Incident response plan

Introduction


The Altus Group Incident Response Plan (IRP) describes the methods and procedures in place for Altus Group to respond to incidents which could have a material impact on the operation of the business, regardless of their classification and origin.

Reflecting prevalent security standards issued by the United States National Institute of Standards and Technology (NIST), and other industry sources, Altus Group has implemented a wide variety of preventive, detective, and corrective security controls with the objective of protecting information assets.



Scope


The IRP scope includes any incident, from any source, that could have a material impact on Altus business; however, specific consideration is given to the following:

  • Major Service Incidents impacting the availability and performance of critical applications and services where extended periods of outage could damage the operational capability, reputation, ability to generate revenue and meet regulatory obligations. 

  • Cyber Security Incidents where the security of Altus Group has been or threatens to be compromised as a consequence of external or internal threat actors and/or critical vulnerabilities that present a substantial risk of exploitation.

  • Data Breach Events where data held by Altus has been misused or acquired without permission from an Altus system or process (potentially as a consequence of a Cyber Security Incident).

  • Business Continuity Events where location-specific incidents require operational recovery in the event of physical events such as natural disasters, site evacuations, pandemics, and geopolitical events.



Detection


There are several mechanisms by which an incident could be detected within the Altus Group.

  • Automated alerting through internal monitoring – we operate 24x7 service monitoring using automated alerting technology designed to detect anomalies in service performance that could be indicative of a service incident or cyber security incident  

  • Automated alerting from third party security providers – Altus has engaged industry leading solution providers for cyber security, malware, and intrusion detection across all our environments.  

  • Internally reported – Any incident should be reported by any colleague through the internal IT Service Portal  

  • Externally reported through customer support – While we endeavour to detect incidents as quickly as possible before there is impact to our clients, we have escalation procedures in place within our externally facing support teams to enable them to escalate suspected incidents that our clients report to us 

  • Externally reported via third party – While not technically considered an incident, Altus proactively engages in threat detection and monitoring with a number of agencies and sources to maintain a real-time awareness of vulnerabilities or other security risks that could present a risk to the Altus Group

  • Vendor / Supplier reported – In the event that one of our suppliers or vendors is impacted by an incident that threatens the service, stability or security of the Altus Group, we will initiate incident response procedures that are commensurate with the potential impact.



Reporting procedures  


All incidents are recorded in the Altus service / ticket management system and allocated a priority in accordance with their urgency and impact.  



Triage and prioritization  


All incidents are assessed and prioritized based on impact and assigned an Incident Priority Rating.



Crisis management  


If an ongoing Incident, regardless of its nature, is likely to have an ongoing and material impact on Altus Group as measured against operational, reputational, regulatory, or legal obligation thresholds, the Incident Response Team will escalate to the Crisis Response Team (CRT).



Planning and rehearsals  


As part of the Altus Group’s objective of continued improvement in Incident Response and ability to maintain a secure and stable environment, a comprehensive testing plan is reviewed and approved by the Executive on an annual basis with oversight provided by the Crisis Management Team. 



Post incident reviews & problem management  


Following any major incident, IT Service & Operations (in conjunction with Information Security in the event of a Cyber Security event) conducts a Post Incident Review (PIR).



Notifications 


When Altus determines that a confirmed security incident involving information processed by Altus has taken place, Altus will promptly notify impacted customers or other third parties in accordance with its contractual and regulatory responsibilities. Information about malicious attempts or suspected incidents and incident history are not shared externally.