Ransomware Policy

1.0 Purpose 

The purpose of the Ransomware Policy (the "Policy") is to establish the goals and vision for the ransomware response process in compliance with SOC 2 and the Personal Information Protection and Electronic Documents Act ("PIPEDA"). This policy defines ransomware, the scope of application, staff roles and responsibilities, incident reporting and escalation procedures, standards and metrics to enable prioritization of the incidents, remediation measures, and communication protocols. It aims to protect the confidentiality, integrity, and availability of data and ensure a prompt and effective response to ransomware incidents. This policy will be made easily accessible to all personnel involved in data and security protection.

Voyages Encore Travel Inc. ("Encore") Information Security's intentions for publishing a Ransomware Policy are to focus significant attention on data security and data security attacks and how Encore’s established culture of openness, trust and integrity should respond to such activity. Encore's Information Security is committed to safeguarding its employees, partners, clients, consultants, contractors, and the company from illegal or damaging actions related to ransomware, aligning with SOC 2 and PIPEDA requirements.

1.1 Background

This policy mandates that any individual who suspects a possible ransomware incident or observes unusual network behaviour must immediately report the incident to Encore's Service Desk. This is outlined further in Section 8.1.

IT Management will promptly investigate reported threats and exposures to confirm the occurrence or imminent risk of ransomware. If a ransomware incident is suspected, IT will follow the established Security Incident Response Plan and escalate as necessary, including activating the Business Continuity Plan ("BCP") and engaging the Emergency Response Team. This is outlined further in Section 8.2.

Employees must refrain from discussing any ransomware incident with journalists or external parties and should seek guidance from their Manager, the Steering Committee or the Human Resources Team ("HR").

 

2.0 Scope

This policy applies to all employees of Encore.

2.1 Roles and Responsibilities

2.1.1 Employees

All Encore Employees are responsible for: 

  • Reporting suspected ransomware attacks to Encore's Service Desk.

  • Being familiar with this policy, the Business Continuity Plan ("BCP") and the Disaster Recovery Plan ("DRP").

  • Understanding their role in the event of a ransomware attack.

  • Following the designated procedures.

2.1.2 The Steering Committee:

Members of the Steering Committee are responsible for:

  • Actioning the relevant Immediate Key Action Items outlined in Section 3.1 of this policy.

  • Communicating to Encore Employees if the Ransomware Attack is confirmed, and any actions required by employees outside of what is outlined in this policy.

  • Deciding the final course of action for dealing with the bad actor.

2.1.3 Chief Technology Officer ("CTO") and Director of IT

The CTO and Director of IT are responsible for:

  • Actioning the relevant Immediate Key Action Items outlined in Section 3.1 of this policy.

  • The overall responsibility for this policy.

  • Providing strategic direction.

  • Allocating necessary IT resources needed by Encore.

  • Determining whether additional personnel are required on the Incident Response Team ("IRT").

2.1.4 The Service Desk

The Service Desk is responsible for:

  • Receiving and processing the ticket, and escalating if necessary.

  • Actioning the relevant Immediate Key Action Items outlined in Section 3.1 of this policy.

  • Providing support in recovering and restoring technological operations.

  • Offering guidance regarding necessary equipment for the recovery process.

  • Ensuring the policy is maintained and remains aligned with regulatory requirements, industry best practices, Encore's risk tolerance and recovery objectives.

  • Ensuring and enforcing compliance with this policy.

  • Conducting periodic assessments, audits and reviews to verify adherence to the policy and address any identified non-compliance.

  • Ensuring communication to clients and vendors is drafted and submitted in a timely manner, if applicable.

  • Ensuring compliance with Incident Management, BCP and DRP processes.

2.1.5 The Incident Response Team ("IRT")

The IRT is responsible for:

  • Conducting an analysis of the attack or exposure to identify the root cause, and suggesting next steps to the Steering Committee.

  • Handling the ransomware exposure.

The IRT consists of:

  • CEO

  • CTO

  • Director of IT

  • Cyber Security Analyst

  • Service Desk

  • Depending on the incident, the following members are included:

    • The affected unit or department utilizing the involved system or whose data or employee credentials may have been targeted or exposed;

    • Additional departments relevant to the data type involved; and

    • Additional individuals as determined necessary by the Director of IT.

2.1.6 Marketing Department

The Marketing Department is responsible for:

  • Receiving drafted communications (both internal and external) and ensuring that the messages follow Encore's brand and communication standards.

  • Collaborating with the Security Compliance Manager to ensure the protection of sensitive information.

 

3.0 Policy for Confirmed Ransomware Incidents

Upon identifying a ransomware attack, immediate measures must be taken to revoke all access to affected resources or data.

3.1 Immediate Key Action Items

Key action items that must be undertaken immediately following a suspected ransomware attack:

  • Securely isolating and locking down the network, including workstations.

  • Notifying the cyber security insurance provider.

  • Informing legal counsel.

  • Reporting the incident to the appropriate law enforcement agency, such as the Royal Canadian Mounted Police ("RCMP").

  • Refraining from automatically paying the ransom.

  • Deferring restoration from backup until the scope and nature of the attack are identified.

  • Attempting to disable the ransomware process, if feasible.

    • Retaining ransomware "key" files or ransom note text files on the servers/workstations for further assessment and identification of the ransomware type, facilitating potential decryption.

  • Exploring decryption options and available tools by visiting verified sources.

  • Checking offline backups to ensure they are unaffected and accessible for restoration. If unaffected, restoring one server at a time from the secure offline backup while keeping each restored server/workstation offline until the absence of any other ransomware has been confirmed.

  • As a last resort, considering payment for a decryption key from the ransomware authors, understanding the risks and acknowledging that payment does not guarantee a solution, as it can introduce additional complications or encourage further attacks. This is outlined further in Section 7.0.

    • Engaging a security provider specialized in handling ransomware attacks.

    • Initiating negotiation with the ransomware authors.

If client data is compromised, affected clients must be notified within 36 hours.

In the case of a data breach involving the theft of Private Personal Data within Canada, it must also be reported to the Privacy Commissioner of Canada in compliance with the PIPEDA. Companies must:

  • Report to the Privacy Commissioner of Canada any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals;

  • Notify affected individuals (clients) about these breaches; and

  • Maintain records of all breaches.

After identifying the root cause, corrective measures must be implemented within 30 to 90 days to mitigate future incidents.

 

4.0 Collaboration with Forensic Investigators

As per Encore's cyber insurance coverage, access to forensic investigators and experts will be provided by the insurer to determine the breach or exposure cause, types of data involved, the number of affected individuals or organizations (internal and external), and analyze the incident to establish the root cause.

 

5.0 Development of a Communication Plan

Encore's Human Resources Team and Marketing Team will collaborate to devise a communication strategy for disclosing the breach to:

  1. Internal employees, 

  2. The public, 

  3. Clients, and 

  4. Individuals directly affected.

This is further outlined in the Disaster Recovery Plan Policy.

 

6.0 Enforcement 

Any personnel found to be in violation of this policy may be subject to disciplinary action, including termination of employment for Encore employees. Third-party partner companies found in violation may have their network connection terminated.

 

7.0 Ransom Payment Considerations

While acknowledging that paying a ransom may, in certain circumstances, be the only viable option for data recovery, it is essential to carefully evaluate the risks and benefits associated with such a decision.

When considering the payment of a ransom, the following factors should be taken into account:

7.1 Risk Assessment

A thorough risk assessment must be conducted to assess the potential consequences of paying the ransom. This assessment includes an evaluation of the reliability and trustworthiness of the attackers, as well as the likelihood of receiving a valid decryption key and successfully recovering the encrypted data.

7.2 Legal and Regulatory Compliance

Encore must ensure that paying a ransom aligns with legal and regulatory obligations, including any laws or regulations that prohibit or restrict ransom payments. Additionally, compliance with reporting requirements, such as notifying law enforcement or regulatory authorities, is required.

7.3 Financial Implications

The financial implications of paying a ransom must be carefully evaluated. This includes considering the cost-effectiveness of paying the ransom compared to the potential financial losses resulting from prolonged system downtime, data loss, reputational damage, and potential legal or regulatory penalties.

7.4 Encouraging Further Attacks

Paying a ransom can inadvertently encourage further ransomware attacks. Attackers may perceive a successful payment as a signal that their tactics are effective, leading to increased targeting of Encore or similar entities. This factor must be taken into consideration when deciding for or against paying the ransom.

7.5 Alternative Options

As outlined in Section 3.1, exploring alternative options for data recovery must be a priority before considering ransom payment. This includes assessing the feasibility of restoring data from offline backups, utilizing available decryption tools, or engaging with specialized security providers to explore other potential solutions.

The decision to pay a ransom must be made in consultation with appropriate stakeholders, including legal counsel, the Steering Committee, IT Management, and relevant security professionals. Documentation of the decision-making process and rationale must be maintained for future reference and compliance purposes.

 

8.0 Identifying and Responding to Security Incidents

8.1 Incident Identification

All personnel must be vigilant in identifying and promptly reporting any suspected or confirmed security incidents to the IT Help Desk. Examples of security incidents include, but are not limited to, unauthorized access attempts, system intrusions, data breaches, malware infections, and suspicious network activities. Incident identification mechanisms, such as security monitoring tools and employee reporting channels, have been implemented and maintained to facilitate timely detection.

8.2 Incident Response

Upon identification of a security incident, the IRT outlined in Section 2.1.5 must be immediately notified and Incident Response must be activated. The team will promptly assess the incident, contain its impact, and initiate appropriate response actions. Incident response procedures must be well-documented, regularly tested, and updated to address evolving threats and vulnerabilities. The response must follow a coordinated approach, involving the Steering Committee, IT Management, Compliance, Human Resources, Marketing, and other relevant departments, to ensure efficient incident containment, evidence preservation, and mitigation of potential risks.

 

9.0 Protecting the Privacy of Personal Information

Encore maintains and follows a Privacy Policy, which further defines the following:

9.1 Personal Information Handling

Encore recognizes the importance of protecting personal information in compliance with PIPEDA. Personal information refers to any information about an identifiable individual. All personal information collected, processed, stored, or transmitted by Encore must be handled in accordance with applicable privacy laws and regulations.

9.2 Consent and Purpose Limitation

Personal information is collected, used, and disclosed only with the individual's knowledge and consent, except where permitted or required by law. The purpose for which personal information is collected is identified, and such information must not be used or disclosed for other purposes without obtaining additional consent, unless authorized or required by law. 

9.3 Safeguards and Security Measures

Appropriate technical, physical, and administrative safeguards have been implemented to protect personal information against unauthorized access, disclosure, alteration, or destruction. Security measures include, but are not limited to, access controls, encryption, regular vulnerability assessments, system monitoring, incident response plans, and employee awareness and training.

9.4 Third-Party Handling of Personal Information

Personal information is shared with third-party service providers or partners only after appropriate contractual arrangements are put in place to ensure compliance with privacy and security obligations. Due diligence is conducted to assess the third party's privacy practices and security measures before sharing personal information.

 

10.0 Employee Training and Awareness

10.1 Security and Privacy Awareness Training

All employees receive annual security training to ensure their understanding of security risks, privacy obligations, and their roles and responsibilities in safeguarding sensitive information. Training programs cover topics such as identifying and reporting security incidents, handling personal information, phishing awareness, password management, secure remote work practices, and compliance with relevant policies and regulations.

10.2 Incident Response Training

Employees with incident response roles or responsibilities receive specialized training to ensure their readiness to effectively respond to security incidents. This training includes incident identification, containment, evidence handling, communication protocols, and legal and regulatory requirements for incident reporting.

10.3 Ongoing Education and Awareness

Encore promotes a culture of continuous learning and awareness by providing regular updates, newsletters, and educational resources on security and privacy best practices. Employees are encouraged to stay informed about emerging threats, industry trends, and updates to security and privacy policies.

10.4 Compliance Acknowledgment

Employees acknowledge their understanding of security and privacy policies and their commitment to comply with applicable regulations and internal controls. Annual Policy Attestation is in place to ensure ongoing compliance and accountability.

Regular assessments and evaluations of employee training effectiveness are conducted to identify areas for improvement and ensure the continuous enhancement of the organization's security and privacy posture.

 

11.0 Definitions

“Business Continuity Planning” (BCP) – means planning for keeping business operations running, perhaps in another location or using alternative tools and processes, following a disruption.

“Employee” – means all salaried and hourly paid Employees including the Steering Committee, Contractors, Consultants, Temporaries, Interns, Agents and other workers at Voyages Encore Travel Inc., including all personnel affiliated with third parties. Can be referred to by the pronoun ‘their’, ‘they’ or ‘them’.

“Encore” – for the purpose of this policy, refers to Voyages Encore Travel Inc. and Encore Travel Americas.

“Encryption” – means the process of converting information or data into a code, especially to prevent unauthorized access. Encrypting data is the most effective way to achieve data security. To read an encrypted file, the user must have access to a secret key or password that enables the decryption. Unencrypted data is called plain text.

“Hacker” – means a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle within a computerized system by non-standard means.

“Human Resources (HR) Team” – for the purposes of this policy, means the HR Coordinator and the Head of Human Resources.

“Information Resource” – means the data and information assets of an organization, department, or unit.

“IT Department” (IT) – for the purposes of this Policy, means the Head of Data, Security and Technology; and the Manager of IT Security and Infrastructure.

“Personal Health Information” (PHI) – means identifying information about an individual if the information relates to the physical or mental health of the individual, including information that consists of the health history of the individual's family.

“Personally Identifiable Information” (PII) – means information that, when used alone or with other relevant data, can identify an individual.

“Protected Data” – see PII and PHI.

“Plain Text” – means unencrypted data.

“Safeguards” – means countermeasures or controls put in place to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Safeguards help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.

“Sensitive Data” – means data that is encrypted or in plain text and contains PII or PHI data. See PII and PHI above.

“Steering Committee” – means the Chief Executive Officer; Chief Technology Officer; Head of Data, Security and Technology; Head of Human Resources; Head of Product; Head of Commercial Strategy; Head of Operations and Technology; and Financial Controller.

“Their”, “They” or “Them” – means the person or entity previously referred to.

 

 

All rights reserved to Voyages Encore Travel Inc. | Confidential Document | Agency purposes ONLY
