Information Security and Privacy Incident Management
The University Information Policy Office (UIPO) and the University Information Security Office (UISO) are charged with the investigation and coordination of incidents where the loss, corruption, inappropriate disclosure, or inappropriate exposure of information assets is suspected. When the UIPO and/or UISO are notified, an Incident Team will be assembled to advise and assist in containing and limiting the exposure, in investigating the incident, in obtaining the appropriate approvals, and in handling notification to the affected individuals and agencies. The nature of the incident and the type(s) of information involved will determine the exact makeup of the Incident Team, but it will include representatives from a number of university organizational units such as the unit experiencing the incident, Legal Counsel, Media Relations, the Committee of Data Stewards and/or the Compliance Officer for the information sector(s) implicated.
An incident response tool kit has been developed to guide the activities of this Incident Team. This kit contains the information needed by the unit experiencing the incident, in cooperation with the other individuals on the Incident Team, to handle the incident. The kit has been, and will continue to be, refined as incidents are handled to improve the process and make it as efficient and effective as possible. The same kit will be used for all incidents to ensure that a consistent approach is taken.
The UIPO and UISO will oversee the investigation of the incident and involve Legal Counsel, IUPD, local, state, and federal law enforcement as necessary. The gravity of the situation will determine the method by which evidence and other pertinent information are collected. When warranted and feasible, the evidence will be collected in a manner that ensures compliance with industry best practices.
The organizational unit experiencing the incident is fully responsible for allocating the resources needed to lead and achieve an appropriate and timely resolution of the incident. The unit experiencing the incident "owns" the response to the incident.
The UIPO and UISO will provide oversight and guidance to the process to ensure a coordinated, consistent, and efficient response, and to ensure compliance with applicable laws and regulations, including any required notifications to individuals or government officials.
Anyone identifying a weakness in the protection of sensitive institutional or personal data must immediately contact the UIPO and UISO. The UIPO and UISO will help coordinate the investigation and will involve the appropriate IU units to help assess and react to the potential threat. Likewise, the UIPO and UISO must be contacted in the event of a possible exposure or loss of sensitive institutional or personal data. The university's Incident Response Notification Procedures help ensure incidents are handled efficiently, effectively, consistently and responsibly.
Prior to receiving their university IT accounts, employees complete the Acceptable Use Agreement for Access to Information and Technology Resources, in which they agree to immediately report unauthorized access to, inadequate protection of, and the inappropriate use, disclosure, and/or disposal of information.
The UIPO has an automated system that allows the university to track and learn from previous incidents. In addition, post incident debriefing meetings are held with the Incident Team to determine how the response process and tools can be refined. This iterative process has proven quite effective at improving the university's incident response process.
Every day the UIPO Incident Response team sends dozens of email notifications to the university community. These alert people to computer and account compromises and malicious activities. In order to help you understand how we choose which email addresses we use, we’ll outline here part of that process:
If a username is compromised and we must scramble the passphrase:
- Students: we will notify the UITS Support Center, who will attempt to contact you via phone.
- Faculty or staff: we will look up your department code and notify the Local Support Providers (LSPs) listed with that department in the LSP database.
IT Managers are able to set a preferred address for the entire department in the LSP Database.
- If network activities indicate that a computer is compromised, the UIPO will notify the user. If an LSP is associated with the MAC Address of the computer in the DHCP Registration data, this LSP will also be notified, as well as additional LSPs listed with the user's department in the LSP database. Note that IT Managers are able to set a preferred address for the entire department in the LSP Database.
- If users are blocked from VPN, Dialup, or IU Secure access, they will always receive a notification and reason. If the user is faculty or staff and UITS has an LSP on record for their department, this LSP will be notified as well.
The UIPO encourages all units to develop and maintain a local incident response plan that complements the university-wide procedures. A template to serve as a base from which to develop your own procedures can be found below: