
Information Security Incident Response Policy

An information security incident response policy template for identifying, escalating, containing, notifying, and reviewing security incidents. Use it to def...


Purpose

This policy establishes a consistent process for identifying, escalating, containing, notifying, documenting, and reviewing information security incidents. The goal is to reduce harm, support timely decision-making, meet legal and contractual obligations, and preserve evidence for investigation and remediation.

Scope

This policy applies to all employees, contractors, temporary workers, interns, and third parties who access company systems, networks, devices, or data. It applies to incidents involving company-owned or personal devices used for business purposes, cloud services, email, messaging platforms, removable media, and paper records containing sensitive data. **Applicable jurisdictions:** This policy applies in the United States and must be interpreted together with any state breach-notification laws, sector-specific requirements, and any non-U.S. privacy or incident reporting obligations that apply to the company.

Definitions

For purposes of this policy:

- **Information Security Incident** means any suspected or confirmed event that may compromise confidentiality, integrity, or availability.
- **Security Breach** means unauthorized access to or disclosure of protected information where notice may be required by law.
- **Containment** means immediate steps to limit further damage or exposure.
- **Escalation** means notifying the designated internal contacts based on severity and impact.
- **Good-faith report** means a report made honestly and promptly based on the employee's reasonable belief that an incident may have occurred.

Policy Statement

All personnel must promptly report suspected information security incidents as soon as they are discovered. Employees must not attempt to conceal, delete, or independently investigate an incident beyond basic containment steps authorized by IT Security or Legal. The company will assess each incident in good faith, determine severity, preserve evidence, and take appropriate containment and notification actions. Where employee data is involved, HR must coordinate with Legal and Compliance to determine whether employee notices, internal communications, or employment-related actions are required. The company will comply with mandatory cyber incident reporting requirements, applicable breach-notification laws, and contractual notification obligations. The company will also maintain accurate records of incident response actions and corrective measures.

Procedure

### 1. Identify and report

Employees must report any suspected incident immediately to the Service Desk, IT Security, or the designated incident hotline/email. Examples include phishing, malware, lost or stolen devices, unauthorized access, misdirected emails, accidental data sharing, suspicious account activity, and physical theft of records.

### 2. Initial escalation

The receiving team must log the report, assign a severity level, and notify IT Security leadership, Legal, Compliance, and HR when employee data, employee accounts, or workplace systems are involved.

### 3. Containment

IT Security may isolate devices, disable accounts, reset credentials, block traffic, quarantine files, or suspend integrations to prevent further exposure. Employees must cooperate with containment instructions and preserve affected devices, messages, and records.

### 4. Investigation and evidence preservation

The incident response team will collect relevant logs, timestamps, screenshots, access records, and witness statements as needed. Evidence must be preserved in a manner that supports legal review and potential regulatory reporting.

### 5. Notification decision

Legal and Compliance will determine whether notice is required to regulators, affected individuals, customers, business partners, insurers, or law enforcement. HR will support employee-facing communications when employee records or employee systems are affected.

### 6. Remediation and recovery

The responsible teams will restore systems, rotate credentials, patch vulnerabilities, revoke access where needed, and implement safeguards to reduce recurrence.

### 7. Post-incident review

After closure, the incident response team will complete a documented review covering root cause, timeline, impact, response effectiveness, policy gaps, and corrective actions. Action items must be assigned owners and due dates.

Roles & Responsibilities

**All Employees**

- Report suspected incidents immediately in good faith.
- Follow containment instructions and preserve evidence.
- Do not share incident details externally unless authorized.

**Managers**

- Escalate reports promptly and support employee cooperation.
- Ensure non-exempt employees accurately record time spent on incident-related work.

**IT Security**

- Triage incidents, contain threats, preserve evidence, and coordinate technical recovery.
- Maintain incident logs and technical documentation.

**HR**

- Coordinate employee communications, employee-data notifications, and workforce impacts.
- Support disciplinary review when employee misconduct or policy violations are involved.

**Legal / Compliance**

- Determine legal notice obligations, regulatory reporting, privilege strategy, and retention requirements.
- Review external communications before release.

**Leadership**

- Approve major response actions, resource allocation, and high-severity external notifications.

Compliance, Discipline, and Employment Law Considerations

Failure to report an incident promptly, intentional concealment, unauthorized disclosure of incident information, or interference with containment may result in corrective action up to and including termination, subject to applicable law.

**FLSA:** Non-exempt employees must record all time spent responding to incidents, including after-hours work, and managers must ensure overtime is approved and paid in accordance with the Fair Labor Standards Act.

**EEOC / HR:** If an incident involves employee records or workplace communications, HR must coordinate to avoid discriminatory treatment and to ensure any employee-facing actions are consistent with Title VII and other equal employment obligations.

**NLRA:** Nothing in this policy is intended to restrict protected concerted activity, including employees discussing wages, hours, or working conditions, except to the extent such activity would unlawfully disclose confidential security information or violate applicable law.

**State-specific carve-outs:**

- **California employees:** Follow any applicable California data breach, privacy, and employee notice requirements, including CCPA/CPRA obligations where applicable.
- **New York employees:** Escalate potential whistleblower-related concerns in a manner consistent with NY Labor Law Section 740.
- **Washington employees:** Coordinate leave or sick-time impacts in accordance with Washington paid sick leave rules where applicable.
- **Illinois employees:** Ensure scheduling or on-call response expectations do not conflict with the One Day Rest in Seven Act where applicable.

Review and Revision

This policy will be reviewed at least annually and after any material security incident, regulatory change, or major technology change. Revisions must be approved by HR, IT Security, Legal, and Compliance, with final approval by designated leadership. The policy holder is responsible for maintaining the current version, communicating updates, and ensuring acknowledgements are collected when required.
