Incident Response

IT Incident Response Procedures

Potential Incident Notification

1. A person notices a potential incident with their computer. (Some types of potential incidents that may warrant investigation are: slow or non-responsive systems, new errors/messages, programs constantly crashing, suspected inadequate protection controls.)

2. Step away from the computer. Do not touch it or attempt to log in or alter it. Do not power it off. These actions will delete forensic evidence that may be critical to your incident.

3. That person notifies their local IT support center, which investigates the nature of the issue in a way that does not jeopardize potential forensic evidence.

4. IT support ascertains whether or not sensitive data is stored on the system via communication with the system user.

5. If a system or data compromise has been discovered by the support center personnel and the system contains data classified as ‘Critical’, immediate notification is sent to the University Information Policy Office (UIPO) by following the incident response procedure outlined below.

Incident Response

1. A person becomes aware of a system breach, data breach, or unauthorized data disclosure. (Some types of incidents warranting immediate notification are: system compromise from virus infection or unauthorized access on systems containing Critical data, data exposure by unauthorized individuals, following links in phishing emails, or knowledge of inadequate protection controls.)

2. Step away from the computer. Do not touch it or attempt to log in or alter it. Do not power it off. These actions will delete forensic evidence that may be critical to your incident.

3. That person notifies the UIPO by emailing it-incident@iu.edu. If the incident involves the breach of sensitive data, the following UIPO policy should be followed, including the use of contact phone numbers for after-hours notification: http://protect.iu.edu/cybersecurity/incident/sensitive-data.

4. UIPO will work with the department’s staff to coordinate response and forensic investigation, as necessary. They will use the UIPO sensitive data incident response checklist and toolkit. Details about the incident and response will be documented in their tracking system.

5. The Incident team and UITS will review steps taken during the response to attempt to prevent future incidents.