Create your cyber response plan

A cyber response plan helps you prepare now for future cyber incidents. Your plan should be tailored to your:

  • educational setting
  • knowledge of cyber security
  • available security resources

The following principles should be applied consistently throughout your cyber response plan. We have developed a template to help you create or improve your cyber response plan. It has guidance on preparing for and responding to cyber incidents and how these principles can be applied.

The purpose of a response plan

A cyber response plan should help you manage and respond to cyber incidents to:

  • minimise harm
  • restore services
  • comply with legal and regulatory duties

Accompanying documents for your response plan

Make sure you know of other plans, policies or procedures that might be relevant to your response plan. These might include:

  • disaster recovery plan for technical recovery
  • business continuity plan for maintaining education delivery
  • safeguarding policy for incidents involving students
  • data protection and privacy policy for incidents involving potential loss of personal information

If these plans exist for your educational setting, make sure you refer to them and include them in your plan. You may want to think about how they work together and if there are other people who need to be involved.

The objectives of your response plan

List the objectives of the plan. They should include:

  • detect and respond to cyber security incidents quickly and effectively
  • contain and eradicate threats
  • recover affected systems and data
  • meet legal obligations, for example data breach notification to the ICO
  • capture lessons learned

You may want to add other objectives related to your educational setting or set by your leadership team and set out what is and is not in the scope of your plan.

Preparing to handle incidents

There are different roles and responsibilities that need to be carried out during an incident. Your plan should set out who will be involved in a cyber response. A roles and responsibilities section can make clear:

  • who should be involved and when
  • roles and responsibilities for people involved

Make sure the people named in your plan can make decisions and take action. They will need to do things such as:

  • decide when to escalate incidents to senior stakeholders
  • take action and run an incident response
  • identify when IT can contain an incident without having to contact other stakeholders

List who will be involved in your response and their responsibilities.

Communication

You should have a communication plan and pre-prepared communications you can use in an incident. We have guidance and templates for communications.

Have these prepared and approved by stakeholders in advance and include them in your cyber response plan. Make sure they are saved somewhere you can access them if your IT fails.

Record keeping

Include templates in your plan and make sure they fit your organisation’s needs and capabilities. We have guidance on how to keep records during an incident.

Incident response process

Your plan should explain what happens in each step. You can customise the steps so they suit your educational setting. The incident response consists of the following stages and actions:

  1. Detection and reporting
    • staff report incidents via email or helpdesk
    • IT team detect or are alerted to potential incidents
  2. Triage and analysis
    • assess severity and identify incident type
    • initiate playbook if relevant
  3. Containment
    • isolate affected systems and accounts
  4. Eradication
    • remove the threat, for example malware removal
  5. Recovery
    • restore from backup
    • verify integrity
  6. Notification
    • notify affected users
    • notify the ICO if required
  7. Post incident review
    • document what happened
    • capture lessons learned

See our guidance on the process for responding to an incident.

Signing off your response plan

Once completed, the response plan must be approved and dated, noting who approved it and when it should next be reviewed.