Last updated on 1 November 2024

SECURITY INCIDENT AND BREACH HANDLING

Purpose

This policy outlines procedures for identifying, reporting, managing, and mitigating security incidents and breaches to protect Quicklend’s data, systems, and stakeholders.

1. Scope

   This policy applies to:

   • All Quicklend employees, contractors, and third-party service providers.
   • All Quicklend systems, applications, networks, and data assets.

2. Definitions

   • Security Incident: Any event that may compromise the confidentiality, integrity, or availability of Quicklend’s information or systems, such as unauthorized access, malware, or phishing.
   • Data Breach: An incident in which sensitive, protected, or confidential information is accessed, disclosed, or stolen without authorization.

3. Roles and Responsibilities

   • Incident Response Team (IRT):

     The IRT is responsible for managing security incidents and breaches. Members include representatives from:

     • IT Department
     • Legal and Compliance
     • Risk Management
     • Senior Leadership

   • Key Roles:
     • Incident Manager: Coordinates response efforts and serves as the primary point of contact.
     • IT Security Analyst: Identifies, investigates, and mitigates technical threats.
     • Compliance Officer: Ensures adherence to legal and regulatory requirements.

4. Incident and Breach Handling Procedure

   4.1. Identification
     • Monitor systems for anomalies using security tools (e.g., intrusion detection systems).
     • Encourage employees to report suspicious activities immediately to the IT Helpdesk.

   4.2. Reporting
     • Report incidents or breaches to the Incident Manager within 24 hours of discovery.
     • Use the “Incident Reporting Form” to record detailed information.

   4.3. Containment
     • Immediately isolate affected systems to prevent further damage.
     • Change access credentials and disable compromised accounts.

   4.4. Eradication
     • Identify and remove malicious code, unauthorized users, or vulnerabilities.
     • Apply patches, updates, or additional safeguards.

   4.5. Recovery
     • Restore affected systems and data from backups.
     • Conduct thorough testing to ensure systems are secure before resuming operations.

   4.6. Notification
     • Notify affected individuals, clients, or regulators as required by law (e.g., GDPR or local regulations).
     • Communications must be approved by Legal and Senior Leadership.

   4.7. Post-Incident Review
     • Conduct a detailed review within 5 business days of resolution.
     • Document lessons learned and update security controls and policies.

5. Notification Timeline

   Stakeholder          | Notification Deadline | Responsible Party
   ---------------------|-----------------------|-------------------
   Senior Management    | Within 24 hours       | Incident Manager
   Affected Customers   | Within 72 hours       | Legal & Compliance
   Regulators           | As per regulations    | Compliance Officer

6. Preventive Measures

   • Conduct regular security awareness training.
   • Perform periodic security audits and penetration tests.
   • Maintain a robust patch management program.

7. Compliance and Enforcement

   Non-compliance with this policy may result in disciplinary action, up to and including termination. Contractors or third parties may face contract termination or legal action.