Incident Management Policy
Purpose
This policy defines how OMNI GAME LABS PTE. LTD. detects, responds to, manages, and recovers from security incidents and potential data breaches. It ensures compliance with the Personal Data Protection Act 2012 (PDPA) (including mandatory notification obligations), protects personal data and business operations, and supports continuous improvement. The policy follows simplified guidance from NIST SP 800-61r3 (Incident Response Recommendations for Cybersecurity Risk Management) and PDPC's Guide on Managing and Notifying Data Breaches.
Scope
Applies to all employees, contractors, temporary staff, and any systems or data under company control (including any limited U.S. user data accessed under contracts).
Incident — Any event that may compromise the confidentiality, integrity, or availability of information (e.g., unauthorized access, malware, phishing compromise, data leak, system outage, lost device).
Data Breach — An incident involving unauthorized access, collection, use, disclosure, copying, modification, or disposal of personal data.
All Staff / Contractors — Report suspected incidents immediately (within 1 hour) to the DPO via email/phone/Slack/etc.
Data Protection Officer (DPO) / Incident Coordinator — [zack.hammer/Operations Lead]
Email: [admin@igrush.com]
Leads response, assesses notifiability, coordinates notifications, maintains logs, conducts post-incident review.
Management — Approves major actions, reviews high-severity incidents.
IT/Technical Lead — Handles technical containment and recovery.
Preparation
Basic annual training for all staff (PDPA basics, phishing recognition, reporting).
Maintain emergency contacts (DPO, management, cloud provider support, external IT help if used).
Test backups quarterly.
Enable simple monitoring (e.g., email/cloud alerts, antivirus notifications).
Detection & Reporting
Sources: Alerts, staff reports, logs, customer complaints, unusual activity.
Report to DPO immediately upon suspicion.
DPO starts triage within 2 hours of report.
Analysis & Classification
DPO assesses quickly:
Confirm incident occurred?
Involves personal data?
Meets PDPA notifiable criteria? (Likely significant harm to individuals OR affects >500 individuals / special categories of data).
Severity levels: Low / Medium / High / Critical (based on data sensitivity, scope, potential harm, U.S. data involvement).
Assessment completed expeditiously (target: 24–72 hours; max ~30 days per PDPC guidance).
Containment, Eradication & Recovery
Short-term containment — Isolate affected accounts/systems (e.g., disable login, disconnect network, change passwords).
Eradication — Remove threat (e.g., delete malware, patch vulnerabilities, reset credentials).
Recovery — Restore from clean backups, monitor for recurrence, resume normal operations gradually.
Document each step (who, what, when, outcome).
Notification
Internal — Escalate to management and relevant staff immediately.
PDPC — If notifiable, notify via PDPC online portal within 3 calendar days after assessment completion. Include: description, date discovered, data types, actions taken, remediation plan.
Affected Individuals — Notify (same time or after PDPC) if significant harm likely (e.g., identity theft risk). Use email/SMS/letter; include what happened, data affected, mitigation steps (e.g., change passwords).
Contractual Partners (e.g., TikTok USDS) — Report any potential U.S. user data impact per contract SLA (usually 24–72 hours).
Other — Police if criminal activity suspected.
Post-Incident Review
Root cause analysis (simple 5-Whys or timeline).
Document lessons learned and improvements (e.g., add MFA, update training).
Update policy/tools/controls as needed.
High-severity incidents reviewed by management.
Documentation & Incident Log
Maintain a simple log (Google Sheet / Excel) for all incidents. Retain logs for at least 12 months.
Annual policy review (or after major incident).
Conduct simple tabletop exercise yearly (e.g., simulate phishing breach).
This policy supports rapid, compliant response while remaining lightweight for a small team. For TikTok USDS or similar reviews, emphasize quick PDPC/contractual notifications and no unnecessary data retention.