CISA Step 5 - Develop and Exercise a Cyber Incident Response Plan

October 26th, 2023

Today we continue our series on the highest-priority cybersecurity steps identified in the January 2023 CISA report “Partnering to Safeguard K-12 Organizations from Cybersecurity Threats.” In that report, CISA recommends that schools begin their cybersecurity journey by implementing six of the highest-priority security measures:

  • deploying multifactor authentication (MFA)
  • mitigating known exploited vulnerabilities (patching)
  • implementing and testing backups
  • minimizing exposure to common attacks
  • regularly exercising an incident response plan
  • implementing a strong cybersecurity training program

This bulletin addresses Step 5 - Develop and Exercise a Cyber Incident Response Plan. To quote the CISA report:

“School and district leaders and administrators need to know how to respond to cyber incidents, including how to recover should adverse events occur. Every K–12 organization should establish and regularly exercise a written incident response plan (IRP), which should define what the organization needs to do before, during, and after an actual or potential security incident. It should include roles and responsibilities for all major activities and be approved by the most senior leader of the K–12 organization. Where possible, organization-level IRPs should be integrated into a district’s broader emergency operations plan. Successful teams rehearse their plans. Organizations should test their plans by hosting attack simulation exercises with the personnel identified in their IRP. Sometimes called “tabletop exercises” or “TTXs,” these simulations allow teams to prepare for the inevitable security incident during peacetime. The lessons learned from these exercises will allow the organization to update and strengthen their IRP as well as their policies, procedures, and even technologies.”

As we mentioned in a previous bulletin, this all sounds straightforward on paper, but in the moments after an incident is discovered, things can get confusing quickly. Just as you have a plan for a physical emergency (fire, flood, tornado, etc.), a cyber emergency needs a plan as well. Working through the steps outlined in the linked CISA document and writing an incident response plan that spells out exactly what will happen, who will be involved, who will be notified, and in what order containment and remediation steps will occur brings much-needed clarity and focus to what is sure to be a stressful situation. Should a cyber emergency occur, many people within the school district would be involved, starting with the Superintendent. You certainly would not want anyone answering questions from reporters or law enforcement who had not been approved by the Superintendent. That is why it is so important for upper-level management, along with your Tech Director and other operations stakeholders, to work on this plan before anything happens. The time to identify who should be involved, and in what way, is BEFORE the worst happens.

Helpful Link from CISA on guidance for Incident Response Planning

This week’s suggestion:

  • Talk to your Superintendent and Tech Director about whether you have an Incident Response Plan (IRP) and, if you do, whether you schedule “tabletop exercises” to rehearse the plan.

Next week’s bulletin will discuss “CISA Step 6 – Training and Awareness.”

If you would like more information or help with developing an Incident Response Plan or navigating the NIST CSF journey, please contact Lisa MacDougall at or call 845.897.9480.