This Incident Response Plan exists to ensure that we consistently handle information security events in an effective and efficient manner.
Scope #
This policy offers guidance for employees, contractors, and consultants of Nested Knowledge who believe they have discovered or are responding to a security incident.
Affected Systems #
This policy applies to all computer and communication systems owned or operated by Nested Knowledge and its subsidiaries. Systems include company shared drives and software applications, as well as the Nested Knowledge application itself.
Incident Response Plan #
The incident response (IR) team will consist of the following personnel:
- Karl Holub, CTO; lead
- Kevin Kallmes, CEO; investigator
- Kathryn Cowie, COO; investigator
- Other incident responders may be assigned as needed.
Risk Register #
The Nested Knowledge Incident Response Team will maintain a list of security threats and vulnerabilities, classified by likelihood and consequence.
| Asset | Threat/Vulnerability | Existing Controls | Likelihood | Consequence | Level of Risk |
|---|---|---|---|---|---|
| Work Devices | Malicious applications/processes; unprotected data | Mobile device management software; malware/anti-virus protection on employee devices; security training | Possible | Major | High |
| Cloud Applications | Theft or leakage of sensitive information | Cloud Security Policy | Possible | Major | High |
| NK Application | Injection, privilege escalation, leaks, untrustworthy dependencies | Runtime environment restrictions, mandated code review, dependency locking, developer education, penetration testing | Possible | Major | High |
| NK Cloud Infrastructure | Compromised access to servers and database, through brute force or leaks | Network Isolation, key-based authentication, regular off-site backups | Possible | Major | High |
ii) Incident Reporting #
Detection and Reporting #
When an incident is detected, Nested Knowledge personnel should behave as if they were reporting a crime and include specific details about what they have discovered.
Nested Knowledge has prepared an incident response form for use while investigating an incident. Nested Knowledge employees and contractors will be provided with access to the form and instructed to use it for all suspected incidents. The IR team will monitor responses and react immediately upon receipt. In addition to submitting details via the form, Nested Knowledge personnel must contact the IR team through email or the instant messaging platform and receive a confirmatory response.
Reporting a Data Breach #
For breaches likely to result in a risk to users or employees, Nested Knowledge will notify a supervisory authority within 72 hours with:
- categories of data and the number of data subjects affected
- our DPO’s contact information
- likely consequences of the breach
- measures proposed and taken to address the breach
Reporting Scams to Authorities #
If the level of risk is high, we may report scams, phishing attempts, and other cyber incidents to:
- The FBI’s Internet Crime Complaint Center
- The FTC
- Forward emails to reportphishing@apwg.org.
- Forward texts to SPAM (7726)
Internal Issues #
Issues where the malicious actor is an internal employee, contractor, vendor, or partner require sensitive handling. Employees will contact the IR team, who will action the issue as with any incident, while ensuring the concerned personnel are not involved.
iii) Incident Categorization #
We categorize incidents by severity and scope of control.
Severity #
Low-Medium Severity #
Issues at this severity are simply suspicions or odd behaviors. They are not verified and require further investigation. There is no clear indicator that systems are at tangible risk, and they do not require an emergency response. Examples include suspicious emails, outages, and strange activity on a laptop.
High Severity #
High severity issues relate to problems where active exploitation hasn’t been proven but is likely to happen. These include vulnerabilities with direct risk of exploitation, threats with risk of adversarial persistence on our systems (e.g. backdoors, malware), malicious access to business data (e.g. passwords, vulnerability data, payment information), or threats that put any individual at risk of physical harm.
High severity issues should be communicated to the IR team as prescribed by the Incident Reporting policy.
Critical Severity #
Critical issues relate to actively exploited risks and involve a malicious actor. Critical severity issues should be communicated to the IR team as prescribed by the Incident Reporting policy, and IR response should be immediate.
iv) Coordinating a Response #
We will primarily use Instant Messaging and video conferencing to coordinate response to cyber security events. If an issue prevents use of these modes, phone numbers, email and other details on individuals and our key suppliers can be found in Key Contacts.
v) Incident Response #
For critical issues, the incident response team will follow an iterative response process designed to investigate, contain exploitation, remediate our vulnerability, and document a post-mortem with the impact and lessons of the incident.
- Observe/Orient
  - The technical lead and investigators will collect relevant data. Contextual information, such as asset information, company plans, and external/open-source intelligence, may be used to help understand the landscape.
- Decide
  - The operations lead will record decisions and justifications for the selected course of action.
  - The technical lead and CEO will determine if a lawyer should be included, at which point attorney-client privilege between responders will begin.
- Act
  - The technical lead, with support from other personnel, acts on the decisions made in the previous stage to further the investigation or remedy the situation.
  - Updates or a meeting will occur at regular intervals until the incident is resolved.
- Review
  - Post-incident reviews are conducted without blame or finger-pointing to encourage open and honest participation so that lessons can be learned and improvements identified. Failing to create the right open, safe environment may cause participants to withhold information crucial to preventing events from occurring again.
- Recover
  - Business as usual will be restored as soon as feasible. For more details on recovery, please see the Business Continuity Policy.
  - If relevant, impacted third parties (customers, suppliers) will be contacted with details.
Data Sources #
The technical lead and investigators are responsible for capturing and collating data that support the investigation of a security incident. Data and logs should be sourced from the data sources relevant to the investigation.
Potential Data Sources Relevant to Incident Response #
- Account activity
- IT Assets
- Software configuration (authorized software packages)
- Web logs and potentially similar host logs to Account activity
- Information storage (document management systems and databases)
- Financial systems
- Cloud service-specific logs
- Local system activity
Mitigation Process due to Information Loss #
Data lost or stolen must be taken into account, in compliance with the aforementioned state and federal laws.
- Affected persons and government authorities will be notified of any loss of PII.
- The incident will be analyzed, and action will be taken if evidence of transgressions by an employee is found. The legal team must assess the repercussions of the loss and will provide an official statement to management regarding the potential compensation losses to be incurred.
Key Contacts #
| Name | Function | Contact |
|---|---|---|
| Kevin Kallmes | CEO – critical decisions, public relations | kevinkallmes@supedit.com |
| Karl Holub | CTO – technical lead | karl.holub@nested-knowledge.com |
| Kathryn Cowie | COO – coordination, documenting response and decisions | kathryn.cowie@nested-knowledge.com |
| John Fallone | Lawyer – legal assistance | john@fallonesv.com |
Revision History #
| Author | Date of Revision/Review | Comments |
|---|---|---|
| K. Holub | 12/12/2025 | Reviewed; revised to reflect current practices |
| K. Cowie | 10/15/2024 | Revised. |
| K. Kallmes | 11/19/2021 | Draft approved |
| K. Holub | 03/11/2024 | Review and updates |