Ransomware Readiness Kit (Cities/Counties)

Executive Summary (1 page)

Responsible use: adapt to your environment; avoid entering sensitive incident data into tools/templates; validate with policy/counsel as appropriate.

Top readiness priorities (minimum viable)

• MFA everywhere (email, VPN/remote access, privileged accounts, cloud admin portals)
• Immutable/offline backups + restore tests (quarterly minimum)
• EDR coverage on endpoints + servers with alerting configured
• Central logging (VPN, firewall, DNS, EDR, cloud audit)
• External decision paths (cyber insurance notice, outside counsel, law enforcement, and reporting/notification ownership)
• Admin segmentation (separate admin accounts/workstations; limit lateral movement)

30/60/90 day roadmap (starter)

• 30 days: confirm MFA scope, backup immutability, EDR coverage, and basic log retention
• 60 days: tabletop exercise with leadership; close the highest-risk gaps; define patch SLAs; verify insurance and reporting paths
• 90 days: segmentation improvements; incident comms/templates approved; repeat tabletop

Key leadership decisions

• Who can authorize downtime / emergency change windows?
• What services must stay online (911, utilities, payroll)?
• Who owns communications (internal + public) during an incident?
• Who verifies cyber insurance status, outside counsel engagement, and legal/reporting obligations?

How to use (fast)

1. Complete the checklist and create a short remediation backlog.
2. Confirm minimum viable logging so DFIR is possible.
3. Run a 60–90 minute tabletop with leadership + IT + comms.
4. Pre-stage comms templates, vendor contacts, insurance contacts, and reporting/notification decision paths.

Links

• Repo playbook (source): playbooks/ransomware-readiness
• Full pack (Markdown): RANSOMWARE_READINESS_PACK.md
• Tabletop kit: playbooks/tabletops/ransomware/
• KEV governance (monthly): KEV-to-Risk Kit (hosted)

Hosted index: Public Sector Playbooks — Hosted Tools