Nexly Corporation - Incident Response & Breach Notification Policy
1. Introduction & Purpose
This Incident Response & Breach Notification Policy (the "Policy") outlines the procedures and guidelines for Nexly Corporation ("Nexly" or the "Company") to identify, respond to, and recover from security incidents, including data breaches. Located at 701 South Street Suite 100, Mountain Home, AR 72653, Nexly recognizes the importance of being prepared to address security incidents promptly and effectively to minimize damage, protect its assets, and maintain the trust of its customers and stakeholders. This Policy is designed to:
- Minimize Damage: Reduce the impact of security incidents on business operations, data, and reputation.
- Protect Confidentiality, Integrity, and Availability (CIA): Safeguard the confidentiality, integrity, and availability of Company data and systems.
- Ensure Compliance: Comply with all applicable laws, regulations, and industry standards related to data breach notification and incident response.
- Contain and Eradicate Threats: Quickly contain and eradicate security threats.
- Recover Systems and Data: Restore affected systems and data to normal operation as quickly as possible.
- Notify Stakeholders: Notify appropriate stakeholders, including affected individuals, customers, and regulatory agencies, as required by law.
- Prevent Future Incidents: Learn from security incidents to prevent future occurrences.
- Establish Clear Responsibilities: Define the roles and responsibilities of all Nexly employees, contractors, and other individuals involved in incident response.
This Policy applies to all Nexly employees, contractors, vendors, and other individuals and entities with access to Company systems or data (collectively, "Users"). This Policy is to be read in conjunction with other Company policies, including, but not limited to, the Information Security Policy, the Data Privacy Policy, the Acceptable Use Policy, the Password & Authentication Policy, and the Mobile Device & BYOD Policy.
2. Definitions
For the purposes of this Policy, the following definitions apply:
- Security Incident: Any event that compromises, or has the potential to compromise, the confidentiality, integrity, or availability of Company data or systems. This includes, but is not limited to:
- Data Breaches.
- Malware Infections (e.g., viruses, ransomware).
- Unauthorized Access.
- Denial-of-Service (DoS) Attacks.
- System Failures.
- Loss or Theft of Devices Containing Company Data.
- Phishing Attempts.
- Account Compromises.
- Data Breach: A security incident that involves the unauthorized access, use, disclosure, modification, or destruction of protected data, including personal information.
- Protected Data: Any information that is protected by law or regulation, or that the Company has designated as confidential. This may include, but is not limited to, Personally Identifiable Information (PII), financial data, health information, trade secrets, and other sensitive business information.
- Incident Response Team (IRT): A designated team responsible for managing security incidents.
- Containment: The process of limiting the scope and impact of a security incident.
- Eradication: The process of removing the cause of a security incident and preventing its recurrence.
- Recovery: The process of restoring affected systems and data to normal operation.
- Notification: The process of informing affected individuals, regulatory agencies, and other stakeholders about a data breach or security incident.
- Chain of Custody: A procedure to document and secure evidence related to an incident.
3. Roles & Responsibilities
Effective incident response requires clearly defined roles and responsibilities.
- 3.1. Board of Directors:
- Oversees the Company's incident response and data breach notification program.
- Approves this Policy and reviews its effectiveness.
- Receives reports on significant security incidents and data breaches.
- 3.2. Chief Executive Officer (CEO):
- Provides overall leadership and direction for the Company's incident response and data breach notification program.
- Ensures that the Company's Incident Response Plan is implemented and followed.
- Approves communications to external stakeholders regarding security incidents and data breaches.
- 3.3. Incident Response Team (IRT): Led by the Chief Information Security Officer (CISO) (or equivalent) and including representatives from IT, Legal, Human Resources, and other relevant departments.
- Leadership: Leads and coordinates the incident response process.
- Incident Response Plan: Develops and maintains the Company's Incident Response Plan.
- Detection: Monitors security alerts, events, and reports of potential security incidents.
- Initial Assessment: Conducts an initial assessment of security incidents.
- Containment: Takes steps to contain the incident.
- Investigation: Investigates security incidents to determine the cause, scope, and impact.
- Eradication: Takes steps to eradicate the threat.
- Recovery: Restores affected systems and data.
- Notification: Provides appropriate notifications to affected individuals, regulatory agencies, and other stakeholders.
- Post-Incident Review: Conducts post-incident reviews to identify lessons learned and improve the incident response process.
- 3.4. Chief Information Security Officer (CISO) or equivalent:
- Leads the Incident Response Team (IRT).
- Oversees the implementation of the Incident Response Plan.
- Coordinates the Company's response to security incidents.
- 3.5. Legal Counsel:
- Provides legal advice and guidance on incident response and data breach notification matters.
- Determines the Company's legal obligations regarding data breach notification.
- Coordinates communications with regulatory agencies.
- Reviews and approves all communications related to security incidents and data breaches.
- 3.6. Human Resources Department:
- Assists with employee-related aspects of incident response.
- Provides support to affected employees.
- Manages any disciplinary action related to security incidents.
- 3.7. IT Department:
- Provides technical support for incident response, including system analysis, data recovery, and forensic investigations.
- Implements technical controls to contain and eradicate security threats.
- 3.8. All Employees:
- Report any suspected security incidents immediately to the IT Department or their supervisor.
- Cooperate fully with the Company's incident response efforts.
- Follow all security guidelines and best practices.
- Secure their work areas and devices.
4. Incident Response Plan
Nexly Corporation will maintain a comprehensive Incident Response Plan that outlines the procedures for responding to security incidents. The Incident Response Plan will be reviewed and updated regularly. The Incident Response Plan encompasses the following stages:
- 4.1. Preparation:
- Plan Development: Maintain a written Incident Response Plan, including current contact lists and escalation paths.
- Team Training: Train IRT members on their roles and on current incident-handling practices.
- Communication Channels: Establish primary and out-of-band communication channels for use during an incident, in case normal channels are unavailable or compromised.
- Testing: Test the plan regularly, for example through tabletop exercises.
- 4.2. Detection and Analysis:
- Monitoring: Nexly uses a combination of automated tools and manual processes to detect potential security incidents. This includes:
- Security Information and Event Management (SIEM) System: Using a SIEM system to collect and analyze security logs and alerts.
- Intrusion Detection and Prevention Systems (IDS/IPS): Employing IDS/IPS to detect and prevent malicious activity.
- Vulnerability Scanning: Conducting regular vulnerability scans to identify weaknesses in our systems.
- User Reporting: Encouraging employees to report any suspected security incidents.
- Initial Assessment: When a potential security incident is detected, the Incident Response Team (IRT) will conduct an initial assessment to determine:
- The nature of the incident.
- The scope and severity of the incident.
- The potential impact on Company data and systems.
- The priority of the incident.
- 4.3. Containment:
- Containment Strategies: Implement containment measures to limit the scope and impact of the incident. The specific containment measures will depend on the nature of the incident, but may include:
- Isolating affected systems or networks.
- Disabling compromised accounts.
- Blocking malicious traffic.
- Resetting passwords and revoking active sessions and keys for affected accounts.
- Evidence Preservation: Preserve evidence of the incident (logs, disk and memory images, network captures) before containment actions alter it. Document the chain of custody, including cryptographic hashes of collected artifacts and a record of every hand-off.
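The following is an added illustration of the evidence preservation and chain-of-custody requirement above; it is example code, not part of Nexly's policy or Incident Response Plan. It hashes each collected artifact with SHA-256, writes a custody manifest, refuses a hand-off if the artifact no longer matches its recorded hash, and verifies integrity on demand. The file names, analyst identifiers, and the evidence contents are constructed for the example.

```python
"""Evidence preservation helper (added example): hash evidence files and
keep a custody log so every hand-off can be verified later."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(evidence_path, manifest_path, collector, note=""):
    """Write the first custody entry: who collected what, when, and its hash."""
    entry = {
        "file": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "size": os.path.getsize(evidence_path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "custody": [],
    }
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return entry["sha256"]


def transfer(manifest_path, from_person, to_person, evidence_path):
    """Append a hand-off to the custody log; refuse if the hash no longer matches."""
    with open(manifest_path) as f:
        m = json.load(f)
    current = sha256_file(evidence_path)
    if current != m["sha256"]:
        raise ValueError("evidence hash mismatch; refusing transfer")
    m["custody"].append({
        "from": from_person,
        "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(),
        "sha256_verified": current,
    })
    with open(manifest_path, "w") as f:
        json.dump(m, f, indent=2)
    return len(m["custody"])


def verify(manifest_path, evidence_path):
    """True if the artifact still matches the hash recorded at collection time."""
    with open(manifest_path) as f:
        m = json.load(f)
    return sha256_file(evidence_path) == m["sha256"]


def demo():
    """Constructed scenario: a fake memory image is collected, handed off,
    verified, then modified to show that verification catches the change.
    Returns (intact_before_tampering, intact_after_tampering)."""
    with tempfile.TemporaryDirectory() as workdir:
        ev = os.path.join(workdir, "host01-memory.raw")          # assumed name
        man = os.path.join(workdir, "host01-memory.custody.json")
        with open(ev, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE EVIDENCE " * 1024)      # constructed data
        collect(ev, man, "analyst.a", "acquired from host01 during containment")
        transfer(man, "analyst.a", "analyst.b", ev)
        intact = verify(man, ev)
        with open(ev, "ab") as f:      # simulate tampering after the hand-off
            f.write(b"x")
        tampered = verify(man, ev)
        return intact, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself should be stored separately from the evidence (and ideally signed or written to append-only storage) so that an attacker who can modify an artifact cannot also rewrite its recorded hash.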
- 4.4. Eradication:
- Eradication Activities: Implement eradication measures to remove the cause of the incident and to prevent its recurrence. The specific eradication measures will depend on the nature of the incident, but may include:
- Removing malware.
- Patching vulnerabilities.
- Rebuilding compromised systems.
- Rotating all credentials that may have been exposed, including service account passwords and API keys.
- Forensic Analysis: Conduct forensic analysis to determine the root cause of the incident and to identify any data that may have been compromised.
- 4.5. Recovery:
- Restoration: Restore affected systems and data to normal operation, using validated backups where appropriate.
- Testing: Test all systems to ensure they are operational and secure.
- 4.6. Post-Incident Activity:
- Documentation: Document the incident response process, including the findings, actions taken, and lessons learned.
- Review and Improvement: Conduct a post-incident review to identify areas for improvement in the incident response process.
- Update Policies: Update Company policies, procedures, and security controls as needed to prevent future incidents.
- Reporting: Report the incident to internal and external parties as follows:
- Internal Notification: Notify appropriate internal stakeholders.
- External Notification (If Required): Provide any required notifications to affected individuals, regulatory agencies, and other stakeholders.
5. Data Breach Notification Procedures
In the event of a data breach, Nexly Corporation will comply with all applicable data breach notification laws and regulations.
- 5.1. Determining a Data Breach: The Incident Response Team (IRT), in consultation with Legal Counsel, will determine whether a security incident constitutes a data breach. A data breach is defined as a security incident that involves the unauthorized access, use, disclosure, modification, or destruction of protected data, including personal information.
- 5.2. Notification Obligations: If a data breach occurs, Nexly will notify:
- Affected Individuals: Notify affected individuals, as required by law, of the data breach, including the nature of the breach, the types of data involved, the steps the Company is taking to address the breach, and contact information for the Company's data privacy officer.
- Regulatory Agencies: Notify the appropriate regulatory agencies, such as the relevant state Attorney General's office or other regulators with jurisdiction over the data involved, as required by law.
- Other Stakeholders: Notify other stakeholders, such as customers, business partners, or the media, as appropriate.
- 5.3. Notification Timing: Notifications will be made in a timely manner, in accordance with the deadlines specified by applicable laws and regulations.
- 5.4. Notification Method and Content: Notifications will be delivered by methods that satisfy applicable legal requirements and will contain the information those requirements specify.
6. Post-Incident Activities
Following a security incident, Nexly Corporation will take the following steps:
- 6.1. Review and Analysis: Conduct a thorough review of the incident, including its root cause and the effectiveness of the response.
- 6.2. Corrective Actions: Implement and track corrective actions to prevent recurrence.
- 6.3. Incident Report: Prepare a written incident report covering the timeline, findings, actions taken, and lessons learned.
- 6.4. Policy Updates: Update the Information Security Policy and related policies and controls as needed.
7. Training and Awareness
Nexly Corporation will provide training and awareness programs to ensure that employees are prepared to respond to security incidents.
- 7.1. Incident Response Training: Train employees to recognize and report suspected security incidents.
- 7.2. Policy Training: Train all employees on this Policy.
- 7.3. Phishing Awareness: Provide regular phishing awareness training.
8. Policy Review & Amendments
This Incident Response & Breach Notification Policy will be reviewed and updated regularly to ensure its continued effectiveness.
- Review Frequency: This Policy will be reviewed at least [Specify Frequency, e.g., annually] or more frequently as needed, such as in response to changes in the threat landscape, the Company's business operations, or the regulatory environment.
- Review Process: The review process will involve:
- Input from Stakeholders: Seeking input from relevant stakeholders, including the Incident Response Team (IRT), Legal Counsel, the Information Security Department, and other key personnel.
- Best Practices Review: Examining industry best practices and evolving risks.
- Legal Compliance: Ensuring compliance with all applicable laws and regulations.
- Performance Assessment: Reviewing the results of past incidents.
- Policy Amendments and Communication: Any amendments to this Policy will be approved by [Specify Approving Authority, e.g., the Board of Directors or the Executive Leadership Team] and communicated to all relevant employees through [Specify Communication Channels, e.g., company-wide email, intranet posting, training sessions]. All employees are responsible for being aware of and adhering to any changes.
- Policy Ownership: The Information Security Department is responsible for maintaining and updating this Policy.
**Acknowledgement:** By engaging in any activity on behalf of Nexly Corporation, all employees, contractors, and other authorized individuals are deemed to acknowledge that they have read, understood, and agree to abide by the terms and conditions outlined in this Incident Response & Breach Notification Policy.