
Security incident management at NT-ware

NT-ware has a comprehensive set of security measures in place to ensure we protect customer information and offer the most reliable and secure services we can. However, we also recognize that security incidents can still happen so it's just as important to have effective methods for handling them should they arise.

Incident response process

Our incident response process is designed to be robust and is built around the features explained below.

Several avenues to detect potential incidents quickly

We have several monitoring mechanisms in place to detect failures or anomalies within the infrastructure that may indicate a potential security incident. These systems alert us immediately when an activity is detected that requires further investigation. Logs are collated in a single location on an aggregated log capture and analytics platform, so that our analysts can investigate quickly and thoroughly; the global NT-ware Operations team monitors that platform to ensure it is always available. In addition, alerts are raised in our communication platform so that our teams are notified proactively.

An established framework for managing incidents quickly

To ensure our incident response process is consistent, repeatable and efficient, we have a clearly defined internal framework that covers the steps we take at each phase of the incident response process. We maintain documented playbooks, which are continually updated, that define in detail the steps needed to respond effectively to different incident types. At a high level, our response framework covers:

  • Incident detection and analysis - the steps we take after receiving an initial notification about a potential incident, including how we confirm whether a security incident has actually occurred (so that we minimize false positives), through to understanding the attack vectors, the scope of compromise and the impact on NT-ware and its customers.

  • Incident severity categorization - once we understand what has happened through appropriate analysis, we use this information to determine the severity of the incident. We assign one of four severity levels to an incident:

    Severity   Description
    A          Critical incident with maximum impact
    B          High incident with very high impact
    C          Medium incident with significant impact
    D          Minor incident with low impact

    We use a variety of indicators to determine the severity of an incident – these vary depending on the product involved but will include consideration of whether there is a total service outage (and the number of customers affected), whether core functionality is broken and whether there has been any data loss.

  • Containment, eradication and recovery - taking into consideration the incident severity, we then determine and implement the steps necessary to contain the incident, eradicate the underlying causes and start our recovery processes to ensure we return to business-as-usual as quickly as possible. Naturally, the steps taken in this phase will vary significantly depending on the nature of the incident. If it will benefit our customers, or as required by our legal or contractual obligations, NT-ware will also communicate with its customers about the incident and its potential impacts for them during this phase of the incident response process.

  • Notification - in the event of an incident, we follow precise notification procedures, including procedures intended to ensure that our customers are notified without undue delay if their data is involved in a confirmed incident or in a breach that may result in a high risk to individuals. The notification timeline starts from NT-ware's confirmation and verification of the incident. Notifications include a description of the breach, its nature, impact and consequences; contact details through which more information can be obtained; and a description of the measures taken, or proposed to be taken, to mitigate possible adverse effects.

    An initial communication may not yet contain all the facts. Where that is the case, every communication will state the next steps and a timeline for the subsequent update.

    Communication from NT-ware will be sent by email from an @nt-ware.com address, or from our exclusive Canon distributor in the affected region. We will publish and link to incidents on our public NT-ware Support Confluence page so that recipients can verify and validate the communication they receive.

    Should a customer become aware of an issue or incident that could impact NT-ware cloud services, the customer is responsible for promptly reporting it via the established support channels.

  • A robust post-incident review process - once an incident is resolved, we examine what lessons can be learnt from it. Those lessons inform the development of technical solutions, process improvements and the introduction of additional best practices, so that we continue to provide the best experience for our customers and make a repeat of the same attack harder to achieve.

Clearly defined roles and responsibilities

Every incident we experience is managed by our Chief Information Security Officer (CISO) together with members of the security team. The most appropriate person, depending on time zone and availability, takes the lead: that person typically makes security-related decisions, oversees the response process and allocates tasks internally to drive the response.

Access to external experts where required

Sometimes, we may need a helping hand from an external expert to assist us with investigating an incident. We retain the services of specialist cyber security consultants and forensic experts for instances where we may require further in-depth forensic analysis or forensic holds for e-discovery in support of litigation.

Tools used to manage security incidents

To support the management of security incidents we make heavy use of several software platforms, alongside other communication tools and systems, including:

  • Confluence – we use Confluence to collaboratively create, document and update our incident response processes in a central location, so that those processes are disseminated to all staff and can be updated quickly in response to lessons learnt from past incidents. We also use Confluence to document our playbooks and threat hunts.
  • Jira Software – we use Jira to create tickets both for the initial investigation of suspected incidents and, if that investigation confirms an incident has taken place, to facilitate and track our response. These tickets help us aggregate information about an incident, develop resolutions and perform other logistical work (such as delegating tasks as part of the response and reaching out to other teams within the company where necessary).
  • Microsoft Teams – we have dedicated teams and channels in Microsoft Teams that can come together quickly to begin working on an incident. Our status and alerting system can trigger notifications directly into Teams channels. All NT-ware Operations and DevOps members have both PC and mobile access to this platform, and we publish alternate communication paths internally in case our primary system is unavailable.


NT-ware security advisories, products and services

Regardless of the incident type, communication is critical. This needs to be clear, accessible and validated at all times. As part of our incident management process, NT-ware will raise a ‘Security Advisory,’ which will be used for all public incident disclosure. The email communication you receive from NT-ware regarding an incident should include a link to the respective security advisory.
