
Does your organisation have a documented Incident Response Plan?

We adopt a 5-stage approach to handling any incidents:

  • Preparation

  • Detection

  • Triage and analysis

  • Containment and neutralisation

  • Post-incident learning

This includes recording incidents in our Events, Incidents and Weaknesses Register.
We have documented Application Incident Response Procedures and a Business Continuity Plan.
Where an incident impacts personal data, we also follow a documented Data Breach Reporting Procedure.

We aim to fix any production issues within the following time span:

P1 - 4 hours

P2 - 24 hours

P3 - 48 hours

P4 - prioritised accordingly on backlog

More information: https://commonplace.atlassian.net/l/cp/BpNQjYy1


How does your service report any outages?

Via email and where possible / relevant via a banner on the platform.

More information: https://commonplace.atlassian.net/l/cp/DPDdno0n

Does your organisation offer technical support and incident response for its customers?

Customers can get in touch with Commonplace Support via email or phone between the hours of 8.00am and 6.00pm Monday to Friday (excl. UK public holidays) by emailing customers@commonplace.is. Outside of these hours, typing “urgent” in the subject line of your email will alert teams to a major issue outside of normal hours, and so should only be used for platform or business critical issues.

We work to a 99.90% uptime target and consistently over-achieve it.

More information: https://commonplace.atlassian.net/l/cp/3VDbCHtp

Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)?

Yes, a copy of our cyber and data insurance certificate is available on request from customers@commonplace.is.

More information: https://commonplace.atlassian.net/l/cp/kc6eokqv

Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses?

We log every data breach or suspected data breach. We track the date, severity and resolution.

Upon becoming aware of a security incident, an assessment must be made to understand whether a data breach has occurred and, if so, to what extent. The assessment is broken into two stages: triage and investigation. The purpose is to ensure that appropriate mechanisms are in place to identify when a data breach has occurred, using a proportionate amount of resource. The objectives of this procedure are:

  • To identify if a data breach has occurred

  • To identify the nature of the breach (from where it originated and if malicious, erroneous, etc)

  • To identify the outcome of the breach (what has happened to the data - temporary/permanent loss, erroneous transmission to a trusted supplier, theft, accidental/malicious change)

  • To identify the categories of data subject affected by the breach (clients, employees, etc)

  • To identify the number of data subjects likely to be affected by the breach

  • To identify the categories of data affected by the breach

  • To identify if the data is likely to be used in a manner that could be detrimental to data subjects (risks to rights and freedoms)

  • To identify the classification of Commonplace in relation to the affected data (Controller or Processor)

  • To identify if a data breach needs to be reported to the ICO, Data Controllers or Data Subjects.

We also have a guidance document as part of our Information Security Management System.

More information: https://commonplace.atlassian.net/l/cp/3w860NLJ


Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner?

Upon becoming aware of a security incident, an assessment must be made to understand whether a data breach has occurred and, if so, to what extent. The assessment is broken into two stages: triage and investigation. The purpose is to ensure that appropriate mechanisms are in place to identify when a data breach has occurred, using a proportionate amount of resource. The objectives of this procedure are:

  • To identify if a data breach has occurred

  • To identify the nature of the breach (from where it originated and if malicious, erroneous, etc)

  • To identify the outcome of the breach (what has happened to the data - temporary/permanent loss, erroneous transmission to a trusted supplier, theft, accidental/malicious change)

  • To identify the categories of data subject affected by the breach (clients, employees, etc)

  • To identify the number of data subjects likely to be affected by the breach

  • To identify the categories of data affected by the breach

  • To identify if the data is likely to be used in a manner that could be detrimental to data subjects (risks to rights and freedoms)

  • To identify the classification of Commonplace in relation to the affected data (Controller or Processor)

  • To identify if a data breach needs to be reported to the ICO, Data Controllers or Data Subjects.

We also have a guidance document as part of our Information Security Management System.

More information: https://commonplace.atlassian.net/l/cp/HA42vqEX


Does your organisation conduct a root cause analysis for all information security incidents that are reported?

Yes. We adopt a 5-stage approach to handling any incidents:

  • Preparation

  • Detection

  • Triage and analysis

  • Containment and neutralisation

  • Post-incident learning (which includes root cause analysis)

More information: https://commonplace.atlassian.net/l/cp/12mFdQM3


Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster?

Yes, a copy of the Business Continuity Plan is available upon request from customers@commonplace.is.

More information: https://commonplace.atlassian.net/l/cp/ZJmw59S2