Versions Compared

Version Old Version 10 New Version Current
Changes made by

Roxy Sanchez

Benjy Meyer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Expand
title Does your organisation have a documented Incident Response Plan?

Does your organisation have a documented Incident Response Plan?

We adopt a 5-stage approach to handling any incidents:

  • Preparation

  • Detection

  • Triage and analysis

  • Containment and neutralisation

  • Post-incident learning

This includes recording of incidents in our Events, Incidents and Weaknesses Register.
We have documented Application Incident Response Procedures and a Business Continuity Plan.
Where an incident impacts on personal data, we also utilise a documented Data Breach Reporting Procedure.

We aim to fix any production issues within the following time span:

P1 - 4 hours

P2 - 24 hours

P3 - 48 hours

P4 - prioritised accordingly on backlog

More information: https://commonplace.atlassian.net/l/cp/BpNQjYy1

Expand
titleHow does your service report any outages?

How does your service report any outages?

Via email and where possible / relevant via a banner on the platform.

More information: https://commonplace.atlassian.net/l/cp/DPDdno0n

Does your organisation offer technical support and incident response for its customers?

Customers can get in touch with Commonplace Support vie email or phone between the hours of 8.00am and 6.00pm Monday to Friday (excl UK public holidays) by emailing customers@commonplace.is. Outside of these hours, typing “urgent” in the subject line of your email will alert teams of a major issue outside of normal hours and so should only be used for platform or business critical issues.
Expand
titleDoes your organisation offer technical support and incident response for its customers?

We work to 99.90% uptime targets and consistently over-achieve this target.

More information: https://commonplace.atlassian.net/l/cp/3VDbCHtp

Expand
title Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)?

Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)?

Yes, a copy of our cyber and data insurance certificate is available on request from customers@commonplace.is.

More information: https://commonplace.atlassian.net/l/cp/kc6eokqv

We log every data breach or suspected data breach. We track the date, severity and resolution.

Upon becoming aware of a security incident an assessment must be made to understand if a data breach has occurred, and if so to what extent. The assessment is broken up into 2 stages: triage and investigation. The purpose of this is to ensure that appropriate mechanisms are in place to identify when a data breach has occurred with a proportional amount of resource. The objectives of this procedure are:

  • To identify if a data breach has occurred

    • To identify the nature of the breach (from where it originated and if malicious, erroneous, etc)
    Expand
    Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses?
    titleDoes your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses?

  • To identify the outcome of the breach (what has happened to the data - temporary/permanent loss, erroneous transmission to a trusted supplier, theft, accidental/malicious change)

  • To identify the categories of data subject affected by the breach (clients, employees, etc)

  • To identify the number of data subjects likely to be affected by the breach

  • To identify the categories of data affected by the breach

  • To identify if the data is likely to be used in a manner that could be detrimental to data subjects (risks to rights and freedoms)

  • To identify the classification of Commonplace in relation to the affected data (Controller or Processor)

  • To identify if a data breach needs to be reported to the ICO, Data Controllers or Data Subjects.

    • We also have a guidance document as part of our Information Security Management System.

    More information: https://commonplace.atlassian.net/l/cp/3w860NLJ

    Upon becoming aware of a security incident an assessment must be made to understand if a data breach has occurred, and if so to what extent. The assessment is broken up into 2 stages: triage and investigation. The purpose of this is to ensure that appropriate mechanisms are in place to identify when a data breach has occurred with a proportional amount of resource. The objectives of this procedure are:

  • To identify if a data breach has occurred

  • To identify the nature of the breach (from where it originated and if malicious, erroneous, etc)

  • To identify the outcome of the breach (what has happened to the data - temporary/permanent loss, erroneous transmission to a trusted supplier, theft, accidental/malicious change)

  • To identify the categories of data subject affected by the breach (clients, employees, etc)

  • To identify the number of data subjects likely to be affected by the breach

  • To identify the categories of data affected by the breach

  • To identify if the data is likely to be used in a manner that could be detrimental to data subjects (risks to rights and freedoms)

  • To identify the classification of Commonplace in relation to the affected data (Controller or Processor)

    • To identify if a data breach needs to be reported to the ICO, Data Controllers or Data Subjects.
    Expand
    Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner?
    title Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner?

    We also have a guidance document as part of our Information Security Management System.

    More information: https://commonplace.atlassian.net/l/cp/HA42vqEX

    Does your organisation conduct a root cause analysis for all information security incidents that are reported?

    Yes. We adopt a 5-stage approach to handling any incidents:

  • Preparation

  • Detection

  • Triage and analysis

    • Containment and neutralisation
    Expand
    title Does your organisation conduct a root cause analysis for all information security incidents that are reported?

  • Post-incident learning (which includes root cause analysis)

    • More information: https://commonplace.atlassian.net/l/cp/12mFdQM3

    Expand
    titleDoes your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster?

    Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster?

    Yes, a copy of the Business Continuity Plan is available upon request from customers@commonplace.ishttps://commonplace.atlassian.net/l/cp/ZJmw59S2