Virginia Fusion Center walks school leaders through incident‑response planning and a Jefferson County case study

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

The Virginia Fusion Center urged districts to finalize incident‑response plans, test backups and define decision rights during incidents, using Jefferson County (AL) as a case study of a prolonged outage and recovery challenges.

The Virginia Fusion Center used CyberCon to walk K‑12 leaders through a practical incident‑response planning exercise and to highlight common failures that lengthen recovery.

Chris Cruz, the fusion center’s cyber program manager, and analyst Madeleine Espie led a workshop that reviewed the incident‑response lifecycle — preparation, detection and analysis, containment, eradication, recovery and post‑incident review — and asked attendees to complete a simple incident‑response matrix for each phase. Cruz said the fusion center now acts as the clearinghouse for state cyber incident reports and noted a state code change requiring public bodies to report cyber incidents to the fusion center within 24 hours.

Cruz used Jefferson County, Alabama’s 2023 ransomware event as a case study. He said the county lacked reliable offline backups, experienced communication breakdowns and delayed critical containment decisions; the outage lasted eight days and recovery took weeks. Cruz told participants they should document who will take specific actions during a response, who authorizes those actions and who bears responsibility if a mitigation step disrupts operations.

The workshop included a decision‑making simulation that presented injects — a growing stream of technical failures, media inquiries and parental calls — to push teams to decide whether to isolate systems, restore from backups or talk to law enforcement. Cruz’s closing homework for attendees: finalize a first draft of an incident‑response plan, review communication and notification lists, and test backups within 60 days.

"Finalize your first rough draft of an incident response plan," Cruz said during his closing remarks.