App security incident management
What is a security incident?
Any actual or suspected unauthorized access, acquisition, use, disclosure, modification or destruction of end user data
A security compromise of our app
Any issue that materially degrades monday.com systems or networks
What is end user data?
Any information, personal data, content, code, video, images or other materials of any type provided (or otherwise made available) to us from an end user is considered end user data.
We've had a security incident with one of our apps – what happens next?
In the event of a security incident with a Marketplace app, the following steps outline what happens next:
1. Investigate the incident
Identify the root cause of the incident, for example by examining logs, access records and the relevant code.
Confirm whether any end user data might have been compromised.
Determine how long the security issue has been present (the earliest evidence of exploitation, not only when it was noticed).
Determine which users of the app were affected and all information that was or may have been compromised.
Consider engaging external help, such as an incident response partner or security consultant, to assist with this process.
2. Notify monday.com
Promptly notify monday.com about the incident and provide the information outlined below (to the extent the information is available) by emailing appsupport@monday.com.
We aim to provide monday.com with answers to the following questions. If we don't yet have all of this information, we will provide what we currently have and send updates as more information becomes available.
Question | Details |
---|---|
What is the category of security incident that has occurred (e.g., exploited vulnerability, malicious attacker, cross-tenant data leakage) and what is its scope? | Information about the type of incident that has occurred, how long it has been present, and the extent to which customers or end users may have been impacted. |
Could the security incident have had any impact on end user data? If so, will those end users be notified in accordance with any applicable laws or contractual agreements? | End user data includes names of end users, company names, physical or email addresses, phone numbers or any other information or data we have collected from end users. If end user data has been impacted, also provide information on the likely number of customers impacted. |
What type of data was included in the data breach? | If data was breached or leaked, list the types of data included. This can include data other than end user data. |
What is the expected timeframe for resolving the incident? | Our estimate of how long it will take to resolve the incident and the reasons for the timeframe provided. |
What measures have been taken so far, or do we plan to take, to contain the incident? | Describe what action was (or will be) taken to contain the security incident, and in particular to prevent further exposure or loss of end user data. |
What is the plan for communicating with end users regarding this incident? | Describe any communications we have already made or plan to make to end users regarding the incident. |
Has the underlying issue / cause of the incident been identified? If so, please provide details. | Describe the results of any investigations that have been undertaken to identify the underlying issue(s) / root causes of the security incident. |
What remedial actions have been taken to remove the root cause of the incident and prevent similar incidents occurring in future? | Describe the remedial or corrective actions – both in terms of technical and organisational controls – to prevent similar incidents happening in the future. |
What are the contact details for the appropriate person to contact on this issue should monday.com wish to communicate further? | Provide email address and phone number at minimum. |
3. Contain the incident
Contain the incident as rapidly as possible to prevent further impact on customers, including the potential loss of end user data. Containment typically includes revoking or rotating any credentials, tokens or keys the attacker may have obtained.
This may require deciding to temporarily restrict end users' access to the app. For example, we may request that the app be delisted from the Marketplace while remedial action is being implemented.
Keep in contact with monday.com to provide updates on the progress of remediation efforts and details of specific actions taken.
4. Implement remedial measures
Take remedial or corrective actions to prevent similar incidents happening in the future.
5. Notify our customers
In the case of a security incident involving one of our apps, depending on the context and the data involved, it is important that we consider communicating the details of the incident to affected customers, including what action we are taking in response. When possible, we will notify customers within 72 hours of identifying an incident.
6. Conduct a post incident review
In the aftermath of an incident, it's important to remain vigilant in order to confirm that the incident has been fully resolved, and to identify any lessons that will help us handle future incidents better. We consider the following:
Are there any indicators of compromise that are still present? (monitoring tools can also be used to help confirm this)
Are there any lessons from the response to this incident that should be used to update our incident response process? Are there any lessons that would reduce the time taken to investigate or resolve a similar situation?
Have any actions been taken to reduce the chances of a similar future security compromise?
Does our logging need to be improved in order to expedite investigation for any future incidents?