We have a number of playbooks for addressing common cyber security scenarios.
Playbooks
1 - Playbook: System outage response plan (draft)
This document is a ‘playbook’ that describes the processes around identification, considerations and communication of outages across the University.
It is requested that the draft be discussed with recommendations for improvement.
Related documents and policies
- Cyber Incident Response plan
Systems
The following systems are considered in scope for communication to stakeholders, as they provide aspects of the learning and teaching environment for staff and students. The first nine items would be considered core to the learning environments of the University. Of these, starred items (*) are under direct influence of the IT team for management of planned outages, and double-starred items (**) are under the influence of other staff of the University. While we are not able to affect planned outages on other systems, we may want to communicate about these.
Core:
- ARK*
- Paradigm*
- Turnitin
- Zoom
- UMS*
- LibraryHub page**
- Library authentication (OCLC)
- Library catalogue/search service
- Library journal and ebook platform
- Research Repository*
- University website*
- Vox website*
- Staff website*
- Forms website*
- Risk Register*
- Support website*
- Cybersecurity website*
- StaffPlus
- Blue (Student Unit Evaluations)
- Slack
- Mailchimp
- University email
- University Sharepoint
- University phones
- University DNS*
Communication channels
The university has the following channels available for communication. Each option provides a different scope for the audience on the communication.
- ARK notice
- ARK announcement email
- generic email
- bulk email
- website banner
- social media (Twitter, Facebook)
- Slack
- University status page
Communication for ‘planned’ outages for in-scope systems
The Information Technology Manager (ITM) is made immediately aware of any planned outages for starred systems.
If and where possible, ITM negotiates the timing of the planned outage to ensure the least amount of disrupted service, in preferred order of: non-teaching weeks, weekends, then early mornings.
ITM writes up communication to be sent out to users of affected systems, including impacted systems and users, timing and duration.
- User groups: Principals, Deans, Registrars, ARKLOs, Teaching Staff, Students, Honorary Staff, College Professional staff, OVC Staff
ITM determines how this information will be communicated and on which channels.
The timing of this communication is to be either (a) 4 weeks prior to the planned outage; or (b) as soon as possible (if within 4 weeks), along with (c) a reminder at the start of the week of the planned outage.
The ITM will co-ordinate the removal of any notices that need to be taken down.
Communication for ‘unplanned’ outages (e.g. disruption in services) for in-scope systems
ITM is immediately made aware of any outages on the in-scope systems.
ITM determines if the event constitutes a Cyber Incident.
- If it does constitute a cyber incident, then the Cyber Incident Response Plan is enacted.
If it is not a cyber incident, ITM determines the required course of action going forward, including user scope, systems impacted and communication to be distributed.
ITM writes up communication to be sent out to users of affected systems.
ITM determines how this information will be communicated and on which platforms.
The timing of this communication can be staggered, with all affected users notified within 20 minutes of notice of the outage.
The ITM will co-ordinate the removal of any notices that need to be taken down.
Notice content
The ITM will work with the Communication and Events Manager to develop a set of standard notices for scheduled maintenance, tailored to each communication platform. This ensures consistent information is present in the communication.
2 - Playbook: Phishing activity observed
When to use
If you clicked on a link or entered your username and/or password into a potentially malicious site. Immediately notify (1) the IT Manager
Provide the following information:
- How did you receive the link (email, SMS, etc.)?
- What legitimate site was the site attempting to impersonate (i.e. made to look like Office365, Adobe, etc.)?
- Have you used the password for any other sites (UD or personal)?