- Category: Information Science and Technology
The report aims to analyze the state of Premier University’s information security program and mitigate the gaps exposed by the recent data breach. The breach incident compromised the personally identifiable information (PII) of approximately 5,000 former students at Premier University when a university employee had a university-owned laptop stolen out of their car. The report intends to outline the policies and landscape to move forward with the security of students and employees at the forefront.
The report recognizes that it is impossible to guarantee against a data breach but suggests addressing the way data is used and stored. There is a need to change the culture around how technological systems are handled, along with how breaches are handled. The report recommends putting systems in place that allow for swift action in the event of an incident and protect those exposed. The following identifies current shortcomings and offers solutions and recommendations for the current technological arena.
The gaps in Premier University’s information security program are identified in two sets of flaws. The first set of flaws involves the actual security procedures. The university-owned laptop containing PII was allowed out of a secure area, putting the information at greater risk. The stolen laptop was not password protected, leading to a lack of basic security. Encryption of the information stored on the laptop, specifically any PII it contained, would provide a third level of security.
The second set of flaws stemmed from the lack of an incident response and notification plan, which delayed the determination that PII was stored on the laptop. As a result, affected parties were left at risk and uninformed for an inexcusable amount of time. The incident response also lacked proper communication with press representatives, which led to financial damage to the university.
To mitigate the risk of security gaps, the report suggests setting rules for the use of off-campus computers and educating staff. A comprehensive list of rules for taking laptops off campus should be distributed to every employee who does so. Rules should also be established for how the devices are used, and no student or employee files should be stored on off-campus devices. Software should be installed to ensure compliance. For off-campus work, employees should use these laptops to connect to a university VPN, accessing their own files and continuing their work as though they were at their on-campus workstation.
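The compliance software called for above could run a scan like the following on an off-campus laptop, flagging any file that appears to hold student or employee PII so it can be removed before the device leaves campus. This is an added example, not code from the report or from Premier University; the PII patterns, the student ID format and the sample files are constructed for illustration.

```python
"""Off-campus laptop compliance scan: flags files that appear to hold student
or employee PII, which policy says must not be stored on such devices.
Added example; patterns and sample files are constructed, not from any real
Premier University system."""
import re
import tempfile
from pathlib import Path

# Patterns for the kinds of PII a student record typically holds (assumed).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Hypothetical student ID format: 'S' followed by eight digits.
    "student_id": re.compile(r"\bS\d{8}\b"),
}


def classify(text: str) -> set[str]:
    """Return the set of PII kinds found in a piece of text."""
    return {kind for kind, rx in PII_PATTERNS.items() if rx.search(text)}


def scan_directory(root: str, max_bytes: int = 1_000_000) -> dict[str, set[str]]:
    """Walk root and map each flagged file (relative path) to the PII kinds in it.
    Files larger than max_bytes are skipped to keep the scan cheap on a laptop."""
    findings: dict[str, set[str]] = {}
    root_path = Path(root)
    for path in root_path.rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        kinds = classify(path.read_text(encoding="utf-8", errors="ignore"))
        if kinds:
            findings[str(path.relative_to(root_path))] = kinds
    return findings


def demo() -> dict[str, set[str]]:
    """Build a constructed home directory with one offending export and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / "Downloads").mkdir()
        # Constructed alumni export: exactly the kind of file that must not be here.
        (home / "Downloads" / "alumni_export.csv").write_text(
            "name,ssn,email\nJane Doe,123-45-6789,jane@example.edu\n")
        (home / "notes.txt").write_text("Bring the VPN token to the office on Monday.")
        (home / "roster.txt").write_text("S00123456 attended the seminar.")
        return scan_directory(str(home))


if __name__ == "__main__":
    for rel_path, kinds in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(sorted(kinds))}")
```

Running the scan before a laptop leaves campus, and again periodically while it is off campus, turns the "no student or employee files on off-campus devices" rule into something that can actually be checked.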
In light of recent security breaches, it is imperative that we prioritize Incident Response (IR) and prepare for potential system failures. As such, Premier University must implement a comprehensive IR policy to address breaches and facilitate rapid detection, management, and recovery. This policy must require the development of an IR plan, including event playbooks, and the formation of an IR team with defined responsibilities. Additionally, a communication plan must be established to allow for swift dissemination of information, and the plan must be updated regularly to reflect changes in security threats.
After a breach, it is crucial to respond efficiently and effectively. Law enforcement and the university legal team must be contacted as primary points of communication, and notifications to the affected parties must be made only after a thorough investigation. Should encrypted data be breached, immediate notification should be provided to affected parties once authorized by law enforcement, and the university community should also be informed through a secondary notification process. A designated PR person should be responsible for crafting press releases and ensuring accurate information is provided to affected individuals, including information about actions being taken to protect them and how they can protect themselves. The university should also offer at least a year of free credit monitoring to affected parties, with detailed information provided in press releases, on the university website, and in email newsletters.
To effectively manage breaches, speed and accuracy are crucial. Regular risk assessment must be conducted to guide future actions and ensure best practices are followed. While it may not be possible to prevent all security breaches, following these guidelines can help mitigate the damage to Premier University and its community.