Dropbox has incident response policies and procedures to address service availability, integrity, security, privacy, and confidentiality issues. As part of our incident response procedures, we have dedicated teams who are trained to:
- Promptly respond to alerts of potential incidents
- Determine the severity of the incident
- If necessary, execute mitigation and containment measures
- Communicate with relevant internal and external stakeholders, including notification to affected customers to meet breach or incident notification contractual obligations and to comply with relevant laws and regulations
- Gather and preserve evidence for investigative efforts
- Document a postmortem and develop a plan for permanent remediation
The incident response policies and processes are audited as part of our SOC 2+, ISO/IEC 27001, and other security assessments.
Dropbox follows a standard incident response lifecycle of:
- Evaluation; and
- Corrective Action
After an incident impacting customers is reported, whether caused by external actors or persons with authorized access, an assessment of the impact is conducted in order to generate a plan of action to remediate identified issues. Where required by applicable law, contractual obligations, or otherwise appropriate, Dropbox notifies customers of an incident as described in the Dropbox Data Processing Agreement.
Issues identified as part of an incident are bucketed into two main categories:
- Action Items, which are short-term actions to mitigate a risk and stop an incident; and
- Security Issues, which are longer-term projects tied to specific technologies or systems to reduce security risk.
Action Items are assigned to the appropriate roles across the company who coordinate to mitigate the issue, communicate to internal stakeholders, and ensure resources are secured to help.
Resolution is achieved when all activities in the plan of action are completed.
Following mitigation of an incident, a postmortem is conducted to fully understand the root cause(s) of an issue, identify Action Items and Security Issues, and complete any remaining work to prevent the issues from reoccurring. Incidents go through a series of reviews to gather input and insights at the various levels of the organization. The more severe the issue, the higher level of review the incident will receive. Longer-term workstreams are added into sprints and roadmaps, and lessons learned are communicated to applicable teams.
This phased approach ensures that Dropbox focuses on the highest value work at the right points in time, which will help prevent future issues.