
Security Incidents & Data Breach Management Policy and Procedure

April 14, 2025

Incident Management Plan

Introduction

This plan outlines the procedures for identifying, responding to, mitigating, and recovering from cybersecurity incidents affecting monecopote.com. The goal is to ensure the proper functioning of the platform, in compliance with the applicable laws and regulations, and to protect it from cyber threats.

Association Mon Eco Pote is committed to exercising due care and attention to (i) taking preventive measures against cyber incidents, (ii) handling them appropriately when they occur, (iii) providing information to staff and other concerned parties (users, sellers, clients, partners, contractors, suppliers, authorities) as necessary, and (iv) restoring access and operations as soon as possible.

Incident categories

Potential threats include:

DDoS Attacks – Disrupting website availability.

Malware Infections – Injecting malicious code into the platform.

Unauthorized Access – Data breaches or account takeovers.

Payment Fraud – Fake transactions affecting users.

Phishing/Social Engineering – Attacks on admins or users.

Preventive measures to be considered in this context include:

Regular security audits – Conduct periodic penetration testing.

Strong access controls – Use MFA and role-based permissions.

Data encryption – Secure sensitive information.

Web Application Firewall (WAF) – Protect against attacks.

Backup & disaster recovery – Ensure daily backups are stored securely.

Incident detection & reporting shall be done as follows:

Monitoring of the traffic and logs by an external service provider

User reporting by means of a contact form to report suspicious activities

Automated alerts for abnormal traffic or login attempts

Incident response steps

When an incident is detected, it is crucial to follow a structured approach to contain and mitigate the threat effectively. The following five-phase response process will be implemented:

1. Identification & classification (to determine whether an incident has occurred and assess its severity)

Initial detection by system monitoring and review of user reports on suspicious activities (e.g. unauthorized logins, fraudulent transactions)

Log & analyze data by gathering logs from affected systems, including access logs, error logs, and network traffic, and by identifying attack vectors (e.g., phishing, malware, SQL injection).

Classify the incident: low severity for minor security issues (e.g., failed login attempts); medium severity for incidents with potential impact (e.g., small-scale malware infection); high severity for an active threat affecting users or business operations; critical severity for major security breaches (e.g., data leak, ransomware attack)

Activate the response team by notifying the incident response lead and IT security

2. Containment (to limit the spread and damage of the incident while preserving forensic evidence)

Short-Term Actions:

Network containment (block malicious IPs or geo-restrict access if necessary; segregate affected systems from the main network)

Account containment (disable compromised user/admin accounts; enforce password resets for affected users)

Application containment (temporarily disable affected website functionalities, e.g., payment gateway or order processing; update firewall rules to block malicious traffic)

Long-Term Actions:

Secure backups (verify that recent backups are uncompromised; if necessary, shift traffic to a backup server)

Preserve evidence (make copies of affected system logs for forensic analysis; document all actions taken during containment)

3. Eradication & recovery (to remove the root cause of the incident and restore normal operations)

Eradication Steps:

Identify the attack vector (analyze logs, malware signatures, and attack patterns; determine whether human error, a system vulnerability, or an external attack was the cause)

Patch vulnerabilities (apply software updates, security patches, and configuration fixes; strengthen firewall, authentication, and API security)

Malware removal (run antivirus/malware scans on affected systems; delete or quarantine infected files)

Recovery Steps:

Restore services (reinstall affected applications if necessary; restore data from backups, ensuring no malware reinfection)

Monitor for residual threats (conduct post-recovery penetration testing; increase log monitoring for unusual behavior)

4. Communication & notification (to ensure timely and transparent communication with stakeholders)

Internal communication (inform management, IT and legal teams; conduct a status update meeting with the response team)

External communication (notify affected users; advise users to reset passwords and enable 2FA; if legally required, report breaches to data protection authorities; inform third-party vendors if their services were affected)

5. Post-incident review & lessons learned (to improve security defenses and prevent future incidents)

Actions:

Conduct an incident review (analyze logs, attack vectors, and response effectiveness; identify gaps in detection, containment, and recovery processes)

Document findings (create a detailed report including root cause analysis and response steps; recommend improvements for security policies)

Enhance security controls (update firewall rules, IDS/IPS settings, and access controls; implement additional training for staff to recognize cyber threats)

Contact & response team

Incident response lead: Gaëtan Bio

IT security contact: Gaëtan Bio

Legal & compliance contact: Gaëtan Bio