Elevating Security Awareness

Increasing the Relevance and Scalability of End-User Education

Hardwiring Breach Response

Worst of Both Worlds

Increased security awareness on campus can support a more efficient and controlled response, and preparing campus for a breach event will lead to greater awareness of risks and acceptance of necessary changes to policy.

IT teams that have experienced a breach event know that the first hours after incident notification will be hectic and confusing. The institution must organize internal responders, secure systems, contact all appropriate parties, set up crisis services, and collect key data all at once. Without a clear plan and organization in place, mistakes are made.

Airbrush the Rapid-Response Playbook

Nearly all institutions have conducted basic preparation in segmenting data and assigning ownership over key systems; however, few have made key roles and processes part of their breach response plan. Designating breach response leaders, creating distributed application whitelists, and tracking time to response can help even advanced organizations improve the efficiency and effectiveness of breach response.

Practice 1: Incident Managers

Ensure Focus and Authority for Fast Decisions

Single owners reduce lag to access experts, notify stakeholders

To make breach response efficient, controlled, and predictable, identify a pool of staff who will be prepared to make escalation, purchasing, and quarantine decisions during a breach. These incident managers oversee the entire workflow around breach response and are responsible for shift continuity, damage assessment, response team assembly, stakeholder notification, evidence collection, and an initial postmortem analysis.

Practice 2: Distributed Application Whitelisting

Pre-wire Unit-Level Containment Decisions

Focus on what stays on instead of what shuts down

Keep up with critical distributed applications without overburdening the security team by focusing on what will stay on during a breach instead of what will shut down. Compiling a list of top local applications outside of standard, enterprise-wide licenses can ensure continuity in local areas by insulating whitelisted applications from a system quarantine.

Practice 3: Time-to-Response Tracking

Measure Response to Reduce Breach Costs

Document process performance to streamline response

Operational efficiency during a breach is a significant driver of indirect expenses. To save on breach costs, improve the time it takes to know a breach has occurred, understand the root-cause vulnerability, contain the damage, and create a permanent solution. Comparing granular breach-response performance metrics against set benchmarks identifies areas for improvement and reveals how different data and parts of campus respond differently to security incidents.

Representative uses of granular time-based metrics

Compare performance metrics at the level of data type (e.g., FERPA versus HIPAA) and unit type (e.g., academic department versus administrative office) to prioritize remediation at the level of process and understand where the “indirect” costs of data breaches are clustered.
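The comparison described above, sketched as an added example that is not part of the original brief: it computes the four response intervals per incident and reports which data-type or unit-type groups have a median above benchmark. The incident records, field names, benchmark hours, and the choice to measure the last three phases from detection are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Phase -> (start milestone, end milestone). Measuring the last three phases
# from detection is an assumption of this example, not something the brief states.
PHASES = {"know": ("occurred", "detected"), "root_cause": ("detected", "root_cause"),
          "contain": ("detected", "contained"), "permanent_fix": ("detected", "resolved")}
# Constructed benchmark targets, in hours.
BENCHMARK_HOURS = {"know": 24, "root_cause": 48, "contain": 12, "permanent_fix": 168}

# Constructed sample incidents (not real data): data type, unit type, then the
# occurred / detected / root-cause / contained / resolved milestones.
FIELDS = ("data_type", "unit_type", "occurred", "detected", "root_cause", "contained", "resolved")
ROWS = [
    ("FERPA", "academic department", "2024-03-01T08:00", "2024-03-02T20:00",
     "2024-03-04T08:00", "2024-03-03T02:00", "2024-03-08T20:00"),
    ("FERPA", "administrative office", "2024-04-10T09:00", "2024-04-10T21:00",
     "2024-04-11T21:00", "2024-04-11T01:00", "2024-04-14T21:00"),
    ("HIPAA", "administrative office", "2024-05-05T00:00", "2024-05-05T10:00",
     "2024-05-08T10:00", "2024-05-06T04:00", None),  # not yet resolved
]
INCIDENTS = [dict(zip(FIELDS, row)) for row in ROWS]

def phase_hours(incident):
    """Hours spent in each phase; a phase with a missing milestone is skipped."""
    out = {}
    for phase, (start, end) in PHASES.items():
        if incident.get(start) and incident.get(end):
            delta = datetime.fromisoformat(incident[end]) - datetime.fromisoformat(incident[start])
            out[phase] = delta.total_seconds() / 3600
    return out

def over_benchmark(incidents, dimension):
    """Median hours per (group, phase), keeping only medians above benchmark."""
    samples = defaultdict(list)
    for inc in incidents:
        for phase, hours in phase_hours(inc).items():
            samples[(inc[dimension], phase)].append(hours)
    medians = {key: median(vals) for key, vals in sorted(samples.items())}
    return {k: v for k, v in medians.items() if v > BENCHMARK_HOURS[k[1]]}

if __name__ == "__main__":
    for dim in ("data_type", "unit_type"):
        for (group, phase), hours in over_benchmark(INCIDENTS, dim).items():
            print(f"{dim}={group} phase={phase} median={hours:.1f}h "
                  f"benchmark={BENCHMARK_HOURS[phase]}h")
```

On this sample the two cuts point at different problems: by data type the HIPAA incident is slow on containment and root cause, while by unit type the academic department is slow to know a breach occurred.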

The Challenge

Making Risks Relevant