Incident Response Center
Ransomware Response Capability
Priority scenario: Ellucian Banner ERP compromise. Two detection signals within 30 minutes activate the playbook.
Risk R-3
Current IR Status
Informal, untested procedures
Target deliverables: documented playbook (Month 3), tabletop exercise (Month 6)
Ransomware Response Workflow · Banner ERP
0-30 min
01 Detect
IT Director / SOC
- SIEM or endpoint alert for unusual file encryption
- Banner ERP becomes inaccessible
- Ransom note files on shared drives
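The Detect card above defines the activation rule: two distinct signals within 30 minutes. As an added example that is not part of the playbook, the following Python correlates a constructed signal feed against that rule; the pipe-separated line format, signal names and host names are assumptions.

```python
# Added example, not part of the playbook: correlate the three Detect-stage
# signals and activate the playbook when two DISTINCT signals land within 30 min.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Signal names mirror the Detect card; the event line format is an assumption.
DETECT_SIGNALS = {"file_encryption_alert", "banner_erp_unreachable", "ransom_note_on_share"}
CORRELATION_WINDOW = timedelta(minutes=30)

@dataclass(frozen=True)
class Signal:
    ts: datetime
    kind: str     # one of DETECT_SIGNALS
    source: str   # host, share or monitor that raised it

def parse_signal(line: str) -> Optional[Signal]:
    """Parse a constructed 'ISO-timestamp|signal|source' line; unknown signals are ignored."""
    try:
        ts, kind, source = line.strip().split("|", 2)
    except ValueError:
        return None
    if kind not in DETECT_SIGNALS:
        return None
    return Signal(datetime.fromisoformat(ts), kind, source)

def playbook_triggered(lines):
    """Return the (earlier, later) pair of distinct signals that activates the
    playbook, or None. One signal type repeating (e.g. a noisy EDR rule) does
    not count; two different signals inside the window do."""
    signals = sorted((s for s in map(parse_signal, lines) if s), key=lambda s: s.ts)
    for i, later in enumerate(signals):
        for earlier in signals[:i]:
            if later.kind != earlier.kind and later.ts - earlier.ts <= CORRELATION_WINDOW:
                return earlier, later
    return None

# Constructed sample feed: the same EDR rule twice (no activation on its own),
# an unrelated alert, then Banner going unreachable 21 minutes after the first hit.
SAMPLE_FEED = [
    "2024-03-04T02:10:00|file_encryption_alert|ws-fin-014",
    "2024-03-04T02:12:30|file_encryption_alert|ws-fin-014",
    "2024-03-04T02:55:00|unrelated_alert|ws-lib-003",
    "2024-03-04T02:31:00|banner_erp_unreachable|banner-prod-01",
]

if __name__ == "__main__":
    hit = playbook_triggered(SAMPLE_FEED)
    print("activate playbook:", hit is not None, hit)
```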
15 min from confirmation
02 Contain
IT Director
- Isolate affected endpoints (disable switch ports / remove from AD)
- Suspend Banner ERP and Dataverse access for non-IT accounts
- Activate offline backup verification
1-4 hours
03 Escalate
President / CISO
- Presidential briefing within 1 hour of confirmed ransomware
- Board notification within 4 hours
- FERPA breach assessment if student records exfiltrated
Days 1-5
04 Recover
IT Director
- Restore systems from verified clean backup only
- Full integrity scan before resuming Banner access
- Out-of-band internal communications if systems compromised
5-10 business days
05 Review
CISO
- Post-incident review within 5 business days
- Findings reported to cabinet within 10 business days
- Board written summary within 72 hours of a Critical incident
Regulatory Obligations
FERPA
Legal counsel assesses exposure if PII exfiltrated
NY SHIELD Act
Notify affected individuals without unreasonable delay
DHS / ICE (SEVIS)
Required notification for F-1 record compromise
Executive Communication Workflow
Internal
IT Director
Out-of-band channels if systems compromised
Executive
President / CISO
Presidential briefing within 1 hour of confirmation
Board
President
Board notification within 4 hours
External
President + Legal
Community communications with legal review