Other requirements

Contingency policy

To meet expectations of continued access to IT services in case of a disaster, KMD has a comprehensive contingency plan in the form of a tested disaster recovery plan.

The general principle of the plan is as follows:

  • KMD will be able to restore IT operations in one of the data centers that are not affected by the disaster and restore facilities for continued maintenance and servicing.

  • IT services will be restored in order of priority.

  • In a disaster situation, KMD will inform customers of the time schedule and any progress made.

Security and GDPR Incidents

Handling of Security incidents and GDPR incidents is described in detail in KMD’s process repository.

The purpose of KMD’s Security incident and GDPR incident process is to respond to security incidents, assess their scope and risk, respond appropriately to the specific incident, communicate results and risk to relevant stakeholders, and reduce the probability that similar incidents occur again.

Security incidents covered by “Security incident and GDPR incident process” are:

  • All GDPR incidents – only applicable to Customers within Europe.

  • All Information Security Incidents, often abbreviated to Security Incidents.

For each step in the Security Incident and GDPR incident process, inputs and outputs are well defined, and there are templates for the outputs, so that the process is optimized for fast execution with an eye to deadlines.

The process starts with reporting to the Security Incident Helpdesk, after which the case is assigned to a Security Incident Manager who works with incident information, root cause analysis and customer information.

Incident information ensures a comprehensive and necessary overview of the security incident and of which data has been compromised.

The Root Cause Analysis aims to gather information about the root cause of the incident to ensure that it is contained and does not happen again.

Customer notification is intended to notify the data owner without unnecessary hesitation and with an eye to deadlines.

The Security Incident Manager follows the case to the end and ensures compliance with the process as well as a focus on prompt execution.

Before closing the incident, a review of the process is carried out in order to evaluate and optimize the process as well as pick up any derived actions.

For security incidents and GDPR incidents that affect other companies or customers, relevant parties are also informed, and the communication is included in Service Reporting for affected customers.

All employees are trained in information security and the process for handling Security incidents and GDPR incidents to ensure that it is carried out as smoothly and efficiently as possible.

KMD has security principles for CIA (confidentiality, integrity, availability), which apply to all aspects of information security.

Within the agreed Support hours, reporting of Security Incidents and GDPR Incidents must be done to Customer Support.

Outside the agreed Support hours, incidents are reported to KMD’s Security Incident Helpdesk, which is open 24/7/365:

• +45 4460 6800

• helpdesk@kmd.dk

In both cases, reporting takes place by telephone with subsequent submission of documentation by email.

When the security incident is resolved, the Customer is informed without undue delay.