
Incident Response Management: IR Capability Planning

Security Domain

CIS Control 17 – Incident Response Management
NIST CSF – Response: Incident Management (RS.MA), Incident Analysis (RS.AN), Incident Response Reporting and Communication (RS.CO), Incident Mitigation (RS.MI)
NIST 800-53 – Incident Response

What Is Incident Response?

Incident Response is the collective effort taken by an organization to minimize damage, reduce downtime, and restore normal operations as quickly as possible after an incident occurs. Taken together, these efforts create, provision, and operate an organization’s incident response capability. NCDPI divides this process into two pieces to better define the required actions and responsibilities: Incident Response Capability Planning and Incident Response Handling.

Incident Response Capability

Incident Response Capability focuses on the preparation and planning required to ensure your organization is protected and prepared in the event of an incident. This includes coordinating among local, state, and federal partners and assisting PSUs in performing the technical and business preparation steps.

Service Description

K-12 Cybersecurity Program Core Teams providing Incident Response Capability Planning services

The NCDPI K-12 Cybersecurity Program team recognizes the growing cybersecurity challenges that PSUs face, including data breaches, ransomware, and third-party compromises. Alongside prevention and detection efforts, a robust incident response (IR) plan is essential for PSUs to effectively respond to and recover from cybersecurity incidents.

The NCDPI K-12 Cybersecurity Program proudly presents the PSU Incident Response Toolkit, a comprehensive set of incident response templates and resources, collaboratively developed by the program and its partners. These invaluable resources offer practical strategies for PSU teams to efficiently respond to incidents, minimizing the impact on their learning and working environment.

The PSU Incident Response Toolkit has four essential components that equip PSUs with the tools and knowledge to effectively detect, respond to, and recover from cyber incidents. The toolkit's components are the Incident Response Guidelines, Policy, Plan, and Procedures.

Products and Services

Key Benefits

  • Incident Response Capability – Developing your PSU's organizational Policy, Plan, and Procedures for IR
  • Incident Prevention – Preventing problems is often less costly and more effective than reacting to them after they occur
  • Predetermined Communication Guidelines – Ensuring only the appropriate information is shared with the right parties at the right time
  • Incident Handling SOPs for Common Attack Vectors – PSUs should develop general processes for handling incidents caused by common attack vectors
  • Incident Detection and Analysis – Establishing PSU logging standards and procedures to ensure adequate information is collected and reviewed regularly
  • Guidelines for Incident Prioritization – PSUs should prioritize incidents based on relevant factors such as functional impact, informational impact, and recoverability
  • Lessons Learned Process – A post-mortem to review the effectiveness of the IR handling process and identify improvements in cybersecurity controls and practices

Cost to PSUs

No cost – funded by NCDPI

PSU Time Commitment

Upfront/Setup: Varies depending on the scale and scope of the IR engagement (e.g., 2 hours for an overview and brief TTX, 3-5 hours for an in-depth TTX, 2-4 hours for an IR plan review)
Ongoing: Annual IR Plan review and TTX

How to get this service

If you are interested in any of the Proactive Incident Response services, or have questions about them, please contact the K-12 Cybersecurity Program team at k12cybersecteam@dpi.nc.gov.

Key Resources