
Security incident management at NT-ware

NT-ware has a comprehensive set of security measures in place to ensure we protect customer information and offer the most reliable and secure services we can. However, we also recognize that security incidents can still happen so it's just as important to have effective methods for handling them should they arise.

Our philosophy and approach

We consider a security incident to be any instance where there is an existing or impending negative impact to the confidentiality, integrity or availability of our customers' data, NT-ware data or NT-ware services. When we respond to security incidents, we continue to uphold our core values, i.e. focusing on putting the best processes in place so that we handle security incidents in a way that is always aligned with the best interests of our customers and ensures they continue to have an outstanding experience when using our products.

Within NT-ware, we have a defined approach for responding to security incidents affecting our services or infrastructure. Our incident response approach includes comprehensive logging and monitoring of our products and infrastructure to ensure we quickly detect potential incidents. Defined processes ensure there is clarity in what we need to do during an incident. This is managed by our IT and Operations team coordinating with relevant departments and internal subject matter specialists. We also have access to a range of external experts to assist us with investigating and responding as effectively as possible.

Incident response process

We've developed an incident response process which is robust and incorporates several features explained below.

Several avenues to detect potential incidents quickly

We have several monitoring mechanisms in place to detect failures or anomalies within the infrastructure that may be an indicator of a potential security incident. These systems alert us immediately if an activity is detected that requires further investigation. We have an aggregated log capture and analytics platform, which is monitored by the global NT-ware Operations team to ensure it is always available, to collate logs in a single location so our analysts can investigate quickly and thoroughly. In addition, we create alerts in our communication platform that notify our teams proactively.

An established framework for managing incidents quickly

To ensure our incident response process is consistent, repeatable and efficient, we have a clearly defined internal framework that covers the steps we need to take at each phase of the incident response process. We have documented playbooks that are continually updated which define in detail the steps we need to take to effectively respond to different incident types. At a high level, our response framework covers:

  • Incident detection and analysis - the steps we take following initial notifications we receive about a potential incident, including how we confirm whether a security incident has occurred (so that we minimize false positives), through to understanding the attack vectors, scope of compromise and the impact to NT-ware and its customers.

  • Incident severity categorization - once we understand what has happened through appropriate analysis, we use this information to determine the severity of the incident. We designate one of four severity levels to an incident:

    Severity   Description
    --------   -----------------------------------------
    A          Critical incident with maximum impact
    B          High incident with very high impact
    C          Medium incident with significant impact
    D          Minor incident with low impact

    We use a variety of indicators to determine the severity of an incident – these vary depending on the product involved but will include consideration of whether there is a total service outage (and the number of customers affected), whether core functionality is broken and whether there has been any data loss.

  • Containment, eradication and recovery - taking into consideration the incident severity, we then determine and implement the steps necessary to contain the incident, eradicate the underlying causes and start our recovery processes to ensure we return to business-as-usual as quickly as possible. Naturally, the steps taken in this phase will vary significantly depending on the nature of the incident. If it will benefit our customers, or as required by our legal or contractual obligations, NT-ware will also communicate with its customers about the incident and its potential impacts for them during this phase of the incident response process.

  • Notification - we aim to notify any customer without undue delay if their data is involved in a confirmed incident or a breach. This might be light on detail at first, but we'll provide every detail available as soon as it is available.

  • A robust post-incident review process - once every incident is resolved, we look at what lessons can be learnt from it. These lessons inform the development of technical solutions, process improvements and the introduction of additional best practices so that we can continue to provide the best experience for our customers and make another malicious act even harder to succeed next time.

Clearly defined roles and responsibilities

Every incident we experience is managed by our Chief Information Security Officer (CISO) and security team members. The most appropriate person, depending on time zone and availability, takes the lead and typically makes security-related decisions, oversees the response process and allocates tasks internally to facilitate our response process.

Access to external experts where required

Sometimes, we may need a helping hand from an external expert to assist us with investigating an incident. We retain the services of specialist cyber security consultants and forensic experts for instances where we may require further in-depth forensic analysis or forensic holds for e-discovery in support of litigation.

Tools used to manage security incidents

To aid in the support and management of security incidents we heavily utilize various software platforms, among other communication tools and systems, which include:

  • Confluence – we use Confluence to collaboratively create, document and update our incident response processes in a central location to ensure those processes are disseminated to all staff and can be quickly updated in response to lessons learnt based on past incidents. We also use Confluence to document our plays and hunts.
  • Jira Software – we use Jira to create tickets both for the initial investigation of suspected incidents and to facilitate and track our response process if our initial investigations confirm an incident has taken place. These tickets help us to aggregate information regarding an incident, develop resolutions and perform other logistical work (such as delegating tasks as part of the response process and reaching out to other teams within the company where necessary).
  • Microsoft Teams - we have dedicated teams and channels that can come together quickly in Microsoft Teams to begin working on an incident. Our status and alerting system can trigger notifications directly into Teams channels. All NT-ware Operations and DevOps members have both PC and mobile access to this platform, and we publish alternate communication paths internally in case our primary system is unavailable.
