(2) what contingency plans are in place in the event of a breach of security in ContactPoint.
[holding answer 23 February 2009]: ContactPoint is designed, built, operated and managed to HM Government standards for security and complies with the strict controls imposed by HM Government security policy. Data contained within the system are made available only to those authorised users and administrators who have been subject to vetting and have completed mandatory training. Organisations that require access to ContactPoint must meet strict system accreditation requirements. These requirements do not allow access to ContactPoint via wireless handheld devices.
In the event of a breach of security in ContactPoint, we will follow HM Government security policy for incident response and reporting. Our response will be proportional to the severity of the incident and could include:
Immediately shutting down the system and denying access to all users;
Reporting the breach to stakeholders, up to and including the Information Commissioner and Ministers;
Reporting the breach to the Communications and Cryptographic Incident Notification, Reporting and Alerting Scheme (CINRAS); and
Reporting the breach to the National Technical Authority for Information Assurance's Computer Emergency Response Team (GovCertUK).
Following any security breach, a full review would take place and prosecutions would be instigated where appropriate.