break this up into 5 slides for a powerpoint presentation.. the order should be logical and engaging.
Question:
break this up into 5 slides for a powerpoint presentation.. the order should be logical and engaging. each slide should have bullet points/short sentences.
"Introduction
The purpose of this report is to develop a comprehensive plan to address and mitigate the damage caused by the recent data breach at The Astra Company ("Astra"). Astra is a public pharmaceutical company that distributes an FDA approved cancer treatment drug globally. Unfortunately, Astra has become a target of a data breach that has compromised sensitive data related to the company's prescription testing, as well as personal data belonging to employees and patients who participated in multiple trials. It has come to our attention that the security controls in place are inadequate and most likely gave rise to the attack. Upon further discovery, the main issues we're investigating at the Astra headquarters are the lack of security and surveillance, and employee guidelines that fail to safeguard the personal information of our customers, employees, and proprietary information. While we do not know exactly where this breach occurred, we have identified weak points within the Astra infrastructure both at the Astra Headquarters in Los Angeles and internationally at the Dublin and Tokyo offices. What follows is Astra's plan of action, otherwise known as the National Institute of Standards and Technology cybersecurity framework.
STEP 1: IDENTIFY
Astra is currently assessing the extent of the damage so that we can determine what data was stolen and the potential legal implications. Beyond alerting you, the Board, it is imperative that we also notify the Shareholders of Astra of the data breach. After our team ascertains the severity of the breach, affected parties should be notified of the swift steps Astra is taking to rectify the breach. Simply put: time is of the essence.
STEP 2: PROTECT
Unfortunately, Astra's vulnerabilities were exposed through a multitude of avenues/inlets. As part of Astra's swift response, we have alerted the authorities including the Los Angeles Police Department, with a police report filed. The local police have begun frequent patrols around our Los Angeles headquarters. Additionally, we have filed a report with the FBI's white-collar crime and Health Care Fraud divisions. As part of our efforts to enhance security, we have equipped each office with extensive surveillance mechanisms, including biometric security clearance (fingerprint scanners) for the Legal and Finance offices and any other offices that house Astra's high-security proprietary and patient or employee information. Beyond alerting the FBI and LAPD and pursuant to the HIPAA Breach Notification Rule, 45 CFR 164.400-414, Astra has been in close communication with the Secretary of the U.S. Department of Health & Human Services and the Federal Trade Commission.
STEP 3: DETECT
Currently, the details surrounding the cyber-attack that targeted Astra remain unknown. However, Astra remains steadfast in our efforts to pinpoint the source of the breach. Conservative estimates indicate that the system has been compromised for the last ten months. As part of the response, Astra has taken proactive steps and implemented SolarWinds' Security Information Management System ("SIEM") to detect past and future threats. This comprises two practices. The first is the Security System Management which "involves collecting, normalizing, and analyzing log data from different sources across the network, including firewalls, servers, and anti-malware software." This feature offers real-time data from events and activity. The second, Security Event Management, "involves leveraging specific types of event data for real-time threat analysis visualization, and incident response" and alerts the company to "suspicious authentications or logins based on up-to-date lists of known bad actors."
Astra's security has been compromised and we have reason to believe this breach may have occurred either physically or virtually or both. The points of concern are threefold. First, the current breach may have been facilitated by the lack of security at the front office and the failure to secure the doors to the Legal and Finance offices at our headquarters. Second, some employees, including the IT director in the Dublin office, work remotely on personal devices, which is not in line with the new policies we have implemented. Third, Astra's existing threat-management system failed to detect unauthorized access and subsequently never sent alerts. Based on the initial review, the breach may have occurred over the span of approximately ten months. Because of this, Astra will mobilize a crisis team consisting of IT to implement a new threat management system. Part of this new system should include two-factor authentication.
STEP 4: RESPOND
As is widely known, Astra produces one of the best cancer treatment drugs on the market and is in competition with well-known therapeutics including CRISPR and CAR-T. The pharmaceutical industry houses some of the most personally identifiable information and HIPAA protected data including trial participants' information, adverse reactions, contact information, and medical records including imaging and pathology reports. Beyond patient information, employee information has also been compromised. This requires Astra notifying shareholders, involvement of general and outside counsel for reporting and regulatory compliance, employee compliance, IT experts, and various regulatory and criminal agencies. Lastly, a letter should address all patients and individuals affected by the breach.
Astra must have a comprehensive response plan that involves regulatory bodies and authorities of each entity. Crucial to the management of the breach is the timely and transparent notification of shareholders. Given the recent bank runs arising from Silicon Valley Bank, it is imperative to approach shareholders in a way that instills confidence in Astra's response. First Republic's letter to shareholders offers an insightful approach. The letter emphasizes the company's consistent profitability, shareholder valuation, and projected growth rate. Astra's letter should do the same and highlight Astra's resilience and further detail the remedial measures taken to address the breach. The ultimate objective is to reassure shareholders and bolster confidence in Astra Pharmaceuticals.
The General Counsel for Astra will be responsible for overseeing compliance with the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"). The CCPA and CPRA uphold consumer privacy rights and impose strict obligations to protect consumers' right to know what personal information businesses collect and how that information is used, to delete or correct that information, and the right to limit use and disclosure of sensitive personal information.
Astra's Outside Counsel will continue to oversee international matters, specifically compliance with the General Data Protection Regulation ("GDPR") as well as jurisdiction-specific legal issues. As a global pharmaceutical company with locations in Los Angeles, Dublin, and Tokyo, Astra must comply with the laws and regulations of each region. In Tokyo, Outside Counsel will spearhead reporting and compliance with the Personal Information Protection Commission. Under the GDPR, Outside Counsel will report the data breach within 72 hours to the relevant supervisory authority. This will ensure that Astra takes all the necessary steps to secure the information that was illegally accessed.
*Act on the Protection of Personal Information, communication, breach notification, forensic investigation
After conducting a thorough review of the employee handbook, we have determined that the current policy on remote work is not specific enough to prevent confusion or inconsistencies. Therefore, we will be working with the General Counsel to revamp the handbook, ensuring that it includes a detailed and exhaustive process for employees who wish to work remotely. The current employee handbook states that employees must "Contact Human Resources to discuss the employee being considered for this arrangement and cover any issues and/or concerns." This language is vague and insufficient to provide clear guidelines. In response, we have developed a comprehensive amendment to the current employee handbook that outlines the steps for employees and supervisors of those employees to follow in order to obtain approval to work remotely (Exhibit 1). Furthermore, employees in a supervisory capacity will be mandated to attend Leadership Training and all directors, supervisors and employees will be required to attend Company-Specific Compliance Training and obtain a HIPAA Security Training Certification. The Company-Specific Compliance Training aims to elucidate the compliance function including Astra's operations, offices, personnel, and activities within the organization that carry out compliance responsibilities. In addition to the support of the board, effective management, adequate funding, and outside audits of this compliance function, Astra should provide a five percent bonus incentive for compliant behavior. While some may argue that the cost of these bonuses will accumulate, we believe that the savings from avoiding legal expenses and forensic experts will offset these costs. With the support of the board, effective management, and adequate funding, we believe that this policy will lead to a more productive and compliant workforce.
It is crucial to notify all individuals directly affected by the breach, particularly patients. The main objective of the notification letter is to be transparent and provide reassurance that Astra has the situation under control. Although the letter should be informative, it should be straightforward and include details such as what occurred, what information was affected, what actions have been taken, and what the affected individual can do. Additionally, the letter should include contact information for more information and resources for the victims of the breach. Ultimately, the notification letter should convey to patients that Astra takes the breach very seriously and has taken all necessary steps to address the issue.
STEP 5: RECOVER
Astra has engaged the services of Edelman, a renowned public relations firm with extensive experience in the healthcare industry. Edelman serves notable clients including Pfizer, AstraZeneca, and Johnson & Johnson. Edelman provides a range of services; however, for our specific needs with respect to recovering from the breach, Astra would be utilizing the Crisis and Reputation Risk services and Reputational Recovery services. This includes reestablishing our brand narrative and positioning, influencer and advocacy programs, newsroom and social media content strategies, and most importantly, garnering trust from the public.
"