INFORMATION SECURITY INCIDENT POLICY – last reviewed June 2026, due for review June 2027
1 Purpose
This document defines an Information Security Incident and the procedure to report an incident. Louth Town Council believes all incidents are preventable, and this policy is in place to prevent and minimise the risk of damage to the integrity and security of Council data and information, and outlines how the Council will assist in the recovery process.
2 Scope
2.1 This document applies to all Councillors, Committees, Working Groups, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who have access to Information Systems or information used for Louth Town Council purposes.
2.2 It is also the responsibility of all parties identified above to ensure that all policies and procedures dealing with the integrity and security of information and data are followed.
3 Definition
3.1 An information security incident occurs when data or information is transferred or is at risk of being transferred to somebody who is not entitled to receive it, or data is at risk from corruption. An information security incident is any event that threatens or compromises the confidentiality (where an unauthorised individual may gain access to sensitive or private data), integrity (where unauthorised modification, deletion or destruction of information occurs) or availability (where disruptions prevent authorised users from accessing critical systems or data) of an organisation's information or computer systems. These events can be intentional (e.g. a cyber attack) or accidental (e.g. human error) and can include near misses (any fact or event that has happened, or may have happened, but where no compromise occurs) and suspected incidents (a situation where initial information is sparse and it is perhaps uncertain whether an actual incident has taken place, but a compromise of confidentiality, integrity and/or availability is suspected).
3.2 A Security Incident differs from an event. An event is any observable occurrence in a system, which only becomes an incident when that event threatens business operations or breaches security policy.
4 An Information Security Incident includes:
• The loss or theft of data or information
• The transfer of data or information to those who are not entitled to receive that information
• Attempts (either failed or successful) to gain unauthorised access to data or information storage or a computer system
• Changes to information or data or system hardware, firmware, or software characteristics without the council’s knowledge, instruction, or consent
• Unwanted disruption or denial of service to a system
• The unauthorised use of a system for the processing or storage of data by any person.
5 When to report
5.1 All events that result in the actual or potential loss of data, breaches of confidentiality, unauthorised access or changes to systems should be reported as soon as they happen.
6 Action on becoming aware of the incident
6.1 Follow the information security procedure, according to the type of incident.
7 How to report
7.1 The Data Control Officer (the Town Clerk) must be contacted by email or in writing using the prescribed form. They will log the incident and forward it on to the relevant departments.
7.2 The Data Control Officer will require you to supply further information, the nature of which will depend upon the nature of the incident. However, the following information must be supplied:
• Contact name and number of person reporting the incident
• The type of data or information involved
• Whether the loss of the data puts any person or other data at risk
• Location of the incident
• Inventory numbers of any equipment affected
• Date and time the security incident occurred
• Location of data or equipment affected
• Type and circumstances of the incident.
7.3 Your line manager must also be informed to enable them to investigate and confirm that the details represent a valid security incident as defined above. The outcomes of these actions are to be reported to the Data Control Officer for inclusion in the incident details for investigation.
8 What to Report
8.1 All Information Security Incidents must be reported.
9 Examples of Information Security / Misuse Incident Protocols
9.1 Information Security Incidents are not limited to this list, which contains examples of some of the most common incidents.
9.2 Malicious Incident
• Computer infected by a Virus or other malware, (for example spyware or adware)
• An unauthorised person changing data
• Receiving and forwarding chain letters – including virus warnings, scam warnings and other emails which encourage the recipient to forward them on to others.
• Social engineering – Unknown people asking for information which could gain them access to council data (e.g. a password or details of a third party).
• Unauthorised disclosure of information electronically, in paper form or verbally.
• Falsification of records; inappropriate destruction of records
• Denial of Service, for example an attack resulting in the website being taken offline.
• Damage or interruption to Louth Town Council equipment or services caused deliberately e.g. computer vandalism
• Connecting non-council equipment to the council network
• Unauthorised Information access or use
• Giving information to someone who should not have access to it – verbally, in writing or electronically
• Printing or copying confidential information and not storing it correctly or confidentially.
9.3 Access Violation
• Disclosure of logins to unauthorised people
• Disclosure of passwords to unauthorised people e.g. writing down your password and leaving it on display
• Accessing systems using someone else’s authorisation e.g. someone else’s user id and password
• Inappropriately sharing security devices such as access tokens
• Other compromise of user identity e.g. access to network or specific system by unauthorised person
• Allowing unauthorised physical access to secure premises e.g. server room, scanning facility, department area.
9.4 Environmental
• Loss of integrity of the data within systems and transferred between systems
• Damage caused by natural disasters e.g. fire, burst pipes, lightning etc.
• Deterioration of paper records
• Deterioration of backup tapes
• Introduction of unauthorised or untested software
• Information leakage due to software errors.
9.5 Inappropriate use
• Accessing inappropriate material on the internet
• Sending inappropriate emails
• Personal use of services and equipment in work time
• Using unlicensed Software
• Misuse of facilities, e.g. phoning premium line numbers.
9.6 Theft / loss Incident
• Theft / loss of data – written or electronically held
• Theft / loss of any Louth Town Council equipment including computers, monitors, mobile phones, memory sticks, CDs or external hard drives.
9.7 Accidental Incident
• Sending an email containing sensitive information to ‘all staff’ by mistake
• Receiving unsolicited mail of an offensive nature, e.g. containing pornographic, obscene, racist, sexist, grossly offensive or violent material
• Receiving unsolicited mail which requires you to enter personal data.
9.8 Miskeying
• Receiving unauthorised information
• Sending information to wrong recipient.
10 Containment and Recovery
10.1 The Data Control Officer will first determine if the breach is still occurring. If so, together with a member from the Council’s chosen IT support company (forming the Response Team), the appropriate steps will be taken immediately to minimise the breach.
10.2 The role of the Council’s chosen IT support company is to provide technical support and advice where required. Responsibility for determining whether a breach is reportable, making notifications to the ICO, affected individuals, insurers or other third parties, and approving any formal response would remain with the Council.
10.3 The initial assessment will be made by the Response Team to establish the severity of the breach and whether there is anything that can be done to recover any losses and limit the damage of the breach. That group will also establish who may need to be notified as part of the initial containment and will inform the Chairman of the Council and, where appropriate, the police.
11 Investigation and Risk Assessment
11.1 An investigation will be undertaken as soon as reasonably possible, but, generally, within 24hrs of the breach being discovered or reported.
11.2 The investigation will focus on the cause of the breach, the risks associated with it, and will consider:
• The type of personal data involved
• Its sensitivity
• The protections in place (e.g. encryption)
• What happened to the data, whether it has been lost or stolen
• Whether the data can be put to any illegal or inappropriate use
• The affected individuals, and the potential adverse consequences to them (including how serious/substantial these consequences could be and the likelihood of occurrence)
• Whether there are wider consequences to the breach
• Other relevant considerations
12 Notification
12.1 The Response Team will determine who needs to be notified about the breach. Every incident will be assessed in regard to notification on a case-by-case basis, including consideration of the following:
• Are there any legal/contractual notification requirements?
• Will notification assist the individuals affected, can they take actions in relation to the information to mitigate risks
• Will notification help prevent the unauthorised or unlawful use of personal data
• Will notification help the Town Council to meet its obligations under data protection law
• If many individuals are affected or the consequences are very serious, does the ICO need to be notified
12.2 If the Response Team discovers a personal data security breach that poses a risk to the rights and freedoms of an individual, it will report it to the ICO within 72hrs of discovery.
12.3 Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. To the extent feasible, specific and clear advice will be given on what they can do to protect themselves, including what actions have already been taken to mitigate the risks. Individuals will also be provided with contact details allowing them to contact Louth Town Council for further information or to ask questions about what has occurred.
12.4 The Response Team must also consider notifying third parties such as the police, insurers, banks, etc. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future. The Response Team must also consider whether it is appropriate to issue communications to other interested parties.
12.5 All actions will be recorded by the Town Clerk.
13 Evaluation and Response
13.1 Once the initial incident is contained, the Response Team will carry out a full review of the causes of the breach, the effectiveness of the response and whether any changes to systems, policies or procedures are required.
13.2 Existing controls will be reviewed to determine their adequacy and whether any corrective actions should be taken to minimise the risks of similar incidents occurring.
The review will consider:
• Where and how personal data is held, stored and secured
• Where the biggest risks lie, including any further potential weak points within the existing systems or data protection framework
• Whether methods of transmission are secure and compliant with the principle of data minimisation (only sharing the minimum amount of data necessary)
• Identifying weak points within existing security measures
• Staff awareness and training
• Implementing a personal data breach plan and identifying individuals or functions responsible for reacting to reported breaches of security
13.3 Any report recommending changes to systems, policies and procedures relating to personal data protection will be considered and approved, as appropriate, by the Council.
14 Escalation
14.1 Serious incidents will be escalated via the national WARP scheme if determined to be of national value.