Create Next App

EMERGENCY RESPONSE — DO NOT DISCARD

Cyber Incident Break-Glass Playbook

[Name]

District

[#]

# of students

[#]

# of campuses

[City, state]

City, state

Document Version

v1.0 · default template

Last Printed

Never

1 First 15 Minutes

If you are reading this, an incident is suspected or in progress. Work the steps in order — do not skip ahead.

Stop. Do not power down or reboot any affected machine.

Disconnecting from the network is fine and recommended. A clean shutdown can destroy forensic evidence and may complete an attacker's encryption process. Pull the network cable, do not press the power button.

Call the District Cybersecurity Coordinator on a phone not connected to the district network.

[Coordinator name] · [Personal cell]. Use cellular service or a personal device. Email and Teams may be compromised.

Coordinator notifies the Superintendent and activates the response team.

See Section 2 for the full call list. Notify in this order: Superintendent → Asst. Super (Operations) → Communications Lead → Legal Counsel.

Call the cyber insurance 24/7 hotline before contacting outside investigators or vendors.

[Carrier] · [24/7 hotline] · Policy [Policy number]. Carrier-approved forensic firms must lead the investigation or your claim may be denied.

Begin the formal incident log. Write everything down with timestamps.

Use a paper notebook (not a district laptop). Note who did what, when. This becomes your forensic record, your insurance claim evidence, and your AAR source. More information is always better than less.

Within 48 hours, file the Texas DIR security incident report.

DIR Security Hotline · 1-877-347-2476 (24/7). Report via SPECTRIM portal. Required by Texas Government Code §2054.603. Do not delegate this — it is the Coordinator's responsibility.

⛔ Do Not — under any circumstances

Do not pay a ransom demand. It is prohibited under Texas SB 1893 for K-12 districts and may violate federal law.
Do not talk to media or post on social media until Communications Lead has issued a holding statement (Section 4).
Do not negotiate or communicate with the threat actor without legal counsel and FBI involvement.
Do not restore from backup until the forensic firm clears your environment of persistence — you will reinfect.
Do not log incidents in the district email or chat — assume both are compromised. Use phone, personal email, or paper.

2 Critical Contacts — Phone Tree

Notify in tier order. Tier 1 and Tier 2 are district-specific — edit before relying on this playbook in production. Tier 3 authority contacts are pre-filled and the same for every Texas K-12 district.

Tier 1 · Notify Immediately

Cybersecurity Coordinator

[NOT YET CAPTURED]

[Personal cell]

[Email (for TEA template)]

[24/7 availability note]

Superintendent

[NOT YET CAPTURED]

[Personal cell]

[24/7 availability note]

Asst. Super, Operations

[NOT YET CAPTURED]

[Personal cell]

[Role / availability]

Communications Lead

[NOT YET CAPTURED]

[Personal cell]

[Role / availability]

Tier 2 · Insurance, Vendors, Counsel

Cyber Insurance — 24/7 Hotline

[Carrier name]

[24/7 hotline]

[Policy number]

Managed Services Provider

[MSP name]

[24/7 NOC phone]

[Contract number]

Backup Vendor — Support

[Vendor name]

[Support phone]

[Severity tier]

Cyber-aware Legal Counsel

[Firm + attorney name]

[Phone]

[Retainer status]

SIS Vendor — Support

[SIS vendor name]

[Support phone]

[Customer ID]

Internet Provider — Emergency

[ISP name]

[Emergency phone]

[Account number]

Tier 3 · State & Federal Authorities

Texas DIR — Security Hotline

DIR Network Security Operations

1-877-347-2476

24/7 · 877-DIR-CISO · file via SPECTRIM

FBI — Houston Field Office

FBI Cyber Task Force

(713) 693-5000

also: ic3.gov for online filing

Texas Education Agency

TEA Cyber Notification

cyber@tea.texas.gov

required per Tex. Educ. Code §11.175

CISA — Region 6

CISA Central

1-888-282-0870

central@cisa.gov

3 System Recovery Sequence

Restore in this order. Edit tier per row to reorder priority — table auto-sorts T1 → T2 → T3. Do not begin recovery until forensic firm clears the environment.

Tier	System	Restoration Approach	Target RTO
T1	VoIP Phone System [Vendor + deployment]	[Restoration approach]	[N h]
T1	Building Access Control [Vendor + deployment]	[Restoration approach]	[N h]
T1	Student Information System [Vendor + deployment]	[Restoration approach]	[N h]
T2	Email & Productivity [Vendor + deployment]	[Restoration approach]	[N h]
T2	Financial / HR System [Vendor + deployment]	[Restoration approach]	[N h]
T2	File Shares [Vendor + deployment]	[Restoration approach]	[N h]
T3	Learning Management [Vendor + deployment]	[Restoration approach]	[N h]
T3	Library Catalog [Vendor + deployment]	[Restoration approach]	[N h]

4 Communications Templates

Templates pre-populated for every district. Communications Lead and Legal Counsel approve before sending. Fill the [blue blanks] at incident time. District-specific fields edit once and substitute everywhere.

Parents & Community

Channel: [Parent communication channel]

[District name] is currently responding to a cybersecurity event affecting some of our technology systems. Student safety is not at risk, and instructional operations [continue / are temporarily adjusted] while we work with our partners to restore systems.

We are working with cybersecurity experts and have notified appropriate state and federal authorities. We will share updates as more information becomes available. Please direct questions to [Communications Lead phone].

Internal Staff

Channel: phone tree + paper memo (do not use district email)

[District name] is responding to a suspected cybersecurity incident. Effective immediately:

• Do not log into district systems unless instructed.
• Do not click links or open attachments in any email received today.
• Direct all media or parent questions to Communications Lead — do not respond personally.
• Continue instruction using offline materials. Updates will come via [backup channel — phone tree, paper, etc.].

Board of Trustees

Channel: phone call from Superintendent (no email)

Calling to inform you we are responding to a cybersecurity event. Per our IRP, the cyber insurance carrier and forensic firm have been engaged. State authorities have been notified per statutory requirement.

A formal briefing is scheduled for [date / time]. In the interim, please direct any media inquiries you receive to Communications Lead at [phone]. Do not discuss the incident publicly until counsel clears messaging.

TEA Notification (required)

Channel: cyber@tea.texas.gov

Per Texas Education Code §11.175, [District name] is reporting a cybersecurity event. Discovery date: [date]. Affected systems: [high-level list, no details]. Status: [active / contained / under investigation].

District cybersecurity coordinator: [Coordinator name], [phone], [email]. We will provide an updated report as the investigation progresses.

5 Reporting & Notification Checklist

Required deadlines for Texas K-12 districts. Track and document each step in the incident log.

48h

from discovery

Notify Texas DIR via SPECTRIM portal

1-877-347-2476 · dir.texas.gov · per Tex. Gov't Code §2054.603

Required

ASAP

after discovery

Notify Texas Education Agency cybersecurity team

cyber@tea.texas.gov · per Tex. Educ. Code §11.175(b)

Required

60d

from discovery

Notify affected individuals (if SPI exposed)

Required when 250+ individuals affected · also notify Texas AG · per Bus. & Comm. Code §521.053

Required

10d

from closure

Submit DIR closure report

via SPECTRIM portal · per Tex. Gov't Code §2054.603(c)

Required

ASAP

after discovery

File FBI IC3 report

ic3.gov · or Houston Field Office (713) 693-5000 · valuable for insurance claim

Recommended

ASAP

after discovery

CISA voluntary report

central@cisa.gov · 1-888-282-0870 · supports broader threat intelligence

Recommended

30d

from closure

Conduct After-Action Review and produce Improvement Plan

Per TxSSC CS31, CS32 · update this playbook with lessons learned

Recommended