Incident Response Management: IR Capability Planning

Incident Response Capability

Incident Response Capability focuses on the preparation and planning required to ensure your organization is protected and prepared in the event of an incident. This includes coordinating among local, state, and federal partners and assisting PSUs in performing the technical and business preparation steps.

Service Description

The NCDPI K-12 Cybersecurity Program team recognizes the growing challenges that PSUs face concerning cybersecurity, encompassing data breaches, ransomware, and third-party compromises. Alongside prevention and detection efforts, a robust incident response (IR) plan is essential for PSUs to effectively respond to and recover from cybersecurity incidents.

The NCDPI K-12 Cybersecurity Program proudly presents the PSU Incident Response Toolkit, a comprehensive set of incident response templates and resources, collaboratively developed by the program and its partners. These invaluable resources offer practical strategies for PSU teams to efficiently respond to incidents, minimizing the impact on their learning and working environment.

The PSU Incident Response Toolkit has five essential components to equip PSUs with the tools and knowledge to effectively detect, respond to, and recover from cyber incidents. The toolkit's components include Incident Response Guidelines, Policy, Plan, Procedures, and Playbooks.

Program Services & Resources

Delivery Mechanisms

The IR toolkit will have two delivery methods for the user’s convenience:

PSU IR Toolkit Single Document

  • Consolidates 12+ separate IR documents into a single IR Toolkit structure format, leveraging Google Document Tabs.
  • Google Docs features a new organizational layer called tabs. Docs allows users to create one or more tabs within a single document, similar to how there are tabs in Sheets today. Each tab has its own title and ID (appended in the URL). A tab can also have child tabs, which are tabs that are nested beneath another tab.

go.ncdpi.gov/PSU-IR-Toolkit

PSU IR Toolkit Generation and Autofill

  • The 2025 PSU IR Toolkit will be released with an option to be generated with customized inputs from users.
  • Upon completion of a Google Form with questions pertaining to key IR Toolkit sections, a Toolkit folder/document will be generated and shared.
  • This method aims to dramatically reduce user error and time commitment in completing the personalized inputs for each PSU reviewing the toolkit.

PSU IR Toolkit Generation Form

Key Benefits

  • Incident Response Capability – Developing your PSU organizational Policy, Plan, and Procedures for IR
  • Incident Prevention – Preventing problems is often less costly and more effective than reacting to them after they occur
  • Predetermined Communication Guidelines – Ensuring only the appropriate information is shared with the right parties at the right time
  • Incident Handling SOPs for Common Attack Vectors – PSUs should develop general processes for handling incidents caused by common attack vectors
  • Incident Detection and Analysis – Establish PSU logging standards and procedures to ensure adequate information is collected and it is reviewed regularly
  • Guidelines for Incident Prioritization – PSUs should prioritize incidents based on relevant factors like functional impact, informational impact, and recoverability
  • Lessons Learned Process – Post mortem to review effectiveness of IR handling process and identify improvements in cybersecurity controls and practices

PSU Time Commitment

Upfront/Setup: Varies depending on the scale and scope of the IR engagement (e.g. 2 hours for overview and brief TTX, 3-5 hours for in-depth TTX, 2-4 hours IR plan review)
Ongoing: Annual IR Plan review and TTX

How to get this service

If you are interested in any of, or have questions about, the Proactive Incident Response services, please contact the K-12 Cybersecurity Program team at k12cybersecteam@dpi.nc.gov.

Key Resources