
ADVANCED CYBERSECURITY TRAINING FOR TEACHERS (ACTT)

A Sample Cybersecurity Preparedness Plan for Learning Institutions

Introduction
Purpose
This document describes the overall plan for responding to information security incidents at a learning institution. It defines the roles and responsibilities of participants, the characterization of incidents, and reporting requirements. The goal of the Cybersecurity Preparedness Plan is to detect and react to computer security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to all stakeholders, and reduce the likelihood of the incident recurring.

Scope
This plan applies to the Information Systems, Institutional Data, and networks of the school and to any person or device that gains access to these systems or data.
Maintenance
The institution’s Information Security Office (ISO) is responsible for the maintenance and revision of this
document.

Authority
The ISO is charged with executing this plan by virtue of its original charter and various policies such as the
Computing Policy, Information Security Policy, and HIPAA Policy.

Definitions
Event
An event is an exception to the normal operation of IT infrastructure, systems, or services. Not all events
become incidents.

Incident
An incident is an event that violates the Computing Policy; Information Security Policy; other school policy,
standard, or code of conduct; or threatens the confidentiality, integrity, or availability of Information
Systems or Institutional Data.

Personally Identifiable Information (PII)
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
- Social security number
- State-issued driver’s license number
- State-issued identification card number
- Financial account number in combination with a security code, access code or password that would permit access to the account
- Medical and/or health insurance information

Roles and Responsibilities

The Cybersecurity Preparedness process incorporates the Information Security Roles and Responsibilities definitions and extends or adds the following roles.

Incident Response Coordinator


The Incident Response Coordinator is a cybersecurity specialist who is responsible for assembling all the
data pertinent to an incident, communicating with appropriate parties, ensuring that the information is
complete, and reporting on incident status both during and after the investigation.

Incident Response Handlers


Incident Response Handlers are employees who gather, preserve and analyse evidence so that an incident
can be brought to a conclusion.

Users
Users are members of the school community or anyone accessing the School Management System,
Learning Management System, Institutional Data or networks who may be affected by an incident.

Law Enforcement
Law Enforcement includes the institution’s security force and the federal and state law enforcement agencies that present warrants or subpoenas for the disclosure of information.

Cybersecurity Preparedness Phases


The basic incident process encompasses six phases: preparation, detection, containment, investigation,
remediation and recovery.

Preparation
Preparation includes those activities that enable the cybersecurity personnel to respond to an incident.
Preparation also implies that the affected groups have instituted the controls necessary to recover and
continue operations after an incident is discovered. Post-mortem analyses from prior incidents should
form the basis for continuous improvement of this stage.

Detection
Detection is the discovery of the event with security tools or notification by an inside or outside party
about a suspected incident. This phase includes the declaration and initial classification of the incident.

Containment
Containment is the triage phase where the affected host or system is identified, isolated or otherwise
mitigated, and when affected parties are notified and investigative status established. This phase includes
sub-procedures for seizure and evidence handling, escalation, and communication.

Investigation
Investigation is the phase where cybersecurity personnel determine the priority, scope, and root cause of
the incident.

Remediation
Remediation is the post-incident repair of affected systems, communication and instruction to affected
parties, and analysis that confirms the threat has been contained. The determination of whether there
are regulatory requirements for reporting the incident (and to which outside parties) will be made at this
stage. Apart from any formal reports, the post-mortem will be completed at this stage as it may impact
the remediation and interpretation of the incident.

Recovery
Recovery is the analysis of the incident for its procedural and policy implications, the gathering of metrics,
and the incorporation of “lessons learned” into future response activities and training.

Guidelines for the Incident Response Process


In the process of responding to an incident, many questions arise and problems are encountered, any of
which may be different for each incident. This section provides guidelines for addressing common issues.
The Incident Response Coordinator and Director of Information Security should be consulted for questions
and incident types not covered by these guidelines.

Denial-of-Service Attacks
Denial-of-service attacks are designed to disrupt or degrade online learning services such as Zoom sessions and learning management systems (LMS).

If a learning institution wishes to increase its ability to withstand denial-of-service attacks, it should, where appropriate and practical, implement the following measures before any denial-of-service attack begins:

- Determine what functionality and quality of service is acceptable for online learning services, how to maintain such functionality, and what functionality can be lived without during denial-of-service attacks.
- Discuss with service providers the details of their denial-of-service attack prevention and mitigation strategies. Specifically, the service provider’s:
  - capacity to withstand denial-of-service attacks
  - any costs likely to be incurred by the school resulting from denial-of-service attacks
  - thresholds for notifying the institution or turning off their online services during denial-of-service attacks
  - pre-approved actions that can be undertaken during denial-of-service attacks
  - denial-of-service attack prevention arrangements with upstream providers (e.g. Tier 2 service providers) to block malicious traffic as far upstream as possible.
- Protect the institution’s domain names by using registrar locking and confirming domain registration details (e.g. contact details) are correct.
- Ensure 24x7 contact details are maintained for service providers and that service providers maintain 24x7 contact details for the school.
- Establish additional out-of-band contact details (e.g. mobile phone number and non-organisational email) for service providers to use when normal communication channels fail.
- Implement availability monitoring with real-time alerting to detect denial-of-service attacks and measure their impact.
- Partition critical online services (e.g. Zoom sessions) from other online services that are more likely to be targeted (e.g. school website).
- Pre-prepare a static version of a website that requires minimal processing and bandwidth in order to facilitate continuity of service when under denial-of-service attacks.

Data Breaches, Ransomware, Phishing and Other Attacks


The school’s incident response team needs to do the following to prepare for data breaches and other
security incidents like malware.

- Data: Quickly determine what data and resources could be compromised or stolen and what critical learning processes could be affected. The response team also needs to analyse any learning or management systems that could be compromised by malicious software, determine the malware’s intent, and collect the relevant logs and transactions.
- Compliance: Review what regulatory requirements need to be addressed. Because of the dwell time for most breaches, all critical data and logs will need to be saved off-line for a minimum of a year.
- Authorities: Determine whether you need to contact the authorities, including federal law enforcement and regulatory bodies. This is especially critical for organizations bound by regulatory requirements. GDPR, for example, can exact significant fines for failure to report an incident in a timely manner.
- Evidence: Preserve evidence in case the incident becomes a legal issue. Law enforcement should already have been included in your preparation and planning, so steps for preserving the crime scene should already be part of your response plan so that any evidence is admissible in a court of law. Bringing in a digital forensic team will help standardize this process and capture critical evidence following strict legal guidelines.
- Quarantine and Redundancy: Because impacted systems will likely need to be quarantined, redundant systems need to be available so that forensic analysis can take place. Quarantine capabilities are important to avoid spread.
- Trace Attack Chain: Tools need to be in place that enable you to trace an attack path back to its point of entry. This will require determining the malware used and the dwell time of the attack. Once the attack chain and malware have been identified, every device along the attack path will need to be analysed. Indicators of compromise (IOCs) will need to be used to identify other devices that may have been compromised.

- Training: Teachers, students, parents and other school staff need to be cyber-aware and trained. Security incidents rarely leave the broader employee base unaffected. In addition, training will help facilitate a proper response and could help prevent incidents.

Insider Threats
An insider threat is a threat to the learning institution that comes from negligent or malicious insiders, such as teachers, students, contractors, third-party vendors, or business partners, who have inside information about the school’s cybersecurity practices, sensitive data, and computer systems. These threats may involve fraud, theft of confidential or commercially valuable information, theft of intellectual property and trade secrets, sabotage of security measures, or tampering with student grades.
In the case of an insider threat the following should be done:
- Where a particular Incident Response Handler is a person of interest in an incident, the Incident Response Coordinator will assign other Incident Response Handlers to the incident.
- Where the Incident Response Coordinator is a person of interest in an incident, the Director of Information Security will act in their stead or appoint a designee to act on their behalf.
- Where the Director of Information Security is a person of interest in an incident, the Chief Information Officer (CIO) will act in their stead or appoint a designee to act on their behalf.
- Where another school administrative authority is a person of interest in an incident, the information security officer will work with the remaining administrative authorities.

Interactions with Law Enforcement


All communications with external law enforcement authorities are made after consulting with the school’s security department.
The ISO works with the local police to determine their information requirements and shares the minimum information necessary for incident response.

Communications Plan
All public communications about an incident or incident response to external parties outside the institution are made in consultation with the Chief Information Security Officer and the school’s Media Relations. Private communications with other affected or interested parties contain the minimum information necessary. The minimum information necessary to share for a particular incident is determined by the Incident Response Coordinator and the Director of Information Security in consultation with the institution’s administrative authorities.

Privacy
The Computing Policy provides specific requirements for maintaining the privacy of school affiliates. All incident response procedures will follow the current privacy requirements as set out in the Computing Policy. Exceptions must be approved by the school’s administration.

Documentation, Tracking and Reporting


All incident response activities will be documented to include artifacts obtained using methods consistent
with chain of custody and confidentiality requirements. Incidents will be prioritized and ranked according
to their potential to disclose restricted data. As an investigation progresses, that ranking may change,
resulting in a greater or lesser prioritization of resources.
Incidents will be reviewed post-mortem to assess whether the investigational process was successful and
effective. Subsequent adjustments may be made to methods and procedures used by the Information
Security Officer and by other participants to improve the incident response process.
Artifacts obtained during the course of an investigation may be deleted after the conclusion of the
investigation and post-mortem analysis unless otherwise.
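As an added example that is not part of the plan itself, the PII definition from the Definitions section and this section's rule that incidents are ranked by their potential to disclose restricted data can be encoded as a small triage helper for the compliance and reporting determination. The record field labels, the 100-person threshold and the 0-3 priority scale are assumptions made for illustration, and the sample incidents are constructed.

```python
from dataclasses import dataclass

# Name components and data elements taken from the plan's PII definition.
# The field labels themselves are assumed names for an incident record.
NAME_ELEMENTS = {"first_name", "first_initial"}
SENSITIVE_ELEMENTS = {"ssn", "drivers_license", "state_id_card",
                      "medical_info", "health_insurance"}
# A financial account number counts only when exposed together with a
# credential that would permit access to the account.
ACCOUNT_CREDENTIALS = {"security_code", "access_code", "password"}


def is_notifiable_pii(exposed: set[str]) -> bool:
    """True if the exposed elements meet the plan's breach-notification PII definition."""
    has_name = "last_name" in exposed and bool(exposed & NAME_ELEMENTS)
    if not has_name:
        return False
    if exposed & SENSITIVE_ELEMENTS:
        return True
    return "financial_account" in exposed and bool(exposed & ACCOUNT_CREDENTIALS)


@dataclass
class Incident:
    ident: str
    exposed: set[str]  # data elements believed exposed so far
    people: int        # individuals whose records are involved


def priority(inc: Incident) -> int:
    """Rank by potential to disclose restricted data; higher is more urgent (assumed scale)."""
    if is_notifiable_pii(inc.exposed):
        return 3 if inc.people >= 100 else 2
    if inc.exposed & (SENSITIVE_ELEMENTS | {"financial_account"}):
        return 1  # restricted data with no linked name: review and re-rank as scope grows
    return 0


def triage(incidents: list[Incident]) -> list[str]:
    """Incident ids in the order resources should be allocated (stable on ties)."""
    return [i.ident for i in sorted(incidents, key=priority, reverse=True)]


# Constructed sample incidents, not drawn from any real event.
SAMPLE_INCIDENTS = [
    Incident("INC-1", {"first_name", "last_name", "ssn"}, 500),
    Incident("INC-2", {"first_initial", "last_name", "financial_account"}, 50),
    Incident("INC-3", {"last_name", "medical_info"}, 20),
    Incident("INC-4", {"first_name", "last_name", "email"}, 900),
    Incident("INC-5", {"first_initial", "last_name", "financial_account", "password"}, 10),
]
```

Re-running `triage` as the investigation widens the set of exposed elements reflects the plan's note that an incident's ranking may change as scope becomes clearer.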

Escalation
At any time during the incident response process, the Incident Response Coordinator and the Director of
Information Security may be called upon to escalate any issue regarding the process or incident. The
Incident Response Coordinator and Director of Information Security will determine if and when an
incident should be escalated to external authorities.

Conclusion
The goal of a cybersecurity preparedness plan is to make response and remediation strategies as strong as possible. The best way to achieve that goal is to ensure that the right people, processes and technology are all aligned accordingly.
