Incident response plans

As an IT pro, it's part of your responsibility to plan for worst-case scenarios as you consider how your school would mitigate the effects of a cybersecurity incident. With the support of well-established incident response models, you'll plan how to best monitor, classify, and report cyber incidents within your school. In this unit, consider having your school's current Incident Response Plan (IRP) nearby to identify any strengths and areas for improvement.

Important

The actions you take in the hours and days following discovery of the incident are critical to your ability to recover, and key to maintaining the trust of your school community.

Having a plan in place is key. CISA recommends that school leaders and IT teams work with stakeholder groups to create, maintain, and exercise a basic cyber incident response plan that includes clear procedures to follow if there's a cyberattack.

Develop a cyber incident response plan

Although each school or district's incident response process may differ based on organizational structure, capabilities, or historical experience, consider this set of recommendations and best practices for responding to security incidents.

A diagram showing an example of a cycle for incident response plans including preparation, detection & analysis, containment, eradication, & recovery, and post-incident activity.

The first step is to have an incident response plan in place that encompasses both internal and external processes for responding to cybersecurity incidents. The plan should detail how your organization will:

  • Address attacks that vary in the risk and impact of the incident.
  • Define the purpose of the response, such as a return to instruction or to handle legal or public relations aspects of the attack.
  • Prioritize the work that needs to get done in terms of how many people should be working on the incident and their tasks.

During an incident, it's critical to:

  • Keep calm - Incidents are extremely disruptive and can become emotionally charged. Stay calm and focus on prioritizing your efforts on the most impactful actions first.
  • Do no harm - Confirm that your response is designed and executed in a way that avoids loss of data, loss of operationally critical functionality, and loss of evidence. Avoid decisions that can damage your ability to create forensic timelines, identify root cause, and learn critical lessons.
  • Involve your legal department - Determine whether they plan to involve law enforcement so you can plan your investigation and recovery procedures appropriately.
  • Be careful when sharing information about the incident publicly - Confirm that anything you share with your community is based on the advice of your legal department.
  • Get help when needed - Tap into deep expertise and experience when investigating and responding to attacks from sophisticated attackers.

Test the IRP

CISA recommends engaging in tabletop exercises to assess and enhance an organization's incident response readiness. Cybersecurity tabletop exercises are simulated scenarios designed to test your school's preparedness and response capabilities. They involve gathering key stakeholders, such as IT personnel, security teams, administration, and relevant departments, to participate in a facilitated discussion of a hypothetical cyberattack or data breach.

During a tabletop exercise, participants:

  • Review and analyze the simulated incident.
  • Discuss their roles and responsibilities.
  • Collaborate to develop strategies and response plans.

The exercise typically unfolds through a series of facilitated discussions and decision-making processes, allowing participants to identify strengths, weaknesses, and areas for improvement in their incident response procedures.

Additional resources

Several resources are available to help with your cyber incident response planning. Explore and save any of these documents.

Next steps

  1. Take a moment to read about how Fulton County Schools plan for any potential incident to keep their district secure. Then answer these questions:
    • What details from the story resonate with you?
    • Where do you identify their strengths?
    • Where are their areas for improvement?
  2. Take some time to look through the K12 SIX Essential Cyber Incident Response Runbook. It's tailored specifically to the needs and context of K-12 organizations and includes guidance for coordination with internal and external partners, stakeholder communications, and management of student-initiated incidents. Use this resource to evaluate your school's preparedness and identify strengths and areas of opportunity.
  3. Explore or save links from CISA's collection of tabletop exercise packages.