Security Incident & Privacy Breach Response Procedure

Purpose

This procedure defines how Virtus Group identifies, assesses, contains, communicates, and learns from security incidents and privacy breaches, including how customer notification is managed when customer data or services may be impacted.

Scope

• Applies to all Virtus Group staff, contractors, and associates involved in delivery or support.
• Covers incidents affecting Virtus Group systems, customer environments administered by Virtus Group, and any situation where customer data, confidentiality, or service integrity may be impacted.

Key definitions

• Security incident: Any actual or suspected event that threatens confidentiality, integrity, or availability of systems, services, or information.
• Privacy breach: A security incident involving personal information (e.g., unauthorised access, disclosure, loss, or exfiltration).
• Customer data: Any information owned by or provided by a customer, including confidential information and personal information.

Principles

• Safety first: Prioritise safety and prevent further harm.
• Contain quickly: Reduce blast radius while preserving evidence.
• Evidence-first: Maintain an audit trail and support forensics where needed.
• Transparent communication: Notify impacted customers promptly and provide factual, staged updates.
• Least disclosure: Share only what is necessary, and protect customer and third‑party confidentiality.

Roles and responsibilities

• Incident Manager (IM): Coordinates triage, containment, and recovery; maintains timeline and decision log.
• Security Lead: Leads technical investigation, containment strategy, and control effectiveness review.
• Privacy Lead (where applicable): Assesses privacy impact and supports any notifiable privacy breach process.
• Customer Contact (Agency Lead): Receives notifications and coordinates customer-side actions and communications.

Customer notification obligations

Virtus Group notifies the impacted customer when there is reasonable suspicion or confirmation that:

• unauthorised access, compromise, or exfiltration of customer data may have occurred,
• customer confidentiality may be breached,
• or any other incident has occurred that threatens the security or integrity of services used by the customer.

Notification timeframes

• Initial notification: As soon as practicable after identification and initial triage, and no later than the agreed contractual timeframe (default target: within 24 hours for customer-impacting incidents).
• Update cadence: Regular updates are provided as new facts are confirmed (e.g., containment status, scope, customer actions required).
• Final report: A written incident summary is provided, including root cause, impact, corrective actions, and preventative measures.

Communication channels

• Primary: Email to the customer’s nominated security/incident contacts (or service desk channel as agreed).
• Urgent escalation: Phone call to the nominated on‑call/incident contact for high-severity events, followed by written confirmation.
• Evidence exchange: Customer-approved secure channel (e.g., customer SharePoint/portal) for logs, timelines, and artefacts.

Response lifecycle

1. Detect & triage: Identify indicators, classify severity, confirm affected assets, and open an incident record.
2. Contain: Isolate affected accounts/systems, block malicious activity, and preserve evidence.
3. Eradicate: Remove persistence, remediate misconfigurations/vulnerabilities, rotate credentials, and apply patches/controls.
4. Recover: Restore services and data as needed, validate integrity, and monitor for recurrence.
5. Communicate: Notify impacted customers per the obligations above; provide actions required and progress updates.
6. Lessons learned: Conduct post‑incident review, capture improvement actions, and update runbooks/controls.

Privacy breach handling

• Where personal information may be involved, Virtus Group assesses whether a notifiable privacy breach threshold may be met and supports customer-led notification steps where required.
• Virtus Group provides the customer with facts, timelines, and recommended mitigations to support any statutory or policy notifications.

Records and evidence

• Incident ticket/record ID; severity classification; affected systems; scope statement.
• Timeline of events; decision log; containment and remediation actions.
• Relevant logs/alerts, screenshots, and restore evidence (as applicable).
• Customer communications record (who/when/what was notified).

Subcontractors and third parties

• Where third parties are involved, Virtus Group coordinates response actions via agreed points of contact and ensures incident notification obligations flow down to subcontractors/vendors.
• Customer notification remains the responsibility of Virtus Group where Virtus Group is the engaged supplier for the impacted service.

Testing and review

• Table‑top exercises are conducted periodically; outcomes are recorded and feed a service improvement backlog.
• This procedure is reviewed at least annually, or after a significant incident.

Appendix: initial customer notification template (example)

Subject: Security incident notification — [Customer] — [Date/Time]

• Summary: What we know so far (facts only).
• Customer impact: Affected services/data (known or suspected).
• Actions taken: Containment and immediate mitigations performed.
• Actions required: Steps the customer should take now (if any).
• Next update: When and how the next update will be provided.
• Contact: Incident Manager name and on‑call contact method.