Incident Response Planning Guide for K–12 Schools (California Edition)


A student clicks a bad link. A teacher reports weird login activity. Your SIS goes offline right before state testing.

Now what?

This page helps California K–12 districts create a clear, repeatable, and realistic cyber incident response plan — even if you don’t have a full-time CISO or on-call legal team.

🚨 What Counts as a Cyber Incident?

  • Phishing emails that lead to compromised accounts
  • Malware or ransomware attacks
  • Unauthorized access to student or staff data
  • System outages tied to suspicious activity
  • Lost/stolen devices with sensitive data

🧩 The 5-Part Response Framework

1. Detect & Alert

  • Encourage all staff to report strange emails, logins, or system behavior
  • Set up a central reporting inbox (e.g., security@district.org)
  • Use tools that alert on suspicious logins or file access

2. Contain

  • Disable affected accounts or isolate impacted devices
  • Change passwords and revoke access tokens if needed
  • Coordinate with your MSP or IT team to contain spread

3. Assess Impact

  • What systems are affected?
  • Was data accessed or exfiltrated?
  • Are students/staff directly impacted?

4. Notify & Escalate

  • Notify key internal contacts (IT lead, site admin, superintendent)
  • Determine if law enforcement or legal counsel is needed
  • If student data is compromised, prepare to notify families

5. Recover & Review

  • Restore systems from clean backups
  • Log and document every action taken
  • Update your incident response plan based on lessons learned
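To make the "Detect & Alert" step concrete, here is an added example (not code from the Cybersecure California guide) of the kind of simple check a district IT team or MSP can run over sign-on logs to raise an alert worth sending to the central reporting inbox. The log format, user names, IP addresses, and thresholds are constructed assumptions; a real SSO or SIEM product will have its own fields and tuning.

```python
"""Added example (not from the Cybersecure California guide): a minimal
detector that reviews authentication log lines and raises the kind of
alert the "Detect & Alert" step describes. The log format, user names,
IP addresses, and thresholds below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO log, one event per line: timestamp, user, result, source IP.
SAMPLE_LOG = """\
2024-03-04T07:58:10 jdoe FAIL 203.0.113.5
2024-03-04T07:58:20 jdoe FAIL 203.0.113.5
2024-03-04T07:58:31 jdoe FAIL 203.0.113.5
2024-03-04T07:58:40 jdoe FAIL 203.0.113.5
2024-03-04T07:58:55 jdoe SUCCESS 203.0.113.5
2024-03-04T08:02:00 asmith SUCCESS 198.51.100.20
2024-03-04T08:15:00 asmith SUCCESS 198.51.100.20
2024-03-04T08:20:00 asmith SUCCESS 192.0.2.77
2024-03-04T08:30:00 mlee SUCCESS 198.51.100.20
"""

FAIL_THRESHOLD = 4                # failures before a success that count as a guessing burst (assumed)
FAIL_WINDOW = timedelta(minutes=5)  # how far back failures still count (assumed)


def parse_log(text):
    """Turn raw lines into (timestamp, user, result, ip) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, result, ip = parts
        try:
            events.append((datetime.fromisoformat(ts), user, result.upper(), ip))
        except ValueError:
            continue
    return events


def detect_suspicious_logins(events, known_ips=None):
    """Return one alert string per finding, for two patterns:
    1. a burst of failed logins followed by a success (possible password guessing)
    2. a successful login from an IP never seen before for that user
    known_ips: optional {user: set(ips)} already trusted from earlier history."""
    seen = defaultdict(set, {u: set(ips) for u, ips in (known_ips or {}).items()})
    recent_failures = defaultdict(list)
    alerts = []
    for ts, user, result, ip in sorted(events):
        if result == "FAIL":
            recent_failures[user].append(ts)
            continue
        # Keep only failures inside the window, then judge this success against them.
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
        if len(recent_failures[user]) >= FAIL_THRESHOLD:
            alerts.append(f"{user}: {len(recent_failures[user])} failed logins then success "
                          f"from {ip} at {ts.isoformat()}")
        recent_failures[user] = []
        # A user with login history signing in from an address never seen for them.
        if seen[user] and ip not in seen[user]:
            alerts.append(f"{user}: first login from new IP {ip} at {ts.isoformat()}")
        seen[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(parse_log(SAMPLE_LOG)):
        print("ALERT", alert)
```

Each alert line is something a staff member can act on in the Contain step (disable the account, reset the password, revoke tokens) and should itself be copied into the response log so the timeline is complete. The thresholds are deliberately conservative; start strict, review what fires for a few weeks, and loosen only where the noise is clearly benign.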

🧠 Who Needs to Know What (And When)?

District IT Staff:

  • Lead containment and technical recovery
  • Document timelines and technical details

School Leadership (Principals, Superintendents):

  • Coordinate communication and decision-making
  • Reassure staff, board, and community

Frontline Staff:

  • Report suspicious activity
  • Know who to contact and what not to do (don’t delete suspicious emails!)

Families (if needed):

  • Transparent updates if student data is involved
  • Offer steps for monitoring or password resets

🛠 Tools That Help

  • Incident response worksheet (coming soon)
  • Log sheet template for response actions
  • MSP support with forensic investigation
  • Crisis communication templates for internal/external messaging

✅ Minimum Plan Components

Your incident response plan should include:

  • Key contacts and roles
  • Steps for common scenarios (phishing, ransomware, device theft)
  • Communication flowchart
  • Recovery checklist
  • Location of backups and documentation logs

💡 Final Word

You don’t need to be perfect. You need to be prepared.

A simple, practiced plan beats a 50-page policy no one can follow.

Cybersecure California is here to help your district respond with clarity, confidence, and community trust — even under pressure.

Start with this guide. Make it yours. And rehearse before it’s real.