• Any reports, incidents, and/or threats of ransomware attacks against the school district since August 1, 2019. This also includes any documentation revealing the process for resolution against any ransomware attacks.
• A copy of the established school district's protocol for ransomware attacks.
• A copy of the cybersecurity policy for the school district.
• A copy of the 2023/24 and 2024/25 budget that includes cyber security costs.
If this information exists in whole or in part in electronic database form, we would like to receive the information in that format.
Responsive to this request, HCPSS Information Technology staff indicates no reports/incidents of ransomware attacks against the school system exist since August 1, 2019. Threats consistently occur which HCPSS is made aware of via state and federal partners, as well as contractual entities, for proactive measures:
• Multi-State Information Sharing and Analysis Center: https://www.cisecurity.org/ms-isac
• MD-ISAC: The Maryland Information Sharing and Analysis Center (MD-ISAC): https://doit.maryland.gov/cybersecurity/Pages/Threat-Bulletins.aspx
• Maryland Local Cybersecurity Collaborative (MLCC): https://doit.maryland.gov/cybersecurity/Pages/LGR-MLCC.aspx
• U.S. Department of Homeland Security / Cybersecurity & Infrastructure Security Agency (CISA): https://www.cisa.gov/topics/cyber-threats-and-advisories
• Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/topic/threat-intelligence/
• Maryland Association of Boards of Education: https://www.mabe.org/insurance-programs/mabe-programs/ (as HCPSS’ insurer, via their cyber team and analysts)
• MGT Consulting: https://www.mgtconsulting.com/capabilities/education/ (as the current HCPSS Managed Security Services Provider: https://go.boarddocs.com/mabe/hcpssmd/Board.nsf/files/BV8NBQ5EEA79/$file/11%2019%202020%20Bids%20%26%20Contracts%20BR.pdf – see PC-17)
Procedures for handling ransomware and other cyber attacks are addressed within the HCPSS Technology Department Disaster Recovery Plan record. Under both MPIA GP § 4-338, which requires a custodian to deny inspection of information about the security of an information system, and MPIA GP § 4-352, which indicates an agency may deny inspection of response procedures or plans prepared to prevent or respond to emergency situations, the disclosure of which would reveal vulnerability assessments, specific tactics, specific emergency procedures, or specific security procedures, we are denying access to this record. Such details could be used to initiate attacks against the school system if publicly released.