Re: Please bear with me - this is an odd request ...

[Ben Marsden <bmarsden () SMITH EDU>]

I expect that institutions that have had a reportable breach have done some
immediate cost analysis associated with that event, but I've not heard of
any that have undertaken any concerted efforts to get at longer term costs
related to giving and enrollment.  I'd be very curious to hear about that.

I'd also like to hear about what costs were covered by any insurance
policies that may have been activated by a breach event, and any issues or
lessons learned relating to cyber liability insurance.

-- Ben


On Mon, Nov 26, 2018 at 2:39 PM Brian Basgen <brian_basgen () emerson edu>
wrote:

> Hi Chad,
>
>  Sounds like an interesting opportunity from an engaged board. :)
>
>  I suspect your easiest and best path is engaging a consultant who does
> remediation work. While it would be problematic to ask them to report on a
> past client for obvious reasons, I wonder if you could ask them to
> reconstruct some incident from a school similar to yours for which there is
> sufficient public information. If they've worked to remediate higher ed in
> the past, they could fill in some blanks prospectively and probably put
> together a pretty compelling story. It wouldn't be accurate without
> verification with the institution being researched, but a possible
> acceptable goal for your Board is for a theoretical scenario that is
> reasonable and realistic. That said, as you say, it would be an atypical
> request to make of a consultant, but I suspect you could find someone who
> would see it for what it is: as an interesting challenge!
>
> --------------
> Brian Basgen
> Associate Vice President, Information Technology
> Emerson College | 120 Boylston Street | Boston, MA 02116
>
>
>
> On Mon, Nov 26, 2018 at 12:32 PM Chad Tracy <ctracy () bates edu> wrote:
>
> > Hope everyone had a much deserved Thanksgiving break.
> >
> > I am three months into a newly created security position at an
> > institution that never had a dedicated person to fill the role. I have been
> > asked to put together a reading for the Board of Trustees regarding a case
> > study or some in depth description of a security incident that an
> > institution in higher education had and what the school did to right itself
> > and any sort of cost associated with it? The end game is to show the
> > members of the board the importance of this area. *There may be easier
> > ways to show the importance but I am sure some of you can probably raise
> > their hand to having to fulfill a request for the board... :) *
> >
> > Has anyone ever seen such a report or maybe even completed one
> > themselves? Maybe the report covered such things as:
> >
> > How the institution dealt with possible:
> >
> > reduced donations after the breach,
> > reputational damage (*I am not sure if this can be measured anymore...
> > are people becoming so desensitized by breaches that they just shrug them
> > off nowadays?*),
> > reduced enrollment.
> >
> > Costs of remediation:
> >
> > purchasing technology/services to remediate
> >
> > hiring of staff
> >
> > Thank you for your time and feel free to reach out offline either through
> > email or phone.
> >
> > Cheers,
> >
> > Chad
> >
> >
> >
> > --
> > Chad Tracy
> > Director of Information Security, Policy and Compliance
> > Bates College
> > 207 786-6491

-- 
[}--> BEWARE of links and attachments in email!   *  Stop, Think before you
click *
============================================
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!