Incident Management Policy and Procedures
1. Purpose
This document defines the policy and establishes the procedure for the identification, remediation, analysis, and prevention of security incidents relating to compromise or breach of protected information and related systems at Nemu Inc.
2. Scope
This policy applies to security incidents affecting all Nemu Inc-owned and customer-owned information assets, managed facilities, networks, systems, and technology assets that store, process, or transmit information within the scope of the Information Security Management System (ISMS).
3. Policy
It is the policy of Nemu Inc that security incidents are defined, and that ongoing monitoring for and detection of security incidents leads to swift identification, containment, and resolution. Our goal is always to protect the confidentiality, integrity, and availability of all information within the scope of the ISMS, as well as the systems and processes that store, process, and transmit that information.
4. Responsibilities (A.16.1.1)
Roles and responsibilities for incident management are as follows.
- The Senior Security Lead is responsible for:
  - maintaining and assuring that the incident management process is faithfully followed;
  - ensuring that appropriate logs and records are maintained;
  - ensuring that company management is notified and remains informed;
  - ensuring that law enforcement or regulatory agencies are notified and informed as required;
  - timely resolution of individual incidents;
  - collection of incident information and evidence to support ongoing continuous improvement and risk reduction.
- Incident Managers are assigned to manage their assigned incidents from the point of identification through resolution.
- Employees and system users are responsible for:
  - identifying and reporting security incidents immediately upon detection;
  - supporting remediation, analysis, and prevention measures that affect them directly or indirectly, under the leadership of the Incident Manager.
- Adherence to this policy is a requirement of employment at Nemu Inc.
- Awareness training for this policy is provided through the Security Awareness Training program.
5. Procedures
5.1. Identifying & Reporting Information Security Events and Weaknesses (A.16.1.2, A.16.1.3)
Employees and contractors must remain alert to potential information security events and weaknesses and report them immediately to the Senior Security Lead.
An information security incident is any event that threatens the confidentiality, integrity, or availability (CIA) of in-scope information.
Examples of Security Events
- Unauthorized access or system compromise granting access to protected data
- Accidental data exposure, such as sending unencrypted PII or engaging with phishing content
- Loss or theft of information or a company device
- Intentional misuse, such as credential sharing
- Unauthorized physical entry to office/data center locations
- Hardware failure affecting CIA
- Software failures impacting CIA or business continuity
Examples of Weaknesses to Report
- Credential sharing or lack of MFA enforcement
- Unlocked containers storing confidential data
5.2. Assessment of & Decision on Information Security Events (A.16.1.4)
Upon receiving a report, the Senior Security Lead will:
- Record the event in the Security Incident Log:
  - Time/date
  - Reporter name
  - Description
  - Affected systems/processes
- Evaluate the event to determine if it qualifies as a security incident based on CIA risk.
- If classified as a security incident:
  - Take immediate remedial action (with control leads as necessary)
  - Assign an Incident Manager to own investigation and root-cause analysis
  - Notify law enforcement if appropriate and approved by management
  - Notify company leadership and customers if externally impactful
- If not classified as a security incident:
  - Implement corrective action to eliminate or minimize the weakness
- All decisions and actions are logged in the Security Incident Log.
6. Response to Information Security Incidents (A.16.1.5, A.16.1.7)
Once confirmed as a security incident, the Incident Manager is responsible for full remediation and closure.
Required Response Actions
- Gather evidence promptly from relevant sources
- Maintain evidence chain-of-custody and integrity
- Record interviews and testimony from affected personnel
- Conduct forensic analysis as applicable
- Document the full event timeline and actions taken
- Ensure preventive and corrective controls are implemented
- Verify effectiveness of implemented actions
- Close incident formally in the Security Incident Log
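The evidence-integrity and chain-of-custody requirements listed above, as an added worked example that is not part of Nemu Inc's policy or tooling: a minimal hash-chained custody log in Python. Each entry records the SHA-256 of the evidence item together with the hash of the previous entry, so later modification of either the evidence or the log itself is detectable. The evidence identifiers, handler names, timestamps, and the sample log line are constructed for the example and are assumptions, not records from any real incident.

```python
"""
Added example (not Nemu Inc's code): a hash-chained chain-of-custody log
for incident evidence. Every custody entry commits to the SHA-256 of the
evidence item and to the hash of the previous entry.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash recorded by the first entry in a chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash of an entry's fields (excluding its own entry_hash) in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class CustodyLog:
    """Append-only custody log; each entry links to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, evidence_id: str, data: bytes, handler: str, action: str,
               when: Optional[datetime] = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "evidence_id": evidence_id,
            "sha256": sha256_hex(data),   # integrity of the evidence item itself
            "handler": handler,
            "action": action,             # e.g. collected, transferred, analysed
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": prev,            # link to the previous custody entry
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[dict]) -> Tuple[bool, int]:
    """Return (True, count) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev_hash"] != prev or e["entry_hash"] != entry_digest(e):
            return False, i
        prev = e["entry_hash"]
    return True, len(entries)


def verify_evidence(entry: dict, data: bytes) -> bool:
    """Check that an evidence item still matches the hash recorded at collection."""
    return sha256_hex(data) == entry["sha256"]


# Constructed sample evidence (assumed, not real): in practice these are files or images.
EVIDENCE: Dict[str, bytes] = {
    "auth.log": b"Jan 10 02:14:07 host sshd[4211]: Failed password for root "
                b"from 203.0.113.5 port 52144 ssh2\n",
    "memory.dmp": bytes(range(256)) * 4,
}


def build_demo_log() -> CustodyLog:
    """Collect two items, then hand one to a second handler (hypothetical names/times)."""
    t0 = datetime(2025, 1, 10, 3, 0, tzinfo=timezone.utc)
    log = CustodyLog()
    log.record("auth.log", EVIDENCE["auth.log"], "a.analyst", "collected", t0)
    log.record("memory.dmp", EVIDENCE["memory.dmp"], "a.analyst", "collected", t0)
    log.record("auth.log", EVIDENCE["auth.log"], "b.forensics", "transferred", t0.replace(hour=4))
    return log


def tampered_log_is_detected() -> bool:
    """Silently rewriting a past entry (here, its handler) breaks the hash chain."""
    log = build_demo_log()
    log.entries[1]["handler"] = "someone.else"
    ok, _ = verify_chain(log.entries)
    return not ok


if __name__ == "__main__":
    demo = build_demo_log()
    print("chain valid:", verify_chain(demo.entries))
    print("auth.log intact:", verify_evidence(demo.entries[0], EVIDENCE["auth.log"]))
    print("tamper detected:", tampered_log_is_detected())
```

The log answers two of the questions an auditor or court asks: whether the item being analysed is byte-for-byte what was collected (`verify_evidence`), and whether the custody record has been altered after the fact (`verify_chain`). To make the chain resistant to an insider who can rewrite the whole log, anchor the latest `entry_hash` somewhere the handlers cannot edit, such as a ticket comment, a signed e-mail, or a write-once store.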
7. Learning from Information Security Incidents (A.16.1.6)
The Senior Security Lead will periodically review:
- Incident types and patterns
- Frequency and impact
- Response efficiency and cost indicators (where known)
Findings are presented during Management Review Meetings, and outputs are tracked through the Corrective Action System to ensure continuous improvement within the ISMS.
8. Audit Evidence
- Example incident reports or redacted tickets.
- Screen captures of logs or alerts.
- Records of customer or stakeholder notifications.
9. Client & Third-Party Notification
Nemu Inc.'s Incident Response Plan includes a defined process for promptly notifying clients and third parties of an incident when required by legal, regulatory, or contractual obligations.
- Impacted parties are notified by the Senior Security Lead or an authorized representative.
- Notifications include:
  - A summary of the incident.
  - Steps taken to contain, mitigate, and remediate the impact.
  - Ongoing actions or any required follow-up.
- Nemu evaluates notification obligations based on contractual terms and applicable laws to ensure accurate and timely disclosure.
10. Compliance Mapping
- SOC 2: CC7.3, CC7.4
- ISO 27001:2013: A.16.1.1 to A.16.1.7
Contact: support@mynemu.com
© 2025 Nemu Inc. All rights reserved.