Educause Security Discussion mailing list archives
Re: External Incident Notification Involving a Constituency
From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Wed, 30 Oct 2019 18:24:56 +0000
We handle third-party breach notifications two ways. All breaches involving current students, faculty or staff are posted to our News and Alerts site where the community can "self-serve" for information. We give the basic information about what was exposed and point users toward the correct website or contact information to follow up.

For breaches involving clear-text or weakly encrypted passwords, we send email notifications to all affected individuals. The primary reason is the almost certainty of password reuse. This reasoning was confirmed after the Chegg breach when we had more compromised accounts in two weeks than we had had for the previous two years.

Again, this is only for current students, faculty, and staff, not alumni or retirees. Our primary goal is to protect college assets that only active community members would have access to. Our email is on O365, so we let Microsoft deal with all other constituents.

Dan

Daniel H. Boyd (94C)
Director of Information Security
Office for Information Technology
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax: 706-238-5824
https://infosec.berry.edu

There are two rules to follow with your account passwords:
1. NEVER SHARE YOUR PASSWORDS WITH ANYONE (EVEN OIT!!!!)
2. If unsure, consult rule #1

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barton, Robert W.
Sent: Wednesday, October 30, 2019 2:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] External Incident Notification Involving a Constituency

Afternoon,

For those that do a notice of breaches of other entities, that involve your constituents, why? We have a little bit of a debate here as to IF, HOW OFTEN, and/or HOW we notify for breaches of third party systems that release information pertaining to us. If you do, why? If you don't, why not? I have a short list of why or why not, but I would like to hear from others. Has anybody found a best practice on the subject?

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- External Incident Notification Involving a Constituency Barton, Robert W. (Oct 31)
- Re: External Incident Notification Involving a Constituency Boyd, Daniel (Oct 31)