Alysia Salaneck
College of IT, Western Governors University
Dustin Barker
January 12, 2026
Report Purpose:
Sandhaven University (SU) is a private, nonprofit higher education institution located in California. This report recommends that SU incorporate recognized guidance from NIST publications (csrc.nist.gov) and sector advisories from CISA to strengthen its preparedness, detection, containment, communication, and measurement practices.
EVENT #1
Data Exfiltration
Sandhaven University (SU) must include a specific data breach scenario in its incident response plan, with a strong emphasis on data exfiltration. SU recently experienced a critical cybersecurity incident in which a vulnerability in the MOVEit Transfer software, CVE-2023-34362, was exploited. The scenario belongs in the incident response plan because the resulting data theft continued for roughly three months before it was detected.
The incident involved the exfiltration of both private student financial records and sensitive research data by a foreign threat actor. To address this type of data breach, the incident response plan should require a Data Loss Prevention (DLP) tool and a Security Information and Event Management (SIEM) system with correlation rules that detect anomalous outbound transfers. Upon detection, the plan should mandate containment by blocking the malicious IP address at the firewall and isolating the compromised server; because an actor can move to new infrastructure, the IP block is one containment step rather than the whole of containment. Eradication involves patching the specific vulnerability and verifying that no backdoors remain, while recovery focuses on validating data integrity against secure backups and rotating credentials so that business operations can resume.
Detection Tool
To address the root cause of limited network monitoring and inadequate edge firewall configurations, SU should deploy a Data Loss Prevention (DLP) solution together with a Security Information and Event Management (SIEM) system. A SIEM collects and analyzes security data, including logs and events, from Sandhaven University's servers, applications, and network devices, so that activity across those sources can be correlated and alerted on.
Detection Tool Details
A DLP tool monitors the private student financial records and faculty research data that the foreign actor explicitly targeted in the MOVEit exploitation. This depends on those records being classified or fingerprinted in advance, since DLP can only flag content it has been configured to recognize. Given that preparation, the exfiltration could have been detected by the DLP tool, which would have flagged protected files as they attempted to cross defined network boundaries. The tool would have prevented the 90-day window of undetected activity by alerting IT staff as soon as the foreign actor