The Importance of Incident Response Plans in Higher Education
When Blackbaud released details of its May 2020 data breach, it left many higher learning institutions wondering what breach notifications they’re required to, or should, make. The confusion surrounding notification requirements in accordance with the Federal Trade Commission (FTC) and the Gramm-Leach-Bliley Act (GLBA) left institution management reacting, not responding. The Blackbaud breach and other recent events brought to light the need for a comprehensive incident response plan. The goal of incident response is to help reduce damage to the institution and those whose financial data is being stored and maintained by the institution. In addition to the standard defined protocols to declare and respond to incidents, the institution’s program should have detailed procedures relating to the initiation of customer notification and assistance activities consistent with laws, regulations, and Department of Education guidance.
The GLBA addresses the requirement of “responding to attacks,” but regulatory requirements shouldn’t be the only concern. One thing is certain: The speed of recovery through establishing a detailed incident response plan, formal testing, and well-trained response teams saves money. According to the most recent “Cost of a Data Breach Report” published by IBM Security and the Ponemon Institute, organizations with incident response plans that include trained response teams and tabletop testing saved an average of $2 million over those without.
For a response plan to be effective, institutions must be able to identify a breach before they can contain it. Automated systems that aid in monitoring and detecting anomalies and other activity that could be deemed malicious are vital. According to the 2020 “Cost of a Data Breach Report,” higher education institutions on average take 212 days to identify a breach. In addition to those seven months, institutions spend another 71 days to remediate the breach, for a total of nearly nine and a half months. Let that sink in for a moment. Would that ever be considered satisfactory in your institution?
While the depth of an incident response plan will vary based on an institution’s size and complexity, below are some basic steps to get your incident response plan initiated:
- Establish an incident response team. Coordinate efforts among your institution’s various departments or roles to determine the team members. This process should include the CEO, CISO, head of IT, legal personnel, human resources, and management from key departments.
- Select a leader for the incident response team, and identify the senior management team members who can declare an incident. The CISO, CEO, and CIO are typical leaders of this group.
- Outline a structure of internal reporting to help ensure executives and all response team members are up to date and on track during a data breach.
- Clearly define steps, timelines, and checklists to keep the team focused during the stress of a data breach.
- Conduct preparedness exercises for the incident response team.
- Ensure tabletop testing and other response exercises include more than just IT. Effective incident handling capability includes coordination among many organizational entities, e.g., mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive.
One key mistake in an incident response plan is to assume this is only an IT function. While IT plays a critical role, the institutional machine must stay in motion. Each department should understand its individual role following a breach and have alternative plans in place to meet its business obligations.
Since higher learning institutions are considered financial institutions according to the FTC, a great resource for items related to IT security is the Federal Financial Institutions Examination Council (FFIEC). The FFIEC produces a series of free IT booklets available for download. Section III.D of the Information Security Booklet specifically addresses incident response.