Oct 10 2022
Security

How to Create a Higher Ed Incident Response Playbook

Having a detailed incident response plan can help universities stay vigilant against cyberthreats.
Karen Scarfone
by

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She provides cybersecurity publication consulting services to organizations and was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST).

Most universities have incident response playbooks, but these plans are often taken for granted. With so many cybersecurity and technology issues to tackle, IT shops sometimes create incident response plans, then forget about them. That could be a big mistake.

A university’s incident response playbook is the most important foundational document driving its incident response management activities. Outdated plans and plans that don’t reflect your current approach to incident handling can slow the detection of complex threats and data breaches, allowing preventable damage to occur and delaying the restoration of normal operations. Up-to-date, robust incident response plans also are often required to obtain cyber insurance.

Whether you want to make sure your existing plan still meets your university’s needs or you’re looking to create a new incident response plan, here’s what you need to know about what it should contain and how it should be implemented.

NCSAM visual sidebar graphic

Related Content:

Learn what's driving the need for improved incident response in higher ed.

5 questions to ask when creating a computer security incident response team.

Download the checklist for a step-by-step guide to creating an incident response playbook. 

What Are Incident Response Policies and Plans?

Your incident response plan should be based on your incident response policy. An incident response policy defines key terms, including what constitutes an incident, and establishes time frames and priorities for reporting and responding to incidents. The policy also explains all roles and responsibilities related to incident response, including the responsibility of end users to report suspicious activity they witness. An incident response policy is short and it should be updated infrequently.

Your incident response plan should explain at a high level how your university’s incident response activities will be performed to implement the policy. The plan should also explain how incident response relates to other programs and efforts, such as contingency planning, and should provide a roadmap for improving the incident response capability over time. The National Institute of Standards and Technology has free guidance on what an incident response plan should contain.

Finally, both the policy and plan should reflect leadership’s commitment to incident response and its importance to the university community. Incident response helps protect everything from personally identifiable information to research notes, intellectual property and other confidential material. It supports the university’s students, faculty and staff, university partners, and the larger community.

READ MORE: Universities share lessons learned from ransomware attacks.

What Should Go Into an Incident Response Playbook?

An incident response playbook should document incident response activities in detail that allows a budget to be created to support them. Funding should include the people, processes and technology needed to execute the plan.

Most funding related to people is typically for incident responders, whether they’re part of the university or third parties, who provide 24/7 incident monitoring, analysis and handling capabilities. However, there are other noteworthy budget items related to people, including:

  • Training for incident responders, including the use of various specialized tools and techniques for forensic investigation and system recovery
  • Training for security operations center personnel, IT support staff and others who may receive incident reports or personally observe suspicious activity
  • Awareness for end users on how to spot incidents, how to report them and what to do (for example, powering off a computer infected with ransomware)

Click the banner below to learn how to strengthen your team's security strategy.

NCSAM 2022 banner NCSAM 2022 banner — mobile

Processes are often overlooked when it comes to incident response budgeting. It’s important to have funding for the development and maintenance of documented procedures for handling common situations.

For example, a university should have defined processes and procedures for incident-related communications, including reporting data breaches and interacting with affected parties, sharing incident information with other universities, and coordinating with law enforcement when appropriate.

Universities rely on playbooks to guide their incident responders in emergency situations. This helps ensure that incidents are handled correctly.

Most of the technologies useful for incident response are also beneficial in other ways, so they might not be specifically covered by the incident response budget. Examples of such technologies include:

  • Continuous monitoring for networks and systems
  • Centralized logging and log analysis, with automated reporting of suspicious activity
  • Network security controls for automatically isolating infected or compromised devices
  • Vulnerability management systems, including patch and configuration management
  • Anti-malware and anti-phishing tools
  • Help desk ticketing systems that can also be used for incident tracking

There are some technologies specific to incident response that the budget should cover including software, hardware and removable media for performing forensics on individual devices. Specialized software may also be needed for network forensic purposes.

LEARN MORE: How to lower higher ed cyber insurance premiums.

How Should an Incident Response Playbook Be Maintained?

Incident response plans should be reviewed and updated periodically — at a minimum, once a year — and always revisited when the university’s incident response policy is updated. The plan’s implementation should also be assessed regularly to identify areas for improvement.

Assessments should have at least two components: an analysis of recent incident responses to identify issues and trends that may necessitate updates to the plan or implementation, and periodic exercises or tests of the plan in different incident scenarios. At the core of maintaining these documents and processes is a qualified and skilled cyber incident response team.

Exercises and tests bring together people, processes and technology, and they can be incredibly valuable for identifying shortcomings and providing hands-on training for incident responders and others participating in these activities.

Of course, the incident response policy, plan, and plan implementation should all be updated as appropriate to reflect the lessons learned from incident response analysis, exercises and tests. This should make future response efforts go more smoothly, reduce damage and restore normal university operations more quickly.

Bookmark this page for more security stories during National Cybersecurity Awareness Month.

Nuria Seguí/Stocksy

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now