Playbooks

Playbooks describe processes to respond to common cyber-security events.

We have a number of playbooks for addressing common cyber security scenarios.

1 - Playbook: System outage response plan (draft)

This document is a ‘playbook’ that describes the processes around identification, considerations and communication of outages across the University.

It is requested that the draft be discussed with recommendations for improvement.

  • Cyber Incident Response plan

Systems

The following systems are considered in the scope requiring communication to stakeholders, as they provide aspects of the learning and teaching environment for staff and students. The first nine items would be considered core to the learning environments of the University. Of these, starred items (*) are under direct influence of the IT team for management of planned outages, and double-starred items (**) are managed by other staff of the University. While we are not able to affect planned outages on other systems, we may want to communicate about these.

Core:

  • ARK*
  • Paradigm*
  • Turnitin
  • Zoom
  • UMS*
  • LibraryHub page**
  • Library authentication (OCLC)
  • Library catalogue/search service
  • Library journal and ebook platform
  • Research Repository*
  • University website*
  • Vox website*
  • Staff website*
  • Forms website*
  • Risk Register*
  • Support website*
  • Cybersecurity website*
  • StaffPlus
  • Blue (Student Unit Evaluations)
  • Slack
  • Mailchimp
  • University email
  • University Sharepoint
  • University phones
  • University DNS*

Communication channels

The university has the following channels available for communication. Each option provides a different scope for the audience on the communication.

  • ARK notice
  • ARK announcement email
  • generic email
  • bulk email
  • website banner
  • social media (Twitter, Facebook)
  • Slack
  • University status page

Communication for ‘planned’ outages for in-scope systems

  1. The Information Technology Manager (ITM) is made immediately aware of any planned outages for starred systems

  2. If and where possible, the ITM negotiates the timing of the planned outage to ensure the least disruption to service, in preferred order of: non-teaching weeks, weekends, then early mornings

  3. ITM writes up communication to be sent out to users of affected systems, including impacted systems and users, timing and duration

    • User groups: Principals, Deans, Registrars, ARKLOs, Teaching Staff, Students, Honorary Staff, College Professional staff, OVC Staff

  4. ITM determines how this information will be communicated and on which channels

  5. The timing of this communication is to be either (a) 4 weeks prior to the planned outage; or (b) as soon as possible (if within 4 weeks) along with (c) a reminder at the start of the week of the planned outage

  6. The ITM will co-ordinate the removal of any notices requiring such

For ‘unplanned’ (e.g. disruption in services) outages for in-scope systems

  1. ITM is immediately made aware of any outages on the in-scope systems

  2. ITM determines if the event constitutes a Cyber Incident.

  3. If it is not a cyber incident, the ITM determines the required course of action going forward, including user scope, systems impacted and communication to be distributed

  4. ITM writes up communication to be sent out to users of affected systems

  5. ITM determines how this information will be communicated and on which platforms

  6. The timing of this communication can be staggered with all affected users notified within 20 minutes of notice of the outage

  7. The ITM will co-ordinate the removal of any notices requiring such

Notice content

The ITM will work with the Communication and Events Manager to develop a set of standard notices for scheduled maintenance, tailored to each communication platform. This ensures consistent information is present in the communication.

2 - Playbook: Phishing activity observed

  1. Immediately notify (1) the IT Manager

  2. Provide the following information:

    • how you received the link (email, SMS, etc.)
    • which legitimate site the phishing site was attempting to impersonate (i.e. made to look like Office365, Adobe, etc.)
    • Have you used the password for any other sites (UD or personal)?