Incident i20140628.1
- Incident Number: i20140628.1
- Status: execution
- Incident Manager: Benedikt Heintel
- Date of incident opened: 2014-06-28
- Date of incident closed: 201Y-MM-DD
- Incident title: Data Privacy breach
History Log
- 2014-07-05: Incident i20140628.1 created
- 2014-07-05: Incident documentation private part
- 2014-07-05: Board informed about incident and asked for approval (until 2014-07-19) and execution (until 2014-08-02)
- 2014-07-10: Updated finding with link to Privacy Policy
- 2014-07-13: Board approved the Incident and the proposed preventive actions
1. Incident Response Team
- Internal Auditor
2. Incident Description
The Internal Auditor became aware that critical system admins had looked up a community member's data without a prior order from an arbitrator.
3. Containment Actions
No action was taken to contain the incident; there is no current danger of expansion in this case.
4. Root Causes
The related arbitration case a20140422.1 is under seal; further information is kept private until the seal is lifted.
5. Permanent Corrective Actions
Since no data was changed (only viewed), no corrective action applies.
6. Verify Corrective Actions
N/A
7. Preventive Actions
The Internal Auditor recommends the following preventive actions:
- Train the Critical System Administrator team in data protection
- Oblige core team members (auditable) on data privacy
- Add a data privacy test to CATS with privacy-related questions and make the repetition of the test mandatory after two years for all core team members
The Board decided to install the following preventive actions:
moves 1) that board takes steps to ensure that each CAcert team member of Support, SE, Arbitration, Infrastructure honours CAcert's Privacy Policy and proves the understanding of named policy by repeating a PP CATS Test yearly, 2) the change has to be retained in accordant policies via Arbitration and Policy group, and 3) the required CATS test is prepared under the responsibility of the Education Team
8. Approval & Closure
- Approved: 2014-07-13 in m20140713.1
- Date closed: