In spite of the most vigilant efforts to minimize them, events will occur that jeopardize the security and privacy of institutional and personal information. However, the institution's process of preparing for, preventing, detecting, responding to, and tracking these events has a significant impact on reducing their frequency and severity. Appropriate policies and procedures are needed to provide an efficient and effective incident management strategy.
Safeguards for Domain 10, Information Security & Privacy Program
Management
If an information security or privacy breach is suspected, the response must be coordinated, consistent, and efficient. An investigation must be performed to determine if a breach has occurred and if so, to what extent. Responsibilities must be clearly identified and understood. The goals of such an approach are to minimize the impact on the institution and the individuals affected, to notify the affected individuals promptly, to comply with applicable laws and regulations, and to determine what additional steps can be taken to minimize the chances of similar future events.
The authority of the University Information Policy Office to coordinate incidents has been established by a Resolution of the Trustees of Indiana University and confirmed by the Vice President for Information Technology and CIO of Indiana University. See IU policy ISPP-26: "Information and Information System Incident Reporting, Management, and Breach Notification".
The Information Security Incident Management procedure describes the university-wide processes for investigation and coordination, assignment of responsibility, tracking and continual improvement, and the handling of reported weaknesses and events.
Units can use the Departmental Procedures Template to document local procedures that lead up to the university-wide process.
Reporting
Identifying and addressing potential deficiencies in the protection of institutional or personal information is critical in reducing the likelihood of an incident. Individuals must know how to react quickly when such a weakness is identified so appropriate steps can be taken to assess the risk and, if necessary, apply reasonable protection measures.
Anyone observing an information security or privacy violation is required to report the situation so that corrective action can be taken.
For information security and privacy reporting university-wide, see:
For possible sensitive data exposures university-wide, see Reporting Suspected Sensitive Data Exposures.
Units can use the Departmental Procedures Template to document local procedures that lead up to the university-wide process.
The University Information Security Office (UISO) also reports suspected incidents, including computer and network security breaches and unauthorized disclosure or modification of electronic institutional or personal information, following the university-wide procedure.
The Indiana University Anonymous Reporting Hotline provides an anonymous, simple way to report activities that may involve financial or other misconduct, violations of university policy, etc., including unauthorized access to or disclosure of sensitive university data (e.g., personally identifiable data of students, faculty, staff, etc.).
Employees are reminded of their responsibility to report suspected information security or privacy violations when assenting to the Acceptable Use Agreement for Access to Technology and Information Resources.
The Whistleblower Policy strives to protect any Indiana University employee or other member of the Indiana University community who makes a good faith disclosure of suspected wrongful conduct.
Summary of domain objectives
The primary objectives of this domain are to ensure:
- a consistent and effective approach to incidents
- responsibilities and procedures exist to handle events and weaknesses effectively
- the incident management process undergoes continual improvement
- evidence collected is in compliance with appropriate legal requirements
- events and weaknesses are communicated to allow timely corrective action
- event reporting and escalation procedures are in place
- users are aware of reporting procedures
- users are required to report events and weaknesses as quickly as possible
Supplemental resources
Information Security Incident Management | EDUCAUSE Information Security Guide