer
  Leads the breach risk assessment process and makes the final determination of a notifiable breach.

Incident Response Team (IRT)
  Provides technical details and context about the security incident to support the risk assessment.