Information and Infrastructure Assurance at Indiana University

• UIPO
• >> Incident Response

The University Information Policy and Information Security Offices (UIPO/UISO) assists in responding to and investigating incidents related to misuse or abuse of Indiana University information and information technology resources. This includes computer and network security breaches and unauthorized disclosure or modification of institutional or personal information.

In the event of a security incident concerning sensitive institutional or personal data, the unit must take immediate action to report the incident to UIPO as soon as the incident is suspected.

As soon as the incident is suspected

1. IMMEDIATELY CALL, no matter what time of day or night or weekday or weekend or holiday, until you get to a human. Try in this order:
   1. UITS Support Center at 812-855-6789 (24x7)
   2. UITS Network Operations Center at 812-855-3699 (24x7)
   If you reach the Support Center or the Network Operations Center, ask them to PAGE the Security Office. A representative from UISO will then call you back. Please ALSO e-mail it-incident@iu.edu with details of the suspected exposure. Please DO NOT simply leave voicemail or send e-mail - please ensure you reach a human, because it is CRITICAL that we begin response procedures immediately.
2. STEP AWAY from the computer; DO NOT touch it, and DO NOT take any other action until advised by the Information Policy and Security Offices.
3. DO NOT touch, attempt to login, or alter the compromised system. DO NOT power it off. These actions will delete forensic evidence that may be critical to your incident.
4. DO NOT talk about the incident with any other parties until you are authorized as part of the process outlined in this document.

The University Information Security & Policy Offices are charged with investigation and coordination of incidents where sensitive institutional or personal data is suspected to have been exposed, and it has experienced and licensed forensic engineers on staff to assist.

When the UIPO/UISO is notified, an Incident Team will immediately be assembled to advise and assist in containing and limiting the exposure, in investigating the attack, in obtaining the appropriate approvals, and in handling notification to the affected individuals and agencies. The incident still "belongs" to the unit experiencing the exposure; the mission of UIPO & UISO is to assist you.

Time is critical

Immediately containing and limiting the exposure is first priority. In certain situations, we must notify the Indiana Attorney General within two business days of becoming aware of the incident. In others, we must notify the Merchant Bank involved within 24 hours. Also, individuals involved in such incidents expect expeditious notification to them so that they can monitor their accounts. The most common complaints after an incident are about how long it took the organization to contain the exposure and to send notifications. At Indiana University, our goal is to notify the individuals affected within one week of our becoming aware of the exposure.