
Privacy Policy

Information Security and Scope Policy 

This information security policy has been prepared to ensure that all employees and contractors of True Impact Marketing Inc. (“True Impact”) have an informed understanding of True Impact’s information security policies and procedures, and to ensure that they are applied in a consistent manner.

These security policies apply to all full-time and part-time employees and contractors of True Impact.

Purpose

True Impact and its management are committed to establishing and maintaining secure environments in which to conduct business. The purpose of these information security policies is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. 

The major goals of these information security policies are to provide:

  • an overall framework to guide True Impact personnel when implementing network security policies and procedures for True Impact’s computing devices and other information assets;

  • guidance to all employees and contractors on the proper handling of True Impact’s confidential and personal information;

  • the standard for security training and educational awareness programs developed by True Impact;

  • the standard information security controls and procedures for each platform, operating system, application and security device, so that compliance can be monitored and enforced against the policies; and

  • protection from unauthorized access, disclosure, use, modification or destruction of True Impact’s information and information systems, in a manner consistent with their value, sensitivity and criticality.

Scope of Policies

These policies and their integrated guidelines apply to all True Impact employees and contractors who have access to True Impact data, computing devices and/or systems. The information security policies include:

  1. Information Security Training Policy

  2. Acceptable Use Policy

  3. Data Classification Framework

  4. Password and Access Management Policy

  5. Encryption Policy

  6. Backup and Recovery Policy

  7. Data Retention and Disposal Policy

  8. Patch Management Policy

  9. Network Security Policy

  10. Information Security Incident Management and Response Procedures

Information Security Training Policy
Purpose

This policy covers the requirements for employee information security training at True Impact Marketing Inc.

Scope

This policy applies to all employees and contractors who have access to True Impact’s data, computing devices, and/or information systems.

Policy

True Impact maintains information security policies that address requirements arising from True Impact’s business strategy, regulations, legislation, contracts, and its current and projected security threat environment. These information security policies define the objectives, the information security roles and responsibilities, and the processes for handling deviations and exceptions.

These information security policies are published and communicated to all True Impact employees and relevant contractors. They also mandate the implementation of information security controls and give direction on how to address the needs of specific target groups within True Impact.

Applicable information security policies are communicated to True Impact’s employees and contractors in a form that is accessible and gives clear direction to the intended reader.

True Impact provides training to educate users about information security risks and to ensure that users are aware of the physical and logical controls put in place to protect confidential and personal information (e.g. policies requiring that devices and documents are not left unattended, and awareness of the software controls required on mobile devices).

Annual Training

Information security awareness training must be completed by all employees every 12 months.  This training is documented to confirm attendance and followed by a quiz to assess comprehension of at least the following topics:

  • Approved information security policies;

  • Acceptable use of True Impact email, computing devices, internet and applications;

  • Use of approved/licensed software;

  • Password and access management policy;

  • Remote access policies;

  • Encryption policy;

  • Privacy policy;

  • Safe use of the internet and social media;

  • Requirement to promptly report information security incidents including observed security weaknesses;

  • Identification of malicious emails and links;

  • Situational awareness for emerging threats (e.g. phishing, ransomware, etc.); and

  • Physical security of confidential and personal information (clean desk).

Acceptable Use Policy
Purpose

This policy outlines the required security controls and the acceptable use of information technology equipment, connectivity and systems at True Impact Marketing Inc. These rules are in place to protect both the employee and True Impact. Inappropriate use exposes True Impact to risks including malware infection, compromise of network systems, services and data, legal liability and loss of business.

Scope

This policy applies to all employees and to contractors who have access to True Impact’s data, computing devices and/or information systems.

Policy
  • True Impact’s proprietary information stored on electronic and computing devices, whether owned or leased by True Impact, the employee or a contractor, remains the sole property of True Impact. 

  • Everyone who has access to this information must ensure through legal or technical means that confidential information is protected.

  • Everyone has a responsibility to promptly report the theft, unauthorized access or loss or unauthorized disclosure of confidential or personal information.

  • Access, use, or sharing of confidential or personal information must only be to the extent it is authorized and necessary to fulfill assigned job duties.

  • Employees shall use only software that is approved and licensed for their use by True Impact.

  • Employees are responsible for exercising good judgment regarding the reasonableness of personal use. If there is any uncertainty, employees should consult their manager.

  • For security and network maintenance purposes, authorized individuals within True Impact may monitor equipment, systems and network traffic at any time.

  • True Impact reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

Security and Confidential Information
  • The safe-keeping of all work-related access credentials (usernames and passwords) is the responsibility of employees.

  • Employees must use extreme caution when opening e-mail attachments received from unknown senders as they may contain malware. 

    • If you suspect a phishing attempt, check the sender address carefully for misspellings or look-alike domains, and confirm that the sender actually intended the message by contacting them through a different channel, such as the telephone, rather than by replying to the email.

  • All True Impact content, data, documentation and research materials shall be shared with or transferred to customers only using approved secure and encrypted methods.

Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee authorized to engage in any activity that is illegal under local, provincial, federal or international law while utilizing True Impact owned resources. 

The following activities are strictly prohibited, with no exceptions:

  • Violations of the rights of any person or organization protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by True Impact.

  • Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software that has not been approved and licensed by True Impact.

  • Accessing data, a server or an account without proper authorization.

  • Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.

  • Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).

  • Revealing your account’s password (or any other individual access credentials) to others or allowing use of your account by others. This includes family and other household members when work is being done at home.

  • Using True Impact’s computing assets to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.

  • Making fraudulent offers of products, items, or services originating from any True Impact account.

  • Making statements about warranty, expressly or implied, unless it is a part of normal job duties.

  • Circumventing user authentication or security of any host, network or account.

  • Writing or using software with malicious intent. This includes running DDoS attacks or writing code to disrupt the normal operation of client systems.

  • Tests of potential information security weaknesses by unauthorized individuals (employees and contractors who observe weaknesses in True Impact’s information security systems are required to report them under True Impact’s Incident Management and Response Procedures).

  • Providing information about, or lists of, True Impact’s employees to parties outside True Impact.

  • Unauthorized use, collection, disposal, destruction, encryption, alteration or disclosure of any of True Impact’s confidential information, including personal information or information obtained from clients.

Email
  • Do not send unsolicited email messages, including advertising material to individuals who did not specifically request it. 

  • Do not use True Impact email with the intent of harassing the email recipient.

  • Do not access other email accounts that you are not authorized for.

  • Do not forge email header information. 

  • Do not create or forward emails for the purpose of "chain letters", "Ponzi" or other "pyramid" schemes of any type. 

Internet Access
  • Employees are not permitted to use True Impact internet to download illegal materials.

  • Employees are not permitted to use internal True Impact internet access for personal commercial ventures (e.g., cryptocurrency mining).

  • Employees should use their own discretion to avoid excessive data use. 

  • Do not use internet access for malicious activities (e.g., launching DDoS attacks or unauthorized security scans).

Mobile and BYOD Devices
  • Employees’ personal mobile devices may be used for phone calls, True Impact managed email, and True Impact’s approved internal messaging system.

  • Employees’ personal mobile devices may connect only to True Impact’s “Guest” WiFi network.

Remote Access

Authorization and management approval must be obtained before remote access rights to True Impact’s information systems are granted. Where remote access has been granted, users must:

  • use strong authentication (multi-factor authentication) for account login;

  • use secure, approved True Impact VPN hardware and/or software; and

  • prevent unauthorized access to the offsite equipment while it is connected to True Impact VPN hardware and/or software.

Data Classification Framework
Purpose

This classification scheme categorizes the information and related assets at True Impact Marketing Inc. The scheme includes conventions for classification and criteria for reviewing classifications over time. Depending on the classification, protective controls are placed on information assets to protect their confidentiality, integrity and availability. The level of protection these controls afford is commensurate with the criticality, value, sensitivity and legal requirements associated with the information they protect.

Classification

Class 1 – Open or Public Information

Information that is open to sharing and distribution and that, if disclosed outside True Impact, would not harm True Impact, its employees, customers or suppliers.

Class 2 – Sensitive or Internal Information

Information for internal use that is not sensitive to disclosure within True Impact but could harm True Impact if disclosed externally. It may be shared under agreement or with authorization.

Class 3 – Confidential Information

"Need to know" information such as personally identifiable information or client data for a research project that is not to be shared except with authorized individuals. Controlled by Data Owners (for example, senior executive with ultimate oversight of the data), and protected by Data Custodians (for example, the information technology staff/resources). Confidential information is considered critical to True Impact operations. Data Owners make classification decisions based on risk and client preference. They can delegate data management responsibilities to Data Stewards who are responsible for collecting, modifying and analyzing data.  

Classified Handling of Assets and Procedures for Classifying Information

True Impact shall develop and implement policies for handling, processing, storing and communicating information that are consistent with True Impact’s information classification scheme.

Security Roles and Role Permissions (the role and permission tables for this section are images and are not reproduced in this text)

Note: By default, risk levels are more heavily weighted towards the impact on privacy, confidentiality, integrity and availability for clients, individuals and True Impact than towards the general threat of loss.

Password and Access Management Policy
Purpose

This policy outlines the reasonable security practices that all users and employees must follow in the selection and use of passwords to protect the assets and property of True Impact Marketing Inc and its clients. It also describes the scenarios leading to account lockouts and access removal.

Scope

This policy applies to all employees and to contractors who have access to True Impact’s data, computing devices and/or information systems.

Policy

When selecting and using a password, all users are required to:

  • keep passwords confidential, ensuring that they are not divulged to any other party;

  • avoid keeping a record of the password, unless the method used is private, secure and has been approved;

  • change passwords immediately whenever there is any indication of a suspected compromise;

  • use quality passwords that adhere to the following rules:

    • are easy to remember;

    • are not based on anything somebody else could easily guess or obtain from person-related information (e.g. names, telephone numbers, date of birth, etc.);

    • contain a minimum of eight (8) characters;

    • contain a combination of at least one number, one upper case letter, one lower case letter and one special character;

    • contain no runs of consecutive identical characters and are not all-numeric or all-alphabetic; and

    • if temporary, are changed at first log-in;

  • avoid sharing passwords;

  • where a password must be communicated, do so only over a secure, approved channel;

  • change passwords at regular intervals; and

  • not reuse passwords.
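As an added example (not code from the original policy), the following Python function checks a candidate password against the rules in the list above that can be verified mechanically: minimum length, required character classes, runs of identical characters, all-numeric or all-alphabetic strings, and use of the user's own details such as names, phone number and date of birth. The profile dictionary, its keys and the sample values are constructed for illustration; "easy to remember" cannot be checked by software and is left to the user.

```python
"""Policy password check (added example, not True Impact's own code).

Checks a candidate password against the rules that can be verified mechanically:
minimum length, required character classes, no runs of identical characters,
not all-numeric or all-alphabetic, and not derived from the user's own details.
The profile dictionary keys below are an assumption for illustration.
"""
import re
import string

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)


def personal_tokens(profile):
    """Derive lowercase fragments of a user's details (names, phone number,
    date of birth) that must not appear in the password. Only fragments of at
    least three characters are used, so a middle initial does not cause a
    false rejection; every four-digit window of a phone number or date is
    included so a birth year or the last digits of a phone number are caught."""
    tokens = set()
    for value in profile.values():
        if not value:
            continue
        text = str(value).lower()
        for part in [text] + re.split(r"[\s\-/.@]+", text):
            if len(part) >= 3:
                tokens.add(part)
        digits = re.sub(r"\D", "", text)
        for i in range(len(digits) - 3):
            tokens.add(digits[i:i + 4])
    return tokens


def check_password(password, profile=None):
    """Return the list of policy rules the password violates; an empty list
    means it passes every checkable rule."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        violations.append("no number")
    if not any(c.isupper() for c in password):
        violations.append("no upper case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower case letter")
    if not any(c in SPECIALS for c in password):
        violations.append("no special character")
    if re.search(r"(.)\1", password):
        violations.append("consecutive identical characters")
    if password.isdigit() or password.isalpha():
        violations.append("all-numeric or all-alphabetic")
    if profile:
        lowered = password.lower()
        hits = sorted(t for t in personal_tokens(profile) if t in lowered)
        if hits:
            violations.append("contains personal information: " + ", ".join(hits))
    return violations


# Constructed sample profile used for the demonstration below.
SAMPLE_PROFILE = {
    "first_name": "Jane",
    "last_name": "Doe",
    "phone": "416-555-0199",
    "date_of_birth": "1985-03-12",
}

if __name__ == "__main__":
    for candidate in ["password", "Jane1985!x", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "OK")
```

The personal-information check is deliberately case-insensitive and substring based: "Jane1985!x" satisfies every character-class rule yet is rejected because it embeds both the user's first name and birth year, which is exactly the kind of password the policy's "easily guess or obtain" rule is aimed at.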

Password Change

Passwords of employees and business applications must be changed every year. Passwords may not be reused within a twenty-four (24) month period.

Account Lockout/Removal Requirements

Secure login procedures shall be established to minimize the opportunity for unauthorized access. True Impact’s login procedure shall include the following controls:

  • accounts shall be locked out after five (5) unsuccessful login attempts;

  • locked-out accounts shall remain locked for at least fifteen (15) minutes;

  • logs shall be kept of unsuccessful login attempts, including the date, time and relevant details;

  • a security event shall be initiated if a potential breach of login controls is detected;

  • inactive accounts shall be disabled or terminated after ninety (90) days of inactivity;

  • account access shall be reviewed at least annually to ensure access is limited to employees and contractors who continue to require it; and

  • account access to all systems shall be promptly revoked upon termination or departure of an employee or contractor.
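As an added example (not code from the original policy), the following Python class implements the first four controls in the list above: a lockout after five unsuccessful attempts, a lock that holds for fifteen minutes even if the correct password is then supplied, a log record with date, time and details for every unsuccessful attempt, and a security event raised when a lockout triggers. The credential store, the fixed clock and the sample account are constructed fixtures, not a real authentication backend.

```python
"""Account lockout control (added example, not True Impact's own code).

Enforces the login controls above: lock an account after five unsuccessful
attempts, hold the lock for at least fifteen minutes, log every unsuccessful
attempt with date, time and details, and raise a security event when a lockout
is triggered. The credential store and the clock are constructed fixtures so
the behaviour can be exercised without a real authentication backend.
"""
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=15)


class LoginGuard:
    def __init__(self, verify, clock):
        # verify(username, password) -> bool is the real credential check.
        # clock() -> timezone-aware datetime; injected so the window is testable.
        self._verify = verify
        self._clock = clock
        self._failures = {}      # username -> consecutive failures
        self._locked_until = {}  # username -> datetime the lock expires
        self.failure_log = []    # one record per unsuccessful attempt
        self.security_events = []

    def attempt(self, username, password, source_ip):
        """Process one login attempt; returns "ok", "denied" or "locked"."""
        now = self._clock()
        locked_until = self._locked_until.get(username)
        if locked_until is not None and now < locked_until:
            # Refuse even a correct password while the lock is in force.
            self._record(now, username, source_ip, "attempt while locked")
            return "locked"

        if self._verify(username, password):
            self._failures[username] = 0
            self._locked_until.pop(username, None)
            return "ok"

        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        self._record(now, username, source_ip,
                     "bad credentials (failure %d of %d)" % (count, MAX_FAILURES))
        if count >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT
            self._failures[username] = 0  # counting starts over once the lock expires
            self.security_events.append({
                "time": now.isoformat(), "account": username, "source": source_ip,
                "event": "account locked after %d unsuccessful attempts" % MAX_FAILURES,
            })
            return "locked"
        return "denied"

    def _record(self, when, username, source_ip, detail):
        self.failure_log.append({
            "time": when.isoformat(), "account": username,
            "source": source_ip, "detail": detail,
        })


# Constructed fixtures for the demonstration (not a real user store).
USERS = {"alice": "correct horse battery staple"}
START = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


class FakeClock:
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, **kwargs):
        self.now += timedelta(**kwargs)


def make_guard():
    clock = FakeClock(START)
    return LoginGuard(lambda u, p: USERS.get(u) == p, clock), clock


if __name__ == "__main__":
    guard, clock = make_guard()
    for _ in range(5):
        print(guard.attempt("alice", "wrong", "10.0.0.5"))
    print(guard.attempt("alice", USERS["alice"], "10.0.0.5"))  # still locked
    clock.advance(minutes=15)
    print(guard.attempt("alice", USERS["alice"], "10.0.0.5"))  # ok
    print(guard.security_events)
```

The clock is injected rather than read from the system so that the fifteen-minute window can be exercised deterministically. An unknown account receives the same "denied" response as a wrong password, so the login path does not reveal which usernames exist. A production version would persist the counters and lock expiry with the account record rather than in memory.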

 

 

Encryption Policy
Purpose

The encryption policy describes how True Impact Marketing Inc uses cryptographic controls to protect the confidentiality, authenticity and/or integrity of True Impact’s research, data and information classified as sensitive, confidential or secret.

Scope

This policy applies to the handling of all sensitive, confidential, and secret information by all employees and contractors who have access to sensitive, confidential and secret information.

Use of Cryptographic Controls

True Impact uses cryptographic controls for the protection of confidential information, including for:

  • Collection of personally identifiable information from research participants;

  • Exchanging of private and/or confidential information with clients and third-party data processors; and 

  • Remote access of information by employees, consultants and contractors. 

Data at Rest

  • All sensitive, confidential and secret information at rest on the network or on a True Impact approved laptop/computer is fully encrypted using AES-128 or AES-256.

  • Storing confidential information on portable computing devices, including mobile phones, USB devices and other portable storage, is to be avoided. Where there is a need to store confidential information on a portable computing device, the device must be fully encrypted and have appropriate anti-malware protection in place. Portable computing devices must not be used for long-term storage of confidential information, and all confidential information must be promptly and permanently deleted once its required use is complete.

Data in Transit

  • All sensitive, confidential and secret Information that is transferred via a web interface is encrypted using TLS 1.2 or TLS 1.3.

  • All True Impact websites and connections that run over the public Internet must use HTTPS so that data in transit is encrypted.

  • All remote access to True Impact’s network is secured using a True Impact approved VPN.

  • WiFi access is secured using WPA2 or stronger.


 

Backup and Recovery Policy
Purpose

The backup and recovery policy at True Impact Marketing Inc ensures that essential information and software can be recovered following loss including from accidental deletion, a disaster or a media failure.

Scope

The backup and recovery policy covers all network systems and databases. Data stored locally on computing devices (e.g. laptops, tablets, phones, portable storage devices, etc.) is not covered by backups. Users are responsible for ensuring that essential information requiring backup is stored on True Impact’s network in folders that are included in backups.

Policy

Full backups are performed weekly and are retained for 5 weeks.  Incremental backups are performed on a daily basis and retained for 10 days.  The last weekly backup of a month will be marked as a monthly backup and be retained for a minimum of 13 months.

Following their retention schedule, all backups are permanently deleted.

Monthly backups will be stored offsite in a secure, fireproof environment.

The offsite backup location is far enough from the main site to escape damage from a disaster there.

All backups are transferred securely (using TLS 1.2 or 1.3) and stored in encrypted form (AES-128 or AES-256).

True Impact will clearly communicate to users which folders are included in backups, and users are required to store essential business information within those folders.

Restoration procedures are documented, and copies of the documentation are stored at a remote location far enough from the main site that it will not be affected by a disaster there.

 

A test of restoration of backups is performed at least once annually to ensure that backup media, backup processes, and restoration processes can be relied upon in emergency situations.
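As an added example (not code from the original policy), the following Python routine applies the retention schedule above to a catalogue of backups and decides which ones may be deleted: incrementals older than 10 days, weekly fulls older than 5 weeks, and monthly fulls (the last full backup of a calendar month) older than 13 months. The catalogue layout, the sample dates and the "today" value are constructed; the policy does not say on which weekday the full backup runs, so the example simply treats the last full backup in each month as that month's monthly backup.

```python
"""Backup retention pruning (added example, not True Impact's own code).

Applies the schedule above to a catalogue of backups: daily incrementals are
kept 10 days, weekly fulls 5 weeks, and the last full backup of each calendar
month is marked monthly and kept 13 months. The catalogue and the "today"
date are constructed sample data; the dict layout is an assumption.
"""
import calendar
from datetime import date, timedelta

INCREMENTAL_RETENTION = timedelta(days=10)
WEEKLY_RETENTION = timedelta(weeks=5)
MONTHLY_RETENTION_MONTHS = 13


def months_before(d, months):
    """Return the date `months` calendar months before `d`, clamping the day
    so that e.g. 31 March minus 13 months gives 28 (or 29) February."""
    year_offset, month_index = divmod(d.month - 1 - months, 12)
    year, month = d.year + year_offset, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def monthly_backups(backups):
    """Dates of full backups that are the last full backup in their month.
    For the current month this is only provisional, but such a backup is
    still inside the 5-week weekly window, so nothing is deleted prematurely."""
    latest = {}
    for b in backups:
        if b["kind"] == "full":
            key = (b["date"].year, b["date"].month)
            if key not in latest or b["date"] > latest[key]:
                latest[key] = b["date"]
    return set(latest.values())


def plan_retention(backups, today):
    """Split the catalogue into (keep, delete) according to the policy."""
    monthly = monthly_backups(backups)
    monthly_cutoff = months_before(today, MONTHLY_RETENTION_MONTHS)
    keep, delete = [], []
    for b in backups:
        d = b["date"]
        if b["kind"] == "incremental":
            retained = today - d <= INCREMENTAL_RETENTION
        elif d in monthly:
            retained = d >= monthly_cutoff
        else:  # ordinary weekly full
            retained = today - d <= WEEKLY_RETENTION
        (keep if retained else delete).append(b)
    return keep, delete


# Constructed sample catalogue; fulls are taken on Sundays.
TODAY = date(2024, 6, 30)
SAMPLE_BACKUPS = [
    {"kind": "incremental", "date": date(2024, 6, 29)},  # 1 day old: keep
    {"kind": "incremental", "date": date(2024, 6, 20)},  # 10 days old: keep
    {"kind": "incremental", "date": date(2024, 6, 19)},  # 11 days old: delete
    {"kind": "full", "date": date(2024, 6, 30)},         # last full of June: monthly
    {"kind": "full", "date": date(2024, 6, 23)},         # weekly, 1 week old
    {"kind": "full", "date": date(2024, 6, 2)},          # weekly, 4 weeks old
    {"kind": "full", "date": date(2024, 5, 26)},         # last full of May: monthly
    {"kind": "full", "date": date(2024, 5, 19)},         # weekly, 6 weeks old: delete
    {"kind": "full", "date": date(2024, 5, 12)},         # weekly, 7 weeks old: delete
    {"kind": "full", "date": date(2023, 6, 25)},         # monthly, 12 months old: keep
    {"kind": "full", "date": date(2023, 5, 28)},         # monthly, >13 months old: delete
]

if __name__ == "__main__":
    keep, delete = plan_retention(SAMPLE_BACKUPS, TODAY)
    for b in delete:
        print("delete", b["kind"], b["date"])
```

Month arithmetic is done on calendar months rather than a fixed number of days, so a monthly backup is never dropped a day early at a month boundary; the day is clamped for short months. Whether a full backup is the last of its month is only certain once the month has ended, but any such candidate is also within the five-week weekly window, so the ambiguity cannot cause a premature deletion.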

 

Data Retention and Disposal Policy
Purpose

This policy outlines the length of time that data is retained by True Impact Marketing Inc and describes the process by which that data is disposed of.  The policy ensures that sensitive, confidential and secret information is stored only as long as required and that data that is no longer needed is properly sanitized and disposed of.

Scope

The data retention and disposal policy applies to all sensitive, confidential and secret information retained by True Impact. The policy covers data in digital and hard copy (e.g., printed) form.

Policy

True Impact retains confidential and personally identifiable information for as long as necessary to fulfill the purpose for which it was collected, or as otherwise permitted or required by law. Once this purpose has been fulfilled, subject to any legal exceptions, True Impact destroys the information in a secure manner that protects the confidentiality of the information and the privacy of the individual to whom it relates.

The following describes the retention period for specific types of confidential and personal information:

  1. Personal information collected through research is retained for any necessary administration and/or quality control period or as agreed with participant(s).

  2. Confidential information from clients and third-parties is retained as long as required to fulfill obligations in contractual agreements.

  3. Research records that are required to enable project traceability and replicability are retained for a minimum of 24 months or as agreed to by the client.  Primary records are retained for 12 months or as agreed by the client.

  4. Tax and financial records including, but not limited to, documents concerning payroll, expenses, vendor invoices, financial statements, bank reconciliations, bank deposits, journal entries, tax returns, and other documents concerning the True Impact's finances are retained for six years plus the current year. 

  5. Employment Records / Personnel Records including recruitment, employment and personnel information, including performance reviews, are retained for six years plus the current year. 

  6. Board of Directors Minutes and Resolutions are retained in perpetuity in True Impact's minute book.

  7. Sales Documents (customer orders, purchase orders, shipping confirmations, etc.) are retained for three years plus the current year. Electronic copies of invoices, purchase orders, accounts payable records, etc. are kept for six years plus the current year within the ERP system.

  8. Contracts and Leases entered into by True Impact are retained for three years beyond the life of the agreement.

All documents and media that contain confidential or personal information and are no longer functional or required are securely wiped or verifiably destroyed so that the data cannot be recovered. Hard copy documents are destroyed by shredding. Physical media and drives are securely wiped before reuse (a simple format does not remove the data) or destroyed by proven means appropriate to the media.

Professional service providers used to destroy documents and media are required to provide a Record of Destruction, which True Impact retains.

This policy is reviewed annually and updated as required.

 

Patch Management Policy
Purpose

This policy outlines the procedures for promptly applying patches to the operating systems and applications used by True Impact Marketing Inc, to reduce vulnerabilities and minimize security risk.

Scope

The patch management policy applies to all operating systems and applications authorized for use by True Impact, including software on networks and on other authorized computing devices.

Policy

True Impact regularly monitors for and reviews all available patches to its operating systems and software applications.

Patches that address critical vulnerabilities shall be reviewed and applied as soon as possible.  Patches that address other vulnerabilities should be applied within 30 days of release by the vendor where possible.

All other patches are reviewed promptly.  Patches deemed beneficial will be tested and, upon acceptance, applied as part of normal maintenance.

 

Network Security Policy
Purpose

This network security policy outlines the administrative, technical and physical controls and procedures in place at True Impact Marketing Inc to protect the security of its network.   

Scope

The network security policy applies to all True Impact networks and information systems.

Policy

True Impact’s network is managed and controlled to protect the information stored in its systems and applications. True Impact uses the following controls to protect its networks from unauthorized access:

  • Users are granted only the minimum access required to perform their tasks;

  • User access to the network and/or specific functionality is revoked when no longer needed or upon departure from True Impact;

  • Network administrators are provisioned with separate accounts for administrative activities and for regular user-level activity;

  • Special controls, as defined in True Impact’s Encryption Policy, are used to safeguard the confidentiality and integrity of data passing over public or wireless networks;

  • Logging and monitoring are used to record and detect actions that may affect True Impact’s network security; and

  • Authentication procedures are used to control access to systems on True Impact’s networks.

Firewall, Intrusion Detection and Protective Network Controls

The True Impact’s network services include the following controls: 

  • Firewalls: all network services are protected by firewalls that:

    • deny all inbound traffic unless it is explicitly authorized;

    • deny inbound traffic from outside that carries an internal VLAN source address (anti-spoofing);

    • create a boundary between the corporate network and the Internet;

    • permit traffic only for explicitly specified protocols, ports, directions and devices;

    • log all connection attempts denied by the preceding rules; and

    • log all logins and login attempts centrally for reporting and investigation.

 

  • Intrusion prevention systems and/or intrusion detection systems (IDS/IPS): all network services are protected by an intrusion prevention system and/or an intrusion detection system to:

    • identify any malicious or suspicious network activity; 

    • log all malicious or suspicious network activity;

    • attempt to block or prevent malicious or suspicious network activity; and 

    • report all malicious or suspicious network activity.

 

Other Protective Controls

  • To help prevent unauthorized access, True Impact logically separates its internal network from the Internet.

  • DNS firewalls are in place to prevent network users and systems from connecting to known malicious Internet locations.

  • Visitor access to WiFi does not connect to True Impact’s internal network or resources such as printers.

  • DMARC is implemented on all of True Impact’s email services.

  • Staff and contractors are required to secure computing devices when not in use.

 

 

Information Security Incident Management and Response Procedures
Purpose

This document establishes management responsibilities and procedures to ensure a quick and effective response to information security incidents at True Impact Marketing Inc.  An information security incident is any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource.  The incident management and response procedures define the roles and responsibilities of individuals involved and the actions that will be taken in response to an incident.  The goal is to respond promptly to any incidents and identify actions that can be taken to reduce the likelihood of an incident recurring. 

Scope

The incident management and response procedures apply to all information systems and computing devices and to all True Impact data. They apply to all True Impact staff and all independent contractors. Security incidents that must be reported include but are not limited to:

  • observed weaknesses in the True Impact’s information security systems and controls;

  • breach of information integrity, confidentiality or availability expectations; 

  • human errors;

  • non-compliances with policies or guidelines;

  • breaches of physical security arrangements; 

  • uncontrolled system changes; 

  • malfunction of software or hardware;

  • access violations; and

  • loss of data or system information (e.g., due to theft, lost devices, corrupted drives, etc.).

Incident Management Response Team

The following individuals at True Impact have responsibility for the following roles as part of the Incident Management Response Team (note: in smaller companies the same individual might hold multiple roles; in larger companies these roles might be further divided):

Information Security Lead – the CTO at True Impact is designated as the Information Security Lead. The Information Security Lead is responsible for documenting the incident, investigating it and coordinating the response.

Information Security Executive – the CTO at True Impact is the executive with overall accountability for an information security incident.

Communications Lead – the CEO at True Impact is designated as the Communications Lead and is responsible for managing communications related to the incident, both internally and externally.

Chief Privacy Officer – the CEO at True Impact is the executive with overall responsibility for True Impact’s compliance with its privacy policy and applicable privacy legislation.

Human Resources Lead – the CEO at True Impact joins the team when an employee is discovered to be involved in the incident.

Legal Counsel – the CEO at True Impact joins the team when legal counsel is required for gathering forensic evidence that could support legal action, assessing legal liability related to an incident, and advising on communications related to the incident.

Application/Data Owners – the individuals at True Impact responsible for an application or data impacted by an incident.

Incident Response Procedures 
  1. The individual who discovers a suspected incident is responsible for immediately reporting it to the Information Security Lead at the True Impact who can be reached at admin@truescan.co.

  2. The following information will be documented by the Information Security Lead:

    1. The name of the individual reporting the incident. 

    2. Time reported.

    3. Contact information of the individual reporting the incident. 

    4. The nature of the incident. 

    5. A description of equipment/systems and/or persons involved.

    6. Location of equipment/systems or persons involved. 

    7. How the incident was detected. 

    8. When the event that first indicated the incident was noticed.

    9. Whether or not the incident involved a potential privacy breach. Where it does, a Privacy Breach Incident Report will also be completed.

  3. The Information Security Lead will promptly notify the Information Security Executive and Incident Management Response Team including any application/data owners affected by the incident.  In addition to the documented report, the Information Security Lead will share the following with the Incident Management Response Team:

    1. Whether or not affected equipment/systems are business critical.

    2. An assessment of the severity of the potential impact. 

    3. Name of system being targeted, along with operating system, IP address, and location. 

    4. IP address and any information about the origin of the attack.

  4. Members of the response team will meet or discuss the situation and determine a response strategy. They will document the answers to the following questions:

    1. Is the incident real or perceived? 

    2. Is the incident still in progress? 

    3. What data or property is threatened and how critical is it? 

    4. What is the impact on the business should the attack succeed? Minimal, serious, or critical? 

    5. What system or systems are targeted, where are they located physically and on the network? 

    6. Is the incident inside the trusted network?

    7. What category is the incident? Category one: a threat to public safety or life; Category two: a threat to secret, confidential or sensitive data; Category three: a threat to computer systems; or Category four: a disruption of services.

    8. Is the response urgent? 

    9. Can the incident be quickly contained? 

    10. Will the response alert the attacker and do we care? 

    11. What type of incident is this? Example: virus, worm, intrusion, abuse, damage. 

  5. Forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim will be used to determine how the incident was caused. 
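Step 5 above mentions looking for gaps in logs. The following Python script is an added example, not part of True Impact's policy or tooling, of how a reviewer can surface two signs that a log needs closer attention: an unusually long silence, which may indicate an outage or deleted entries, and a timestamp that runs backwards, which may indicate tampering or clock drift. The hostname, process names and timestamps in the sample lines are constructed, and the ten-minute silence threshold is an assumption that should be tuned to how often the source normally logs.

```python
"""Log-gap review: flag long silences and out-of-order timestamps in a log.
Added example for illustration; not part of True Impact's policy or tooling."""
from datetime import datetime, timedelta

# Constructed sample log lines for a hypothetical host "app01" (ISO-8601 stamps).
# The service is assumed to log at least every ten minutes, so the silence
# from 02:05 to 03:40 and the backwards timestamp near 03:39 are the anomalies.
SAMPLE_LOG = """\
2024-03-01T01:50:00 app01 sshd[2201]: Accepted publickey for deploy from 10.0.0.8
2024-03-01T01:58:12 app01 cron[310]: (root) CMD (/usr/local/bin/backup.sh)
2024-03-01T02:05:30 app01 sshd[2240]: Accepted password for admin from 10.0.0.9
2024-03-01T03:40:01 app01 cron[310]: (root) CMD (/usr/local/bin/backup.sh)
2024-03-01T03:41:15 app01 sshd[2301]: Accepted publickey for deploy from 10.0.0.8
2024-03-01T03:39:00 app01 sshd[2302]: session closed for user admin
2024-03-01T03:50:00 app01 cron[310]: (root) CMD (/usr/local/bin/backup.sh)
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_lines(text):
    """Return a list of (timestamp, raw_line); timestamp is None if unparsable."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, _rest = line.partition(" ")
        try:
            records.append((datetime.strptime(stamp, TS_FORMAT), line))
        except ValueError:
            # A line with no valid timestamp is itself worth noting in review.
            records.append((None, line))
    return records


def find_log_gaps(text, max_silence_minutes=10):
    """Return findings as (kind, detail) tuples, in log order.

    kind is 'gap' for a silence longer than max_silence_minutes,
    'out_of_order' for a timestamp earlier than the latest one seen so far,
    or 'unparsable' for a line without a valid timestamp.
    """
    max_silence = timedelta(minutes=max_silence_minutes)
    findings = []
    latest = None  # latest timestamp seen so far, not simply the previous line
    for ts, line in parse_lines(text):
        if ts is None:
            findings.append(("unparsable", line))
            continue
        if latest is not None:
            delta = ts - latest
            if delta < timedelta(0):
                findings.append(("out_of_order",
                                 f"{latest.isoformat()} -> {ts.isoformat()}"))
            elif delta > max_silence:
                findings.append(("gap",
                                 f"{latest.isoformat()} -> {ts.isoformat()} ({delta})"))
            # Track the high-water mark so a backwards entry does not
            # produce a spurious gap against the line that follows it.
            latest = max(latest, ts)
        else:
            latest = ts
    return findings


if __name__ == "__main__":
    for kind, detail in find_log_gaps(SAMPLE_LOG):
        print(f"{kind:13} {detail}")
```

Comparing the gap against the latest timestamp seen, rather than the immediately preceding line, keeps a single backwards entry from being reported twice (once as out of order, once as the start of a false gap). Findings from this kind of review are leads, not conclusions: a silence should be checked against maintenance windows and upstream collector outages before it is treated as evidence of log deletion.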

  6. The Incident Management Response Team will promptly implement procedures to contain the incident, eradicate any threats related to the incident (such as removal of malware), and recover any systems/data impacted by the incident.  Recovery procedures may involve re-installing affected applications, restoring data from backups, requiring users to change passwords, disabling application functionality not required, ensuring applications are fully patched, ensuring virus protection/intrusion detection is in place, and enabling appropriate system logging.

  7. The Information Security Lead will ensure that all evidence collected is preserved, including copies of logs, email and other communication, and a list of witnesses. Evidence shall be retained for as long as needed (e.g., to support prosecution).

  8. Legal Counsel will ensure that regulators, police and other appropriate agencies are notified of the breach to ensure regulatory compliance and support prosecution.  Legal Counsel will also notify the Cybersecurity Insurance provider. 

  9. The Incident Management Response Team will assess damages and cost to the True Impact of the incident and will make recommendations on steps to be taken to reduce risk of a future incident.  Recommended changes will be implemented following Management Approval.  The assessment and recommendations should consider the following questions:

    1. Was the incident response appropriate? How could it be improved? 

    2. Was every appropriate party informed in a timely manner? 

    3. Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved? 

    4. Have sufficient changes been made to prevent a recurrence? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?

    5. Are additional policies and procedures required?

    6. Is additional training needed to increase compliance with policies and procedures?
