The Premier University president has asked you to create a presentation to the university board of trustees that summarizes improvements made or underway to the university’s information security program. The president will present to the board at the next meeting.
For this part of the project:
Security Gaps and Mitigations
A security gap is a shortcoming in the security measures, people, processes, or technology that exposes an organization, or part of it, to unacceptable security risks. Because security gaps are inevitable, organizations need to plan and formulate procedures to mitigate them. The security breach at our school, Premier University, has shed light on the organization's lack of preparedness to handle security breaches. The delay in handling the case and the failure to answer questions from the press about the breach have required us to come up with a way to prepare ourselves for such events.
The first security gap is that the school’s sensitive information was allowed to be stored on the laptop’s local drive. We need to address this by ensuring that university information is not stored locally on any laptop and is instead reached through secured VPN access. We could make use of cloud and server storage for our data and grant read-only or view-only access, without storing the data on the users’ laptops. The laptop was also not password protected, and it did not have any disk or data encryption implemented (Vaidya 2019). Important data was stored on this laptop: credit card numbers and Social Security numbers are very costly in the hands of the wrong person. To mitigate this, the institution should enable proper disk encryption such as BitLocker, which will trigger whenever a wrong password is used more than the maximum allowable number of times. Additionally, a Mobile Device Management (MDM) tool should be implemented to allow remote wiping whenever a laptop theft is reported. All employees should go through Security and Awareness Training so that they better understand the importance of using passwords to protect their electronics.
There was no incident response function or procedure to handle the situation. The time it took for the school to realize what data was stored on the laptop, and the time it took to then notify the data owners, were not acceptable. To mitigate this, the employers should develop a viable plan to handle the theft of electronics. When such equipment is lost, the user should fill in a detailed report stating what was lost and, in specific detail, what data was lost. The user should also ensure that the details of all persons affected by the breach are documented. Once this is done, the authorities, such as the campus media, should, through the IT group, notify all affected people that their information has been leaked and that they should change their passwords. The school should also have a standby channel to respond to individuals who have questions or complaints arising from the matter. When the press statement was issued, the school representative was unable to give details on the breach when questions were asked. This was a gap. To mitigate it, the institution should have a dedicated, trained spokesperson who will respond to press interviews, and it should develop comprehensive responses for any data breach so that the victims feel safe and know that their data safety is being worked on.
Theft of institution equipment is to be anticipated because of the high traffic on the premises. For a large institution such as Premier University, this should not have come as a surprise but should have been expected. A laid-out plan should be developed to ensure that a theft causes no more than the loss of the hardware. The data should be fully covered in the event of such a theft.
References
Vaidya, R. (2019). Cyber security breaches survey 2019. Department for Digital, Culture, Media, and Sport, 66.
Preteshbiswas. (2021, March 31). Example of laptop security policy. ISO Consultant in Kuwait. Retrieved September 12, 2021, from https://isoconsultantkuwait.com/2020/02/02/example-of-laptop-security-policy/.