The Incident Response Webservice (IRW) is a locally developed security information and event management (SIEM) system that has been in use at IU since 2007. This tool allows the staff of the University Information Policy Office and the University Information Security Office to quickly and effectively respond to incidents on all IU campuses. As the use of this tool has grown, functionality has been implemented to aid both users and IT Staff when dealing with network blocks and other security incidents.
Incident Response Webservice
Passphrase scrambles
Securing compromised accounts by scrambling the account passphrase is one business process that is supported by the Incident Response Webservice.
As a means of protecting IU information and information technology resources, IU will scramble account passphrases to secure accounts that have been compromised. This process randomizes the passphrase for the account being scrambled so that no one, including the account owner, can access it. Whenever an account passphrase is scrambled, a digitally signed email notification from UISO Incident Reporting will be sent to the UITS Support Center and the registered IT Staff for the user. This notification will include details about why the account was scrambled and user contact information so that the passphrase reset process can begin.
Services for end users
All blocked users will receive a digitally signed email from UISO Incident Reporting that contains information regarding the block and the actions that must be taken before network access is re-enabled. Users who have had their network access blocked can perform a self-service unblock to regain network access via the Incident Response Webservice. Users who unblock themselves without resolving the underlying issue will find themselves blocked again. Users who abuse their ability to perform self-service unblocks will lose this privilege and will need to email it-incident@iu.edu in order to regain network access.
Users who are implicated in a DMCA file sharing offense will receive a digitally signed email from UISO Incident Reporting which contains information regarding the offense, block, and the actions that must be taken before network access is re-enabled. At a minimum, users who have had their network access blocked for a file sharing offense must complete the Copyright Tutorial and Quiz before network access is restored. Other requirements for unblocking are outlined in the copyright infringement incident resolution.
An important aspect of information security is knowing when an account was accessed and by whom. To enable such monitoring, users can view their login history and/or sign up for Daily Account Usage Reports via the Incident Response Webservice. Enrolled users will receive a digitally signed email from UISO Incident Reporting every day at 7 a.m. EST. The report contains log information associated with your account from the previous day.
In addition to allowing users to review their login information, IU offers a service to alert users when someone logs into their account from an IP address that is located outside of the United States. These alerts are sent in real time via digitally signed email from UISO Incident Reporting.
Services for IT Staff
IT Staff can look up user, IP address, and device block information in the Incident Response Webservice if they have been granted this ability by their IT Administrator in the IT People database. This information is provided to assist you in supporting your users when they are blocked from accessing the IU network.
For more information, see:
How do I help a user with a UIPO block? (authentication and authorization required)
IT Staff can unblock a user, IP address, and/or device if they have been granted this ability by their IT Administrator in the IT People database. IT Staff performing unblocks must ensure that the user or device that was blocked has been remediated according to the process outlined in the user block notification email. IT Staff who abuse their ability to unblock connections will have this privilege revoked.
IT Staff can control some aspects of email notices from the University Information Policy Office by visiting the Manage IT Staff Options portion of the Incident Response Webservice.
Configurable options:
- Notify users about blocks
- Notify users about vulnerabilities
- Preferred email
  - Note: This email address is configurable in the IT Staff Database by the IT Administrator
- Note: IT Staff can be notified about devices owned by users affiliated with your department whose computers don't appear to be university-owned (machines don't follow the standard naming convention)
All registered IT Staff can view recently reported and processed phishing campaigns by visiting the Phishing Response portion of the Incident Response Webservice. If you identify a phishing message that has been received by you or your users and is not listed on this page, please immediately report the message with full headers to phishing@iu.edu. Please be sure to reference the from address, subject, and source IP address from the message and compare them to those provided on this page to confirm that the campaign needs to be reported.
If the University Information Policy Office or University Information Security Office has requested log data from services that you or your unit maintain, the logs portion of the Incident Response Webservice will provide you with the necessary information to send this data to us.