Virtus Group - Breach Response Procedure
v1.2 FINAL • Standardised 2025-09-04
Owner: Virtus Group Ltd • Audience: Clients, Reviewers & Operations • Classification: Public • Next Review: 2026-09-04
Executive Summary
This document describes Virtus Group’s standard for this area and how it is applied in practice. It is derived from our internal policies and standards and is intended for both reviewers and operations.
Scope & Assumptions
- In scope: systems and processes directly managed by Virtus Group per contract.
- Out of scope: client-owned or third‑party systems not onboarded to our managed service.
- Dependencies: connectivity, power, and named client contacts for decision making.
Requirements (Key Controls)
- Availability: Ensuring information and systems are accessible when required. (VGL.Information.Security.And.Privacy.Framework.docx)
- Director – Provides governance and approves exceptions.Head of Security & Compliance – Owns this framework, ensures compliance, and conducts audits.IT Operations Manager – Implements security controls and manages operational risks.People & Culture – Ensures privacy and security in HR processes.Managers – Ensure compliance within their teams.All Staff – Must comply with the framework, complete training, and report incidents. (VGL.Information.Security.And.Privacy.Framework.docx)
- This document will be reviewed at least once every two years, or whenever a major update is required, whichever happens first. (VGL.Information.Security.And.Privacy.Framework.docx)
- Ensure privacy is considered in all activities (VGL.Privacy.Policy.docx)
- Ensure staff awareness (VGL.Privacy.Policy.docx)
- Disclosure is limited to authorised staff, contracted third parties, and regulators where required by law (VGL.Privacy.Policy.docx)
- PII is retained only as long as necessary for the identified purpose or as required by law. (VGL.Privacy.Policy.docx)
- PII may be transferred outside NZ where required for cloud services (Microsoft, AWS, other SaaS). (VGL.Privacy.Policy.docx)
- Privacy breaches must be reported immediately. (VGL.Privacy.Policy.docx)
- The Privacy Officer is responsible for investigation, notification to affected individuals, and regulatory reporting if required. (VGL.Privacy.Policy.docx)
- Exemptions must be approved by the Privacy Officer and the Director, tracked, and reviewed annually. (VGL.Privacy.Policy.docx)
- This document will be reviewed at least once every two years, or whenever a major update is required, whichever happens first (VGL.Privacy.Policy.docx)
- The following rules must be followed when making a protected disclosure: (VGL.Protected.Disclosures.docx)
- VIRTUS GROUP will ensure that all disclosures are treated confidentially, and all information gathered during the investigation will be protected. (VGL.Protected.Disclosures.docx)
- Any concerns or queries regarding this policy or any suspected breaches must be reported to the Chief Executive Officer as follows: (VGL.Acceptable.Usage.Policy.docx)
- All notifiable privacy breaches must be reported immediately to Virtus Group Ltd via compliance@virtusgroup.biz or 0800 847 887 (VIRTUS). (VGL.Acceptable.Usage.Policy.docx)
- Reports must be made as soon as possible after becoming aware of the breach. (VGL.Acceptable.Usage.Policy.docx)
- Any concerns or queries regarding this policy or any suspected breaches must be reported to the Chief Executive Officer as follows: (VGL.Anti.Fraud.Anti.Corruption.Policy.docx)
- Staff members must report any suspected issues or breaches of this policy to their line manager or the Chief Executive Officer. (VGL.Anti.Fraud.Anti.Corruption.Policy.docx)
- Incident response procedures must be followed in case of breach (VGL.Cybersecurity.Policy.docx)
Procedures / Playbooks
| Trigger | Action | Owner |
|---|---|---|
| Suspected personal-data breach | Escalate to Privacy Officer; start incident log | Incident Commander |
| Confirmed breach with risk to individuals | Notify affected data subjects; consult regulator as required by law | Privacy Officer |
| Evidence handling | Preserve logs & records per Document & Record Control | Comms Lead / Forensics |
Roles & RACI
| Role | Responsibility |
|---|---|
| Incident Commander | Owns decisions, comms, and timeline |
| Core Infra Lead | Identity, directory, DNS/DHCP, virtualization |
| Network Lead | WAN/SD-WAN, firewalls, VPN |
| Apps/Data Lead | DB/app restores, file services, integrity |
| Comms/Privacy Officer | Stakeholder & regulatory notifications |
Baseline Targets
- Internal decision on notification ≤ 72 hours with Privacy Officer
- Evidence handling per Document & Record Control; chain‑of‑custody maintained
- Third‑party breach notice window: ≤ 48 hours (contractual)
KPIs & Reporting
- Breach triage ≤ 24h
- Notification decision ≤ 72h
- DSARs closed ≤ 20 working days
Thresholds & contacts (NZ‑centric)
- Privacy Act 2020 — serious harm test: If a breach is likely to cause serious harm, consult counsel and the Privacy Officer; consider notifying the Office of the Privacy Commissioner (OPC) and affected individuals.
- Cyber incidents: Engage CERT NZ for guidance and coordination where appropriate.
- Agency heads‑up: Provide an initial notification to the Agency contact within 24 hours, even if facts are preliminary; follow with updates (e.g., T+48h, T+72h).
Decision aid (record answers in the Breach Assessment form)
- What happened? (loss/theft/unauthorised access/malware/misdelivery)
- What data and how sensitive? Was it encrypted?
- Who accessed/exposed it, and for how long?
- Can we contain or recall it? (e.g., link recall, OAuth revoke, inbox rule purge)
- Potential impacts on individuals/Agency? (financial, safety, identity, trust)
- Regulatory/contract triggers (OPC, contractual notice windows)?
Outcome: Notify OPC/individuals / Notify Agency only / Monitor — record rationale, approvers, and timestamps.
Notification & Decision
Third‑party & SaaS (incl. Microsoft 365) micro‑runbook
- Containment: purge/ZAP malicious mail; disable/risk revoke OAuth consents; remove malicious inbox rules; quarantine compromised sessions; isolate affected endpoints via EDR.
- Identity: enforce password reset & MFA; check Conditional Access and break‑glass accounts; review recent sign‑ins and risky users.
- Data exposure: recall external links (SharePoint/OneDrive); tighten external sharing; review DLP hits; snapshot access logs.
- Backup/DR: verify immutability and identify clean restore points before any restore; record RTO/RPO.
- Vendors: invoke supplier notification (≤48h); request incident ticket/summary; align on joint notice language.
Third‑party / SaaS Micro‑Runbook
Safety gate: If any risk to health & safety is suspected (e.g., field/OT/visitor impact), pause technical actions that could worsen safety, and invoke PCBU procedures.
Follow the PCBU H&S Policy, log an H&S incident if applicable, and coordinate with the Agency’s safety contacts.
Safety Gate (PCBU/H&S)
Forensics & Evidence Handling
- Synchronise time sources; capture volatile data where needed; do not wipe affected assets before capture.
- Maintain chain‑of‑custody; record hashes; store artefacts in the designated evidence repository.
- Retain logs, tickets, approvals, meeting minutes, exports (e.g., KQL results) per the retention schedule; mark sensitive records.
- Document every action with actor, timestamp, and reason; attach screenshots where helpful.
Post‑incident review: complete within 10 business days for SEV1/SEV2; capture actions into the Service Improvement backlog with owners and due dates.
Appendix A — Communications Templates
Exercises & Aftercare
- Conduct at least one annual tabletop exercise and after any SEV1/SEV2 incident.
- Track corrective actions to closure; report progress in service reviews.
Appendix B — Forensics & Evidence
Communication Templates (snippets)
- Agency heads‑up (initial ≤24h): “We are investigating a suspected security incident discovered on <date/time>. Affected systems/data: <summary>. Containment actions: <summary>. Next update: <T+48h>. Contacts: Incident Commander & Privacy Officer.”
- OPC notice (if serious harm likely): facts known/unknown, categories of data, affected individuals, containment, remediation, contact for follow‑up.
- Individuals (if required): what happened, what we’re doing, recommended actions, support channels.
Customise per Agency contract; legal review as appropriate.
Exercises & Aftercare
Evidence & Records
Records are maintained per the VGL Document & Record Control guidelines, including logs, approvals, test outputs, meeting minutes, and reports.
© Virtus Group Ltd