WiscNet is excited to introduce our "Guiding Questions" series, a thoughtfully curated set of queries to bolster your organization's cybersecurity preparedness. In today's digitally-driven world, it's crucial to stay ahead of potential cyber threats, and these guiding questions will serve as a compass to navigate the complex cybersecurity landscape.

What's in the series?

The series is designed to align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ensuring a comprehensive approach to your cybersecurity strategy. Each question set focuses on specific functional areas such as Identify, Protect, Detect, Respond, and Recover, ensuring a holistic view of your cybersecurity posture.

Tailored for Diverse Roles and Attack Vectors

Because cybersecurity is a multidisciplinary field, our questions cater to various roles within your organization, from IT professionals to executive leadership. Additionally, we address different attack vectors to ensure preparedness against many cyber threats.

How to use the Series

Our "Guiding Questions" series is more than just a checklist. It's a conversation starter and a tool for deep reflection. Exercise planners can select scenario questions, stimulating meaningful discussions and insights.

Guiding Questions: Cybersecurity Preparedness and Planning

The following sections include supplemental discussion questions to guide exercise play. Questions align with the NIST functional areas, specific attack vectors, and roles. Exercise planners are encouraged to select additional discussion questions applicable to the chosen scenario to bolster participant conversation.

  • How does <your school district’s> incident response plan aid in mitigating the cyberattacks presented? 
  • What level of funding and resources are devoted to cyber preparedness? 
  • Based on <your school district’s> risk assessment, what is the range of potential losses from a cyber incident?
  • Discuss cyber preparedness integration with your current all-hazards preparedness efforts. 
  • Who are <your school district’s> cyber preparedness stakeholders (public, private, non-profit, other)?
  • Who oversees cybersecurity management?  
  • How are background checks conducted for IT, security, and critical supporting personnel?
  • What precautions does <INSERT ORGANIZATION HERE> take against cyber threats?
  • How well-defined is cybersecurity concerning contracts with third-party support vendors and crucial suppliers?
    • How often are contracts reviewed?
    • How well do <INSERT ORGANIZATION HERE>’s service level agreements address incident response?
  • What protections does <INSERT ORGANIZATION HERE> have to defend against malicious intent by vendors or outside parties accessing your network? 
  • What are <INSERT ORGANIZATION HERE>’s formal or informal procedures for IT account management?
    • Do these procedures include protocols for establishing, activating, modifying, disabling, and removing accounts?
    • What is <INSERT ORGANIZATION HERE>’s process for deactivating the accounts and network access of former employees who were recently terminated or voluntarily resigned?
  • How does <INSERT ORGANIZATION HERE> baseline network activity? 
    • How would <INSERT ORGANIZATION HERE> be able to distinguish between normal and abnormal traffic?
  • What hardware and software does <INSERT ORGANIZATION HERE> use to detect and prevent malicious activity of unknown origin on <INSERT ORGANIZATION HERE>’s systems and network?
  • What is the procedure for deploying high-priority patches of user applications and software?
  • What is the process for students and parents/guardians to report suspicious cyber incidents? 
  • What current IT processes address these types of cyber incidents?
  • How are employees trained to recognize and report cyber threats such as phishing scams?
    • Does <your school or district> require additional training for those who fall for a fake phishing campaign? 
  • What is <INSERT ORGANIZATION HERE>'s password management policy for local or internal networks?
  • How regularly are users required to change their passwords? 
    • What is <your school district’s> account lockout policy if users don’t change their passwords promptly?
    • What are <your school district’s> requirements for password length and level of complexity?

Guiding Questions: Cybersecurity Information Sharing

  • What established mechanisms does <INSERT ORGANIZATION HERE> have to facilitate rapid information dissemination?
    • What are <INSERT ORGANIZATION HERE>’s known communication gaps? Who in <INSERT ORGANIZATION HERE> is responsible for addressing those gaps?
  • What other sources of cybersecurity threat intelligence does <INSERT ORGANIZATION HERE> receive (e.g., information from FBI, MS-ISAC, open-source reporting, security service providers)? 
    • What cyber threat information is most valuable?
    • Is the information you receive timely and actionable?
    • Who is responsible for collating information across <INSERT ORGANIZATION HERE>?
  • How is information shared among <INSERT ORGANIZATION HERE>’s internal and external stakeholders?
    • What formal and informal information-sharing mechanisms are in place?
  • What mechanisms and products are used to share cyber threat information within <INSERT ORGANIZATION HERE> and external to <INSERT ORGANIZATION HERE> (e.g., distribution lists, information sharing portals)? 
  • Describe how variables in threat information (timeframe, credibility, and specificity) impact decision-making.
  • What flowcharts showing the high-level relationships and crisis lines of communication (i.e., who calls who) does <INSERT ORGANIZATION HERE> have for a cyber incident? 
    • Are they part of <your school district’s> response or continuity planning documents?

Guiding Questions: Cybersecurity Incident Response Planning

  • When was <INSERT ORGANIZATION HERE>’s cybersecurity incident response plan issued, and when was the plan last revised?
  • Does <INSERT ORGANIZATION HERE>’s incident response plan identify who to contact if you suspect you have experienced a cyber incident?
  • What is <INSERT ORGANIZATION HERE>’s method for tracking and identifying problematic pieces of firmware in <INSERT ORGANIZATION HERE> if a vulnerability is identified?
  • When do <INSERT ORGANIZATION HERE>’s IT and helpdesk staff conduct network maintenance (e.g., specific days or times of day)?
  • What is the patch management plan of <your school or district>’s IT department?
    • Are risk assessments performed on all servers on the network?
    • Are there processes to evaluate each server’s criticality and the applicability of software patches to it?
  • What resources and capabilities are available to analyze an intrusion or mitigate the incident?
    • Internally?
    • Through the private sector (third-party vendors)?
    • Through government partners?
  • Describe the decision-making process for protective actions in a cyber incident. 
    • What options are available? 
    • Have these options been documented in the plans? 
    • How are they activated?
  • What immediate protection and mitigation actions would be taken at <INSERT ORGANIZATION HERE> in this scenario? Who is responsible for those actions?
  • What detection methods does <INSERT ORGANIZATION HERE> have to identify a compromise?
  • What protective actions would <INSERT ORGANIZATION HERE> take across non-impacted systems in the scenario presented? 
    • Who is responsible for protective action decision-making? 
    • How are actions coordinated across parts of <INSERT ORGANIZATION HERE>?
  • How would you rate the severity of this security incident for <INSERT ORGANIZATION HERE>? What additional notifications or actions would this prompt?
  • Describe whether this scenario exceeds <your school district’s> ability to respond.
    • If so, what are <your school district’s> established procedures to request additional support?
  • Who does <INSERT ORGANIZATION HERE> receive cyber response technical assistance from?
    • Does <INSERT ORGANIZATION HERE> have plans and procedures to access this assistance?  
  • Has <INSERT ORGANIZATION HERE> identified and established the service provider relationships needed for incident/breach response issues (e.g., credit counseling, forensic/computer security services)?
  • What challenges are experienced by information technology and business continuity planning regarding information sharing?
    • Is information flowing in both directions?
  • What processes are used to contact critical personnel anytime, especially outside business hours?
    • How does <INSERT ORGANIZATION HERE> proceed if critical personnel are unreachable or unavailable?
  • What alternative systems or manual processes are available to continue operations if a critical system is unavailable for a significant period?
    • Who can authorize the use of alternate systems or procedures?
  • When and how does <INSERT ORGANIZATION HERE> determine a cyber incident is closed?
  • What are <INSERT ORGANIZATION HERE>’s defined cybersecurity incident escalation criteria, notifications, activations, and courses of action?
    • Where does this incident fall within the incident severity schema for <INSERT ORGANIZATION HERE>?
    • When would <INSERT ORGANIZATION HERE> leadership be notified? 
    • When would <INSERT ORGANIZATION HERE>’s Board of Education (BOE) be informed of the cybersecurity incident?
  • When would <INSERT ORGANIZATION HERE>’s cyber incident response team be activated?
    • What are their priorities?
    • Does <INSERT ORGANIZATION HERE>’s BOE have a role on the cyber incident response team?
  • What incident de-escalation procedures are in place?
    • Has <INSERT ORGANIZATION HERE> established a quantifiable, repeatable process for determining when an incident is resolved and when the incident response team can stand down?
  • Describe <INSERT ORGANIZATION HERE>’s After Actions Report or lessons learned process.
    • Who leads this process for a cyber incident?
    • How are recommended improvements implemented and tested?
  • What remediation is required of employees to ensure an event like this does not happen again (training, self-education, etc.)?

Guiding Questions: Ransomware

  • What resources are required for incident investigation and attribution?
  • When have other schools or districts notified <INSERT ORGANIZATION HERE> after detecting a ransomware attack?
    • If they have not notified <INSERT ORGANIZATION HERE>, should they?
  • When would <INSERT ORGANIZATION HERE> notify other schools or other districts in your area after a ransomware attack is detected?
  • If you were one of the individuals who received the ransom demand, who would you inform internally? Who would you tell externally?
  • How is ransomware addressed in <INSERT ORGANIZATION HERE>’s incident response plan?
    • How frequently does <INSERT ORGANIZATION HERE> exercise its response to ransomware?
  • What formal policies and procedures does <INSERT ORGANIZATION HERE> have to document the process for restoring backed-up data?
    • Do these policies and procedures include measures for ensuring the integrity of backed-up data before restoration?
  • Where does <INSERT ORGANIZATION HERE> store backups of vital records?
    • Are your backups stored in a location separate from the primary working copies of your files?
    • How long does <INSERT ORGANIZATION HERE> keep backed-up copies of archived files?
    • How long would downtime last between losing your primary files and restoring them from backup?
  • How would <INSERT ORGANIZATION HERE> respond to the loss of student transcripts and test scores?
    • Who would be involved in the response?
    • Who would be notified at the local level? State level? Federal level?
  • What processes and resources are used for evidence preservation and forensics?
    • When would <INSERT ORGANIZATION HERE> engage law enforcement, if at all?
    • Who would <INSERT ORGANIZATION HERE> be contacting from local, state, and federal entities?
  • What steps would be taken to regain access to locked accounts? 
    • Do employees know who to contact in this situation?
  • What is <INSERT ORGANIZATION HERE>’s responsibility to provide credit monitoring or other identity theft protection services for individuals affected by the stolen data?
  • In addition to the concerns of data exfiltration, how would <INSERT ORGANIZATION HERE> address incorrect data in student records?

Guiding Questions: Phishing

  • How do employees report suspected phishing attempts?
    • When suspicious emails are reported, what actions does <INSERT ORGANIZATION HERE> take?
    • Are there formal policies or plans that would be followed?
    • Does <INSERT ORGANIZATION HERE> conduct phishing self-assessments?
  • How are students notified of possible phishing campaigns targeting their accounts?
    • How would parents/guardians be involved in this conversation?
  • Does <INSERT ORGANIZATION HERE> provide essential cybersecurity and IT security awareness training to all users (including managers, senior executives, and vendors)?
    • What topics does the training cover, and how often is it provided?

Guiding Questions: Data Exfiltration

  • How would <INSERT ORGANIZATION HERE> be notified if data exfiltration occurred in a neighboring school or district?
  • What actions would be taken when the exfiltration is discovered? Does <INSERT ORGANIZATION HERE> have written plans that would be implemented?
  • How will the potential sale of students’ sensitive or personally identifiable information (PII) impact <INSERT ORGANIZATION HERE>’s response and recovery activities?
    • Will IT alert authorities?
    • How have <INSERT ORGANIZATION HERE>’s public relations priorities changed?
    • Will it trigger any additional legal or regulatory notifications?

Guiding Questions: Distributed Denial of Service (DDoS) Attacks

  1. How does <INSERT ORGANIZATION HERE> detect and mitigate the effects of DDoS attacks?
    1. Does <INSERT ORGANIZATION HERE> contract with a vendor for DDoS protection?
    2. Who can activate the DDoS protections? (Standard services should always be on; however, some advanced features are triggered based on attack type and severity.)
    3. What processes and procedures does <INSERT ORGANIZATION HERE> have to notify the vendor that <INSERT ORGANIZATION HERE> is under a DDoS attack?  
    4. How are these processes and procedures documented in <INSERT ORGANIZATION HERE>’s incident response plan? 
  2. How has <INSERT ORGANIZATION HERE> tested or exercised the DDoS detection and mitigation capabilities?
  3. What active measure(s) does <INSERT ORGANIZATION HERE> employ to prevent distributed denial of service (DDoS) attacks against your websites and operational systems?
  4. What pre-written messages does <INSERT ORGANIZATION HERE> have to inform faculty, staff, students, and parents/guardians of a DDoS attack?
    1. Does this messaging include actions they should/should not take?

Guiding Questions: Communicating During a Cybersecurity Incident

  1. What steps would be taken to address the public following these cyber incidents?
    1. Is there a forum for parents to ask questions? 
    2. How would students be notified about the cyberattacks?
  2. Who is responsible for the dissemination of public information related to the incident? What training or preparation have they received?
  3. Does the public relations team have a dedicated list of individuals to contact in the event of an incident? Who is on that list? Are those offices/individuals listed in any order of priority? 
  4. How is <INSERT ORGANIZATION HERE> ensuring unity of message between <INSERT ORGANIZATION HERE>, the public partners, and elected officials?
  5. What online resources and communication formats does <INSERT ORGANIZATION HERE> use to inform parents, students, and the public about incidents?
  6. How would <INSERT ORGANIZATION HERE>’s public information office work jointly with other public relations offices/departments in the local, state, and federal government to ensure a consistent message is delivered to the public?

Guiding Questions: Legal

  1. What are the legal issues <INSERT ORGANIZATION HERE> must address?
  2. What legal documents should <INSERT ORGANIZATION HERE> have (for example, with third-party vendors)?
    1. Discuss the role of cybersecurity in contracts with third-party support vendors and crucial suppliers. Has <INSERT ORGANIZATION HERE> discussed cybersecurity concerns and risks with them?
  3. What is the role of the legal department in this scenario?
  4. What security breach notification laws apply to <INSERT ORGANIZATION HERE>? What do they include?

Further In Depth: Navigating the Legal Maze: A Wisconsin Organization's Guide to Cybersecurity Incident Response

When your organization faces a cybersecurity event, it's crucial to tackle the legal aspects head-on to minimize potential fallout. Here are the critical legal issues you should address immediately:

  1. Notification Laws Compliance: Check if the incident falls under any data breach notification laws. Many states, including Wisconsin, have specific laws about when and how to notify affected parties of a data breach. It's essential to comply with these requirements to avoid legal penalties.
  2. Contractual Obligations: Review contracts with third parties, like customers or vendors, with clauses related to data breaches or cybersecurity incidents. You may have obligations to notify these parties or take specific actions following a breach.
  3. Regulatory Reporting: Depending on your organization's sector (e.g., healthcare or finance), industry-specific regulatory bodies might require reporting of cybersecurity incidents. For example, healthcare organizations must consider HIPAA requirements.
  4. Preservation of Evidence: Safeguard all evidence related to the breach. This includes logs, affected systems, and emails. Legal proceedings or investigations might require these as evidence.
  5. Legal Counsel: Engaging with legal counsel early on is advisable. They can guide you through the complexities of the legal landscape, ensuring compliance and helping to mitigate risks.
  6. Communication Strategy: Any public statements or communications about the breach should be carefully crafted, often with the input of legal counsel, to ensure they don't inadvertently admit liability or contradict legal obligations.
  7. Insurance Notification: Notify your cybersecurity insurance provider, if you have one, per your policy's terms. They might have specific requirements or resources to assist in the response.
  8. Employee Training and Policies: Review your policies and training procedures to ensure they are current and employees understand their roles in compliance and legal reporting.
  9. Incident Response Plan Review: Post-incident, review and update your incident response plan to incorporate lessons learned and improve for future responses.

Follow-up Questions

  • How can we improve our incident response plan to align with legal requirements?
  • What training can we provide to our staff to better prepare them for the legal aspects of a cybersecurity incident?
  • Can we collaborate with other Wisconsin-based organizations to develop a unified approach to legal compliance in cybersecurity incidents?

Further In Depth: Understanding Wisconsin's Data Breach Notification Laws: A Guide for WiscNet Member Organizations

Wisconsin has specific laws regarding notification of affected parties during a data breach. These laws are outlined in the Wisconsin Statutes, specifically in § 134.98, which deals with notice to persons affected by a breach of personal information. Here are the key points:

  1. Definition of Personal Information: In Wisconsin, personal information is defined as an individual's first name or first initial and last name, in combination with any of the following: social security number, driver's license number or state identification number, financial account number, credit or debit card number, or any security code, access code, or password that would permit access to the individual's financial account.
  2. Breach Notification Requirement: If there is unauthorized acquisition of personal information, the entity holding that information must notify the individuals affected. This notification should occur without unreasonable delay, considering the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the data system's integrity.
  3. Timing of Notification: Notification to affected individuals must be made within a reasonable time, at most 45 days after the entity becomes aware of the breach, unless a shorter time is required by federal law.
  4. Content of Notification: The notification should include, to the extent possible, the type of personal information that was compromised, the time of the breach, the contact information for the organization, and a description of what the entity is doing to address the breach.
  5. Notification to Consumer Reporting Agencies: If the entity needs to notify more than 1,000 persons at one time, it must also notify all consumer reporting agencies that compile and maintain consumer files nationwide.
  6. Exemption for Encrypted Information: If the data breached was encrypted, notification is not required unless the encryption key was also acquired in the breach.
  7. Penalties for Non-Compliance: Entities that fail to comply with these requirements may face legal consequences, including but not limited to civil penalties.

Follow-up Questions

  • How can organizations ensure they are prepared to meet the 45-day notification requirement during a data breach?
  • What steps can be taken to communicate effectively and securely with affected individuals after a breach?
  • How can organizations in Wisconsin stay updated on changes to these laws and best practices in data breach response?