Data Protection Policy

Data Protection Policy:

Data classification and handling are essential to the safeguarding and protection of data from unauthorized disclosure, at rest or in transit. State, Federal, and regulatory compliance mandates that sensitive data is protected for Confidentiality, Integrity, and
Availability through the implementation of controls and monitoring. We protect data both in digital and hard copies by limiting access to only authorized users. Policy requirements for the destruction and handling of sensitive data must be adhered to at all times.

Rights to request data:

We support the Right of Access. Individuals may request to obtain records maintained by us on their behalf by completing the “Authorization for Release of Information” form.

Data Breach/Incident Response Plan

Incident Response:

We maintain a dedicated Incident Response team. The Incident Response team is tasked with the identification and eradication of attacks against the organization.

The Incident Response Process is comprised of the following phases (PICERL):

  • Preparation
  • Identification and Analysis
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

Preparation is a key component of effective incident response. The ISO Incident Response Service is primarily responsible for preparation activities.

Examples of these activities include:

  • Maintaining effective incident response standards, procedures, guidelines, and control requirements.
  • Maintain appropriate technical controls
  • Conducting exercises of the Incident Response Procedure to continuously improve the process.
  • Promote awareness of the Incident Response Service and all applicable standards, procedures, guidelines, and control requirements.
  • Coordinating with Ensign Services Compliance and Law departments to ensure contractual and regulatory obligations are understood and planned for.
Identification and Incident Reporting

The Security Monitoring Team is specifically charged with conducting analysis of security events, alerts, and incidents. Security Monitoring will analyze reports and escalate as necessary.

Suspected security issues can be reported to the Security Monitoring team using the following methods: Standard Business Hours (8am – 5pm PST) After Hours

Email: To report an issue via email, use the email address When reporting a security issue via email be sure to provide as much details as possible to help facilitate analysis of the issue. Email is not monitored after hours.

Phone: To report a security issue via phone you may contact 949-540-1200. A team member will be able to put the caller in touch with the current on-call member of the Security Monitoring Team.

Incident Triage
Upon notification of a security issue, the Security Monitoring team will perform triage activities attempting to determine if the reported issue is an Incident. If the reported issue appears to be an Incident, Security Monitoring will escalate the issue to the Incident Response Service Lead or Security Management seeking an official declaration of an Incident.

Incident Declaration
Once contacted, the Incident Response Lead will determine if the reported issue meets the criteria of an Incident. If it has, an Incident will be declared, and the IR Lead will designate an Incident Response Commander (IRC).

Incident Response Team Formation and Coordination
Upon notification, the Incident Response Commander (IRC) will begin formation of the Incident Response Team (IRT).

The IRC can perform or delegate the following functions based on the necessities of the Incident:

  • Identify currently involved resources.
  • Determine needed resources and begin gathering.
  • Creation of a Service Now Incident ticket if one has not already been created.
  • Determine a current Incident Severity rating based on the Severity matrix.

Incident Communication
Throughout the Incident the Incident Response Commander (IRC) will use the Communications Matrix to determine necessary communication requirements.

The IRC will establish the following:

  • How the IRT will communicate (phone, email, meetings, etc).
  • Next scheduled communications.
  • Communication needs for IRT members.
  • Communication needs for Senior and Executive Management.

Incident Analysis
Throughout the Incident, the Incident Response Commander (IRC) will coordinate investigation and analysis efforts with the Incident Response Team (IRT).

Incident Analysis will attempt to determine:

  • Root Cause. Why did the Incident occur in the first place?
  • Validation of any statements/assumptions. Can current beliefs about the incident be corroborated?
  • What portions of the organization are affected by the incident?
  • Which systems are affected by the incident?
  • What data is affected by the incident?
  • Which employees, customers, and vendors are affected be the incident?
  • Have any of the events in the Communications Matrix been met that require action?
  • Do any Incident Categorizations apply?
Do any third parties need to be engaged to assist with the investigation?

The goal of the Containment phase is to limit/stop further impact caused by the Incident. The Incident Response Commander (IRC) will coordinate with the Incident Response Team (IRT) to determine the best strategy for Incident Containment. The IRC will follow the requirements specified in the Authority Matrix for any quarantine activities.


Once contained the Incident Response Commander (IRC) will coordinate with the Incident Response Team (IRT) and the asset owner(s) to determine the best strategy for complete removal or cleanup of the affected asset(s). The IRT will also consider any needs for evidence preservation.


During the Recovery phase business operations are restored to a normal state. The Incident Response Commander (IRC) will coordinate business representatives and/or the BCP/DR Service Team to determine the recovery strategy and criteria.

Lessons Learned

The goal of the Lessons Learned phase is to review all aspects of the incident, after the urgency of an active incident has passed, to understand what can be improved on in the future.

Examples include:

  • What was the root cause of the Incident?
  • What controls could have prevented or limited the impact of the incident?
  • What processes could have been improved to more quickly or effectively responded to the Incident?
  • In the case of a materialized incident, a notification of compromise will be sent to the SEC within 4 days of materialization using SEC form 8-K (

Information Security Policies and Systems Audit:
We engage in an active Security program which is audited by an independent third party. Security policies and systems audits are performed annually at a minimum for SOX and HIPAA compliance.

Privacy and Data Security Management:
An Information Security Office has been established by our Chief Information Security Officer, with dedicated cyber security staff focusing on security monitoring, vulnerability management, incident response, risk assessments, employee training, security engineering, and management of cyber security policies, standards, and regulatory compliance.