= Incident i20140628.1 =

 * Incident Number: i20140628.1
 * Status: execution
 * Incident Manager: Benedikt Heintel
 * Date of incident opened: 2014-06-28
 * Date of incident closed: 201Y-MM-DD
 * Incident title: Data Privacy breach

== History Log ==

 . 2014-07-05: Incident i20140628.1 created
 . 2014-07-05: Incident documentation [[Audit/Incidents/priv/i20140628.1|private part]]
 . 2014-07-05: Board informed about incident and asked for approval (until 2014-07-19) and execution (until 2014-08-02)
 . 2014-07-10: Updated finding with link to Privacy Policy
 . 2014-07-13: Board approved the Incident and the proposed preventive actions

== 1. Incident Response Team ==

 . Internal Auditor

== 2. Incident Description ==

The internal Auditor became aware of a look-up of a community member's data by critical system admins without a prior order from an arbitrator.

== 3. Containment Actions ==

No action was taken to contain the incident; there is no current danger of expansion in this case.

== 4. Root Causes ==

''The related arbitration case [[Arbitrations/a20140422.1|a20140422.1]] is under seal; further information is kept in [[Audit/Incidents/priv/i20140628.1|private]] until the seal is lifted.''

== 5. Permanent Corrective Actions ==

Since no data was changed (only viewed), no corrective action applies.

== 6. Verify Corrective Actions ==

N/A

== 7. Preventive Actions ==

The internal Auditor recommends the following preventive actions:

 * Train the Critical System Administrator team in data protection
 * Oblige core team members (auditable) on data privacy
 * Add a data privacy test to CATS with privacy-related questions and make the repetition of the test mandatory after two years for all core team members

The Board decided to install the following preventive actions:

{{{
moves
1) that board takes steps to ensure that each CAcert team member of Support, SE, Arbitration, Infrastructure honours CAcert's Privacy Policy and prove the understanding of named policy by repeating a PP CATS Test yearly,
2) the change has to be retained in accordant policies via Arbitration and Policy group, and
3) the required CATS test is prepared under the responsibility of the Education Team
}}}

== 8. Approval & Closure ==

|| '''Approved''' || 2014-07-13 in [[https://community.cacert.org/board/motions.php?motion=m20140713.1|m20140713.1]] ||
|| '''Date closed''' || ||

----
 . CategoryAudit
 . CategoryIncident