The most important element of this activity is that the organisation has implemented a plan for incident response handling (prepared during the release activity) and follows it.
The organisation must be prepared to handle incidents, security breaches, and attacks that can result in breaches of confidentiality, integrity, or availability relating to personal data. It should have a response centre that can handle incidents and deliver updates, guidelines, and information to users and data subjects.
The target group for this activity is primarily the response incident team, security advisors, and data protection officers, as well as maintenance, service, and operation staff.
Handling incidents and data breaches
The organisation should operate an incident response plan. When critical incidents occur, it is important to remain calm and analyse the incident in a comprehensive manner. Note that the nature of the incident may result in changes to how the plan is being executed. The response incident team should know whom to contact when necessary, and who is responsible for building, testing, and installing updates. The response incident team should also know which priorities apply, as well as exactly what they can and should do in the event of a crisis. In order to achieve this, staff requires periodic incident response training. For more information on how to do incident response training, see the Agency for Public Management and eGovernment’s (Difi) guidelines for planning and conducting ICT drills.
Incidents should be reported to a defined point of contact or response incident centre that handles internal and external incidents. Incidents should be reported via the defined channels described in the incident response plan developed during the release activity. Users of the software should be encouraged to report errors, vulnerabilities, and data breaches, so that the software can be continually improved and further developed. Incident assessments should also follow this plan.
Maintenance, service and operation of the software
Follow the organisation’s procedures for maintenance, service and operation of the software. This includes procedures for a continuous safeguarding of data protection and security. Examples of such procedures are regular security testing, vulnerability analysis, and penetration testing of software, infrastructure and network. The procedures should include error debugging, performance improvements, updates, and patching, of both the software and third-party components. It is important to define what can and what should be logged. The company must also have the capability to regularly secure, monitor, and handle incidents in the logs. Note that personal data being logged one place is often exported to other applications and may become available to more people than those who are authorised (privilege escalation).
Conduct regular external and internal audits to document compliance with relevant regulations.
The company should have a management system for data protection and information security that includes procurement, maintenance, service and operation. The management system should be established in accordance with recognised frameworks, such as: