(Drafted March 2026. Pending Governing Board Approval)

Incident Response Plan

1. Purpose

This plan outlines, at a high level, how Colearn Academy will prepare for, detect, respond to, and recover from cybersecurity incidents that could affect school systems, data, or operations.

2. Scope

This plan applies to incidents involving Colearn Academy information systems, data, or accounts, including incidents that occur in cloud‑hosted environments or involve third‑party services.

Operating context: Colearn Academy has no physical building and no school-owned hardware. Incidents typically involve cloud services, accounts, or family-/user-owned devices used for school access.

3. Roles and Responsibilities

3.1

The Information Security Lead coordinates incident response activities and may convene an incident response team that includes representatives from leadership, technology, operations, and other areas as needed.

3.2

Roles and responsibilities may include: triage and technical analysis, communications, coordination with vendors, coordination with authorizers or other agencies, and documentation.

4. Incident Lifecycle

4.1 Identification

Potential incidents may be identified through user reports, alerts from security tools, vendor notifications, or other sources. Suspected incidents should be reported promptly to the Information Security Lead or designated contact.

4.2 Triage and Containment

Upon notification, the School will assess the nature and scope of the suspected incident and determine initial containment steps (for example, disabling accounts, isolating affected devices, or limiting access), as appropriate.

4.3 Eradication and Recovery

As feasible, the School will work to remove malicious components, correct misconfigurations, or otherwise address the root cause, and then restore affected systems and data from clean backups or reliable sources.

4.4 Communication

The School will determine what internal and external communications are needed, which may include notifying leadership, affected users, vendors, authorizers, or government entities, consistent with applicable laws and contractual obligations.

4.5 Lessons Learned

After significant incidents, the School will review what occurred, what worked well, and what can be improved. Findings may inform updates to policies, configurations, training, or this plan.

5. Documentation

5.1

The School will maintain basic records of significant incidents, including dates, systems or data involved, actions taken, and key decisions.

6. Review

This plan will be reviewed at least annually and after significant incidents to ensure it remains relevant and effective.
