National Forum on
Education Statistics

Newsflash

Contact

GHEDAM BAIRU
Forum Director
National Forum on Education Statistics

Statistical Standards Program Staff

Forum Guide to Cybersecurity: Safeguarding Your Data

Appendix A: Cybersecurity Checklist

There are many operational tasks necessary to effectively plan for and respond to a cybersecurity incident. The following list of activities can assist state and local education agencies (SEAs and LEAs) as they create a new cybersecurity response plan or improve an existing one. Additional details about these planning and response activities can be found in chapters 2 through 4. The tasks are not listed in linear order or order of importance; rather, they are best practices that may occur concurrently or in sequential order. This list is not exhaustive or prescriptive, and agencies should modify the tasks and activities in this checklist to best meet their needs. Readers are encouraged to print this checklist and share it with their colleagues.

Actions to Perform Before a Cybersecurity Incident

• Develop a comprehensive inventory of all network-connected assets.
• Implement high-impact, low-cost solutions to secure networks, devices, accounts, and passwords.
• Provide regular training for all end-users of network-connected systems, including students.
• Secure agency networks, properly configure and segment agency networks, and establish a secure network perimeter.
• Conduct regular security, systems, and data assessments in a coordinated fashion with stakeholder participation.
• Consider hiring a third-party expert or Certified Ethical Hacker to assess agency security.
• Use assessment results to determine whether any systems need to be updated or replaced, and whether any data need to be migrated or destroyed.
• Enable automated tools and software to identify potential vulnerabilities and protect against threats.
• Establish a cybersecurity response plan that will be followed when an incident occurs.
• Align cybersecurity planning activities with related planning and preparation activities.
• Form a cybersecurity response team and include members from across the agency.
• Ensure agency leadership understands and supports the response plan.
• Coordinate with relevant agencies, community partners, vendors, and utility providers, when appropriate.
• Proactively review federal, state, and local policies and procedures.
• Adopt comprehensive security plans, protocols, and procedures.
• Regularly review which data should be collected and which should not.
• Set criteria for who may, and may not, have access to systems and data.
• Assign responsibility for monitoring system permissions, regularly monitor who has access, and revoke access when necessary.
• Examine data retention policies to ensure that data are properly retained and destroyed.
• Review current insurance policies and coverage for cybersecurity incident protection.
• Create coherent policies for identity management and passwords.
• Follow the principle of least privilege.
• Incorporate cybersecurity into procurement and purchasing processes.
• Consider the purchase of a retainer for expert forensics services.
• Review vendor contracts for cybersecurity requirements and responsibilities.

Actions to Perform During a Cybersecurity Incident

• Report the suspected cybersecurity incident to the specific department/staff responsible for confirming whether an incident has occurred.
• Confirm that an incident has occurred by examining the available evidence and information.
• Determine the scope and severity of the incident to identify the impact.
• Consult the response plan to determine how to proceed.
• Prioritize essential business functions to help focus response efforts.
• Consider using alternate or temporary communication methods if regular communication channels are impacted.
• Contact the agency’s cybersecurity insurance provider to ensure that response activities are per policy requirements.
• Consult legal personnel to determine the agency’s responsibilities and requirements, including situations where personally identifiable information (PII) has been exposed.
• Communicate the response plan to staff at all levels of the agency.
• Communicate the incident to law enforcement if criminal activity is suspected.
• Communicate facts about the incident to external stakeholders, including parents.
• Inventory all systems, determine which systems have been affected, and assess whether any data or information have been compromised.
• Prepare an alternate data collection process for any collections that must continue while systems are offline/inaccessible.
• Retrieve any lost data from an alternative source.

Actions to Perform After a Cybersecurity Incident

• Consult legal counsel’s advice on how to proceed with an investigation.
• Coordinate with law enforcement if criminal activity is suspected.
• Consider all available options for replacing, upgrading, restoring, and retiring any assets (such as systems, hardware, devices, or software) affected by the incident.
• Assess the purpose and function of the affected asset, the potential costs and benefits of restoration or replacement, and the security needs of the agency moving forward.
• Build stronger cybersecurity protections into any systems that are restored or replaced.
• Use a temporary application, system, or another alternative if necessary.
• Archive or destroy any temporary systems once they are no longer needed.
• Consider retaining staff support when recovering from a major incident.
• Identify funding sources to pay for recovery activities.
• Prioritize restoring an agency’s business operations and mission-critical functions.
• Retrieve any lost data and records from an alternative source.
• Key in any data that were collected using temporary paper records.
• Audit any data that were submitted during the incident.
• Evaluate the adequacy and effectiveness of the cybersecurity response plan.
• Solicit feedback from staff to determine the effectiveness of the plan.
• Use the evaluation results as a catalyst for improved cybersecurity measures.
• Review and revise business continuity plans, agency processes, and any affected systems based on the evaluation results.
• Update professional development and training to incorporate preventative measures, response plan updates, and lessons learned.