Forum Guide to Cybersecurity: Safeguarding Your Data
Chapter 4: After a Cybersecurity Incident—Recovery and Restoration
This chapter describes response activities to restore affected systems and data after a cybersecurity incident has occurred. In this resource, “after” a cybersecurity incident is defined as the time after the incident no longer poses an active threat. This period ends when all affected systems have been restored or replaced and the agency has resumed normal functionality. While the distinction between “during” and “after” a cybersecurity incident is relatively straightforward in principle, the moment when an incident has actually ended is not always clear. The endpoint may be more distinct in smaller incidents but harder to identify in widespread incidents. In some cases, an infrequently used device or system that is infected may go undetected for some time, such as a system that is only used once per year for annual data reporting. The recommendations below are not listed in linear order or order of importance; rather, they are recommended best practices that may occur concurrently or in sequence. The information is general in nature and not exhaustive. Agencies should adapt the information provided to meet their specific needs and requirements.
Investigate the Incident
An investigation will help determine the root cause of the incident, which enables an agency to implement strategies that will minimize the chance of future recurrence. Consult agency legal personnel for advice on how to proceed with an investigation. One important decision to be made when preparing for an investigation is whether to conduct an in-house investigation or solicit an external investigator or auditor. Important investigative matters include interviewing key personnel and locating, collecting, and preserving potential evidence.
For certain incidents, particularly those that may be criminal, evidence must be collected, analyzed, and preserved in a manner that ensures that the evidence is admissible in court. A computer forensics expert can help agencies with evidence collection and analysis. If criminal activity is suspected, be sure to coordinate with law enforcement on investigative matters. The U.S. Department of Justice, Computer Crime and Intellectual Property Section maintains a webpage with information and resources on reporting computer, internet-related, or intellectual property crime to federal investigative law enforcement agencies: https://www.justice.gov/criminal-ccips/reporting-computer-internet-related-or-intellectual-property-crime. If a financial crime is suspected, the U.S. Secret Service may be able to provide investigative assistance: https://www.secretservice.gov/investigation/#cyber.
The case study on recovering from a ransomware attack included in chapter 5 details the experience of a local education agency (LEA) responding to and recovering from an attack.
Restore or Replace Affected Systems
System restoration is a component of implementing an agency’s business continuity plan. Ideally, any affected systems will be quickly restored following a cybersecurity incident—good backups can certainly help. However, timely restoration is not always possible. Any systems directly affected by the incident may be inaccessible temporarily or permanently. Agencies should consider all available options for replacing, upgrading, restoring, and retiring any systems, hardware, devices, and software that were affected by the incident. At this stage, it can be helpful to consider the purpose and function of the system, the potential costs and benefits of restoration or replacement, and the security needs of the agency moving forward. Systems that are rebuilt or replaced can have stronger protections built in to better protect against cybersecurity threats and vulnerabilities.
If a critical system is offline or inaccessible for an extended period, local systems and routine processes may be strained. In this situation, a temporary application, system, or other alternative means of sharing information and data may be necessary. To be most effective, temporary systems should be developed and implemented quickly while ensuring that data are secure and confidentiality pledges are upheld. After a cybersecurity incident has been mitigated and any affected systems have been restored or replaced, agencies should formulate a plan to archive or destroy any temporary systems.
Major incidents that affect multiple systems for an extended period often incur significant expenses because of the costs of hardware, software, and labor. In certain cases, information technology (IT) staff will need support when recovering from a major incident. If additional staff are needed to aid in the recovery, agencies could consider temporarily reassigning staff, hiring new staff, or contracting with external groups (such as contractors, consultants, or vendors) to assist with recovery tasks such as inventory, data entry, and project management. Recovery activities could potentially be funded by cybersecurity insurance, reserve funds, infrastructure funding, or budget reallocations. Agency projects and priorities may also need to be adjusted following an incident.
Restore Affected Data
In the immediate aftermath of an incident, business operations and mission-critical functions (for example, heating, ventilation, and air conditioning (HVAC), payroll, and attendance) must be prioritized for business continuity. Given that certain data, such as student and personnel records, are necessary for a wide range of agency operations, it is also important to restore an agency’s data and data-related functions following a cybersecurity incident. Any data and records that are lost temporarily or permanently as a result of a cybersecurity incident will need to be retrieved from an alternative source. An offsite backup, cloud storage, or data warehouse is often the first source; however, if backup data are not immediately accessible, an alternate source may have some, if not all, of the data. For example, a state education agency (SEA) data warehouse may be a source of some LEA data. Any temporary paper records that were used to collect data while systems were offline will need to be keyed in once the system is operational. Agencies may need to temporarily reassign staff or contract with a data entry service to assist with manual data entry. If any data were reported while systems were affected by the incident, those data should be audited for accuracy.
Evaluate the Response
When the cybersecurity response has concluded and routine agency operations have resumed, it is time to evaluate the adequacy and effectiveness of the cybersecurity response plan. All aspects of the response effort, including the response plan, staff actions, and agency systems, should be considered as part of the evaluation. The response team should also solicit feedback from all staff involved in or affected by the incident to determine the effectiveness of the plan. Reviewing the response plan in light of the agency’s actual response will identify successful action items, as well as opportunities to improve.
Evaluation questions might include the following:
- Were the cybersecurity response planning activities adequate for the incident?
- What additional planning activities might have been helpful?
- Did the cybersecurity response team perform all of its necessary functions?
- Did the response team have adequate authority and preparation to complete the specific roles, duties, and responsibilities assigned to it in the cybersecurity response plan?
- Should new cybersecurity measures be used to automatically identify and mitigate potential future threats? If so, which tools, software, and protections should be implemented?
- Did agency policies and procedures help or hinder the response?
- Did the investigation reveal any shortcomings in the agency’s cybersecurity practices?
- How effective was communication, both within and outside of the agency?
- What steps were taken to ensure data privacy during and following the incident?
- Was the confidentiality of all student data protected?
- Are there any long-term consequences of the cybersecurity incident that need to be addressed or explained, such as lost or incomplete data?
- What changes to the response plan should be implemented immediately, and what changes should occur after the next system replacement or upgrade?
- What other lessons can be learned from the incident and response?
The evaluation outcomes can be a catalyst for improved cybersecurity measures, such as increased training and more robust network security. Based on the evaluation results, the agency’s business continuity plans, agency processes, and any affected systems should be reviewed and revised to strengthen future response efforts. Professional development and training materials should also be reviewed for potential preventative measures; subsequently, these materials should be updated to reflect any modifications to the response plan and incorporate lessons learned from the incident.
Checklist of Actions to Perform After a Cybersecurity Incident
✓ Consult legal counsel’s advice on how to proceed with an investigation.
✓ Coordinate with law enforcement if criminal activity is suspected.
✓ Consider all available options for replacing, upgrading, restoring, and retiring any assets (such as systems, hardware, devices, or software) affected by the incident.
✓ Assess the purpose and function of the affected asset, the potential costs and benefits of restoration or replacement, and the security needs of the agency moving forward.
✓ Build stronger cybersecurity protections into any systems that are restored or replaced.
✓ Use a temporary application, system, or another alternative if necessary.
✓ Archive or destroy any temporary systems once they are no longer needed.
✓ Consider retaining staff support when recovering from a major incident.
✓ Identify funding sources to pay for recovery activities.
✓ Prioritize restoring an agency’s business operations and mission-critical functions.
✓ Retrieve any lost data and records from an alternative source.
✓ Key in any data that were collected using temporary paper records.
✓ Audit any data that were submitted during the incident.
✓ Evaluate the adequacy and effectiveness of the cybersecurity response plan.
✓ Solicit feedback from staff to determine the effectiveness of the plan.
✓ Use the evaluation results as a catalyst for improved cybersecurity measures.
✓ Review and revise business continuity plans, agency processes, and any affected systems based on the evaluation results.
✓ Update professional development and training to incorporate preventative measures, response plan updates, and lessons learned.