Activity 2 IASb
Directions. Analyze the given case and answer the following questions. (50 points)
1. What was the case all about? (5 points)
- The case study is about a data breach at TKU University. Because of
the data breach at the university, a number of students lost personally identifiable
information.
2. What is the main problem presented in the case? (5 points)
- The main problem presented in the case is a data breach at a university caused by
lax security policies and includes an element of social engineering. The data breach
at the university resulted in a number of students losing personally identifiable
information. The resulting aftermath placed a significant financial burden on the
university as it was not prepared to handle an information security disaster.
4. Identify and discuss an alternative solution you can think of. Please focus on the
problem at hand. (15 points)
- High-profile data breaches serve as a reminder to everyone that data security is a
primary concern for companies. We have an alternative solution for data breaches.
First is Asset Inventory. You will have a better knowledge of your organization's
security posture if you have visibility into the hardware and software assets that are
present in your network and physical infrastructure. The dangers and vulnerabilities
that your assets might face can be categorized and rated using an asset inventory.
You can more effectively prioritize the remediation activities that will be made on
these assets by categorizing and ranking these vulnerabilities. Endpoint protection is
now a top priority because of data breaches. Simply said, antivirus is insufficient to
stop a significant data intrusion. In reality, if you only use anti-virus protection, your
endpoints, such as computers and laptops, would be left open to attack. Your PCs
and laptops could end up being a key entry point for breaches. Encryption is used to
avoid data loss and leakage, and uniform data protection standards are
enforced across all of your servers, networks, and endpoints, lowering the likelihood
of a data breach. Second is Vulnerability and Compliance Management. You can find
the holes, weak points, and security misconfigurations in your physical and virtual
environments by using a vulnerability and compliance management (VCM) solution,
or at the very least by finishing a vulnerability assessment. VCM can continuously
check your infrastructure and IT assets for flaws in compliance, configuration best
practices, and vulnerabilities. Some advantages that will lessen the likelihood of a
data breach include enabling your security team to comprehend the environment's
security susceptibility threats, i.e., the threat landscape, as well as the priorities for what
needs to be fixed. A good VCM will enable you to design a plan of action to address
these vulnerabilities and delegate them to the proper staff members. Last is Train
and Educate your Staff. You can then impose a documented employee policy on data
privacy and security after finishing your security policy audits. People cannot
voluntarily comply with policies they are unfamiliar with, so you should organize
frequent security trainings to ensure that all staff are aware of these newly
developed policies.
5. After reading and analyzing the given case, what conclusion or generalization can you
make? (10 points)
- The top essential information technology (IT) skill that has to be taught in
information systems (IS) curricula is security and disaster training. As a result,
information security and privacy have evolved into central ideas in the study of
information systems. It is always challenging to provide IT security on a tight budget,
and many small colleges struggle to strike a balance between cost and efficacy.
Therefore, it is not unexpected to discover that the bulk of data breaches since 2005
have occurred in educational settings. Many schools and universities have extra security
issues, such as flexible working environments, less defined policies and processes,
and staff that "wear many hats." In order to prepare future employees, it is crucial
that this segment—i.e., educational settings—be represented in class discussions. To
that purpose, we now describe a scenario involving a social engineering component
and a data breach at a university brought on by insufficient security procedures. The
university's data breach caused the loss of personally identifiable information for a
number of students. The university was unprepared to tackle an information
security disaster, thus the aftermath put a heavy financial load on it. Due to the way
it specifically depicted a data breach in a university setting, this case can be used as a
teaching tool. The case's readers will note that a number of issues regarding the
university's security culture and the management of the security function were
brought up at the management level. The situation also raises concerns about access
restriction and a lack of training.
6. What are the recommendations that you can offer? (10 points)
- Data security needs to be a high priority for all organizations. Although major
merchants and healthcare institutions are frequently mentioned in the news for
data breaches, all sectors are susceptible to security risks. It's time to review your
data security procedures if your company is undergoing a digital transformation to
cope with the quick changes in our environment. To make sure your company—and
data—are protected, it's always a good idea to audit your data security, even if you
haven't invested in any new technology or processes. Here are four
recommendations for enhancing data security and better protecting data from cyber
threats and hackers. First is improved passwords across the organization. For
data security, strong passwords are crucial. But many businesses have trouble
enhancing this aspect of data protection. Even though 59% of individuals "usually or
always" use the same password, 91% of people are aware that doing so puts their
security at risk. Second is Encrypt data at all times. Your data may be further
protected and defended via data encryption. It protects data privacy when it is sent
over the internet and kept in a database. Your data is exposed to cyber-attacks and
data hacks if there is no data encryption. Third, use software that understands
compliance regulations within your industry. Most businesses gather a lot of
personally identifiable data, including passwords, names, addresses, and phone
numbers. Even more private data, such as credit card numbers, social security
numbers, and license information, may be gathered by some. Lastly, enforce strong
security standards. It takes effort, persistence, and knowledge to change how
employees establish passwords, safeguard data, and utilize technologies. Employees
must be regularly trained on the value of data privacy and security standards if we
want the necessary adjustments to become habits.