Security Breach Management workflow

The Security Breach Management workflow helps you manage security breach issues.

When a Security Issue is created via the Log a potential security breach workflow, this workflow starts automatically. It is an extended version of the Collibra Data Intelligence Platform packaged Issue Management workflow, tailored for your privacy and risk program.

Warning: To use this workflow, the Community Manager responsibility must be created for the New Data Issues domain.

Relevant resource roles

The workflows involve the following roles:

Resource role Tasks
The Community Manager for the New Data Issues domain in which the Security Issue is created.

Assigns an Issue Manager for the Security Issue asset.

Note 
  • If the Community Manager responsibility has not been created for the New Data Issues domain, a task is sent to the Sysadmin global role, by default, to create the responsibility.
  • To configure a role other than the Sysadmin global role for this task, use the variable "User expression is for the 'Admin' role in process" in the general workflow settings.
  • The workflow cannot continue until the Community Manager responsibility has been created.

Issue Manager

Collects and provides all necessary information by completing the workflow.

As for any resource role, the Issue Manager resource role can be assigned to a single user, a user group or both.

If the Issue Manager role is assigned to a user group, the task appears in the list of tasks for every user in the group, and any user can launch the task. When any single user accepts the role and completes the task, the task is removed from the task list for all other users.

Warning: If you assign the role of Issue Manager to a user group, and a single user rejects the task, the task is rejected for all users in the group and any individual user to whom you may have assigned the resource role.

Privacy Steward

Reviews the analysis and accepts or rejects the Security Issue asset. If the asset is accepted, the Privacy Steward then reports to the relevant stakeholders.

Privacy Steward tasks

If the Issue Manager determines that there has been a data breach, the Privacy Steward reviews the analysis and accepts or rejects the Security Issue asset.

Reject or accept? What's next?
Reject The Security Issue asset is assigned back to the Issue Manager, who has to revise the details.
Accept

The Privacy Steward receives two tasks for each stakeholder to which reporting is due:

  • A task to notify the stakeholder.
  • A task to add evidence of notification in the Security Issue asset.

When the Privacy Steward has notified all relevant stakeholders, the status of the Security Issue asset becomes Resolved, and it can be archived.

Reporting to stakeholders

The perceived level of risk to data subjects determines to whom the Privacy Steward has to report.

Perceived level of risk You must report to...
No risk
  • No one, although you might want to report to internal stakeholders, such as management.
Low to moderate
  • Internal stakeholders.
  • Supervisory authority.

High

  • Internal stakeholders.
  • Supervisory authority.
  • Data subjects.