I read the other day that today is "Worldwide Backup Awareness Day." I have no idea who declares these days. I am guessing you already know you should have good backups and air-gapped backups.
However, I am taking the liberty of morphing this into more sophisticated forms of backups.
1 - Do you have a disaster recovery site? If you do, is it in the district? At BOCES? At the RIC? If you have one, when did you last try to run your district off your DR site? If your answer is either never or more than a year ago, why is that? Yes, it is terrifying to think you would consciously "pull the plug" on your production network and run the district off the DR site, but you must test this. If you haven't done it already, pick a day this summer and schedule a full DR test. Ideally, that test shouldn't be announced, as you want real users doing real work vs. everyone taking the day off "because of limited access to the network."
2 - When did you last run a full test server restore? Your backups are your last line of defense. You need to know that they work. More and more cyber insurers ask you to do that monthly. If they haven't asked yet, they will. Do you have a plan?
3 - When was the last time you pulled out your incident response plan? Doing #1 and #2 should force you to read and use it. If it is inaccurate, now would be the time to freshen it up.
Recently, I watched a webinar on post-mortem actions following real breaches. The speaker had been through many breach remediations. He said there are three ways teams respond when attempting to use their incident response playbooks.
- They don't know they have an incident response book.
- They look at it and say this is not accurate and discard it.
- They look at it and say it is not accurate, but they use it anyway as it is the best they have.
He said that the third group, the people who use the incident response book and adapt it on the fly to address any variations that are not in the book, has the best outcomes.
He reminds us that once you have gone through either a DR exercise or a true incident, your post-mortem tasks should include updating the incident response book to your current network requirements using what you just learned.
If you need help with any of these IR/DR scenarios, please get in touch with us.
-Scott Quimby, CISSP