9:150-AP1 Information Security Incident Response

Purpose

This procedure establishes a consistent, districtwide framework for identifying, reporting, escalating, and managing information security incidents involving District systems, devices, accounts, or data. This supports transparency, accountability, and compliance with applicable laws, regulations, and cybersecurity best practices while protecting the security and integrity of District information systems.

Scope

This procedure applies to all information security incidents that may affect:

  • District-owned or managed information systems and networks
  • District-issued or District-managed devices
  • Student, staff, or operational data
  • Third-party systems that process or store District data

This procedure applies to all employees, contractors, and other users of District technology resources.

I. Procedure Transparency and Security

This Administrative Procedure is intentionally written at a high level to support public transparency and regulatory compliance.

Detailed technical controls, system configurations, investigative methods, vendor relationships, and incident response playbooks are maintained in restricted District documentation and are not publicly disclosed to protect the security of District systems and data.

II. Definitions

Information Security Incident
Any suspected or confirmed event that results in, or may result in, unauthorized access, disclosure, modification, loss, or disruption of District information or information systems. This includes, but is not limited to, events involving systems such as SIS, Finance, and Email.

Incident Response Team (IRT)
The District personnel designated to coordinate the response to information security incidents.

Emergency Operations Plan (EOP) Activation
The formal activation of the District’s Emergency Operations Plan when an incident requires coordinated districtwide leadership, communication, or continuity actions.

III. Roles and Responsibilities

All Employees and Users

  • Remain vigilant for potential information security incidents
  • Report suspected or confirmed incidents promptly in accordance with this procedure

Technology Department / Incident Response Team (IRT)

  • Coordinate the identification, assessment, and management of information security incidents after notification to the Superintendent or designee
  • Implement response actions consistent with District standards and applicable laws

Administration and Communications

  • Coordinate internal and external communications when required
  • Ensure compliance with notification obligations and District communication protocols

Superintendent and Cabinet

  • Receive immediate notification of all reported information security incidents that may involve actual or potential loss of data, breaches of confidentiality, unauthorized access, or unauthorized changes to District information systems
  • Provide executive oversight and determine whether additional escalation, including Emergency Operations Plan activation or legal consultation, is required

IV. Reporting Requirements

All events that could result in the actual or potential loss of data, breaches of confidentiality, unauthorized access, or unauthorized changes shall be reported immediately to the Superintendent or designee using District-approved reporting methods.

Methods:

  • Enter a ticket in the Helpdesk
  • Call the Helpdesk line at 630-937-8838
  • Email the Director of Information Services

Immediate escalation is required for incidents that may involve:

  • Student data or other regulated information
  • Significant disruption to instructional or operational systems
  • Suspected criminal activity or legal reporting obligations

Delays in reporting may increase risk to District systems and data.

V. Incident Response Governance

The District follows a standardized incident response lifecycle that includes:

  1. Identification and initial assessment
  2. Containment of potential impact
  3. Investigation and analysis
  4. Remediation and recovery
  5. Post-incident review and improvement

Detailed operational response procedures are maintained in restricted District incident response documentation.

VI. Escalation and Emergency Operations Plan (EOP) Integration

Information security incidents may be escalated and managed under the District’s Emergency Operations Plan when the incident:

  • Impacts multiple schools, departments, or critical systems
  • Involves the exposure of regulated or protected data
  • Requires coordinated districtwide communication
  • Affects the continuity of District operations

When activated, the EOP provides a structured framework for leadership, coordination, communication, and recovery.

VII. Notification and Compliance

The District will comply with all applicable legal, regulatory, and contractual notification requirements related to information security incidents.

When required by law or regulation, notifications may include affected individuals, parents/guardians, regulatory agencies, or other appropriate parties.

All notifications are coordinated through District administration and communications staff in accordance with District protocols.

VIII. Documentation and Records

The District maintains documentation for information security incidents as appropriate, which may include:

  • Incident summaries and timelines
  • Impact assessments
  • Actions taken to mitigate and resolve the incident
  • Lessons learned and improvement recommendations

The initial report and key details (date/time, reporter, system/data involved, initial assessment, actions taken) will be logged in the District’s incident tracking system and retained per records requirements.

IX. Post-Incident Review and Continuous Improvement

Following significant information security incidents, the District conducts a post-incident review to:

  • Evaluate the effectiveness of response actions
  • Identify opportunities for improvement
  • Update procedures, training, or safeguards as appropriate

The District conducts periodic training and tabletop exercises to support preparedness and continuous improvement.

X. Review and Maintenance

This Administrative Procedure is reviewed at least annually by the Technology Department and updated as necessary to reflect changes in law, risk environment, or best practices.

Date Approved: March 2, 2026

Batavia Public School District 101