Security & Compliance Policy

Incident Response Policy

HIPAA + CIS v8Dunder Mifflin

Control mapping: HIPAA §164.308(a)(6); CIS Control 17 (Incident Response)

Detecting, reporting, and responding to security incidents and breaches.

Purpose

This policy establishes how Dunder Mifflin detects, reports, responds to, and recovers from security incidents, including suspected breaches of ePHI.

Policy

  • A documented incident-response plan defines roles, severity levels, and escalation paths, and is reviewed at least annually.
  • All workforce members must report suspected security incidents immediately through the designated channel.
  • Incidents are triaged, contained, eradicated, and recovered following the response plan, with all actions documented.
  • Suspected breaches of unsecured ePHI are assessed for notification obligations under the HIPAA Breach Notification Rule; required notifications to individuals, HHS, and others are made within mandated timeframes.
  • A post-incident review captures root cause and lessons learned, and improvements are tracked to completion.

Reporting

Security incidents should be reported to the Security Official and to Methodology IT's service desk without delay. Early reporting limits harm and is never penalized.

Enforcement & Exceptions

Compliance with this policy is mandatory. Violations may result in disciplinary action up to and including termination of employment or contracts, and may carry civil or criminal liability.

Any exception must be requested in writing, justified by a documented business need, risk-assessed, and approved by the Security Official before it takes effect. Approved exceptions are reviewed at least annually.