About this Requirement
Date of last update:
April 15, 2024
Policy Statement
Data integrity, availability, and confidentiality are vital to the College's functioning and reputation. When dealing with a suspected or actual information or information technology incident, the College will follow all IU policies, including IU Policy ISPP-26 (Information and Information System Incident Reporting, Management, and Breach Notification). IT staff will report all incidents to the proper authorities and investigate, mitigate, and cooperate in any investigations or mitigation efforts in coordination with UISO/UIPO and University Counsel.
Much of this document’s language has been taken from the official IU incident response pages at https://informationsecurity.iu.edu. That site should be consulted in all cases to ensure that current university policies and procedures are followed.
Exceptions to Requirement
None
Procedures
Urgent situations can occur which require the immediate attention of the University Information Security Office (UISO).
First, to ensure that resources are brought to bear as quickly as possible, please IMMEDIATELY CALL, at any time of day or night, on weekdays, weekends, or holidays, and keep calling until you reach a human. DO NOT simply leave a message and wait for a return call.
Try in this order:
- UISO Security Operations directly at 812-855-UISO (8476) (9-5 ET, M-F)
- UITS Network Operations Center at 812-855-3699 (24x7)
- UITS Support Center at 812-855-6789 (24x7)
When you reach the Support Center or Network Operations Center, ask staff to contact UITS Data Center Operations so that a PAGE can be sent to the UISO. A representative will then call you back.
- STEP AWAY from the computer
- DO NOT touch it, or take any action until advised by the Information Policy & Security Offices.
- DO NOT attempt to log in to or alter the compromised system. This includes AV scans, network scans, patching mechanisms, and unplugging any cables.
- DO NOT power it off. The actions above will delete forensic evidence that may be critical to your incident. They may also tip off the attacker that you are aware the machine is compromised; the attacker may then take action to remove evidence or delete files.
- Please ALSO REPORT the incident yourself, using one of the following methods:
  - Use the online incident reporting form (authentication required).
  - Send an email to it-incident@iu.edu outlining the incident details.
- Contact the following CITRIS and CISPO leadership:
  IT Leader for College IT Research, Infrastructure, and Support
  Nathan Byrer
  IU Phone: (317) 274-5609
  Email: nsbyrer@iu.edu

  IT Leader for College Information Security and Policy
  Scott C. Adams
  IU Phone: (812) 856-0151
  Email: scadams@iu.edu
  Cellular: (812) 606-2306
- DO NOT discuss the incident with any other parties until you are authorized. This is critical to ensure that only accurate information is disseminated, rather than suppositions or guesses as to what happened.
- Begin writing a detailed description to be shared with the Incident Team: what made you suspect the incident, what you know happened thus far, information on the machine and the data affected, and what actions have been taken so far.
- For production services such as web sites or applications, plan the remedial action needed to restore service and when it will be taken. Consider bringing up a new machine to host the site or posting a "down for maintenance" banner. Take no action to restore/recover service until UIPO/UISO is consulted/approves.
If you find yourself involved in an incident involving IT systems, collecting the following information will be helpful in the ensuing investigation. Do this without using the system: members of the College Enterprise Technical Services Team (COLLETS) can gather the information from the College IT Inventory Databases, Service Now Assets, SCCM, JAMF, and other resources.
- IP address(es)
- Hostname(s)
- Operating system and version
- Manufacturer, model, and serial number
- Usernames of users and system administrators of the machine
- Approx. date/time of compromise, if known
- List of software installed
- Attack vector (if you know/suspect a particular program/service)
The UIPO and UISO are charged with the investigation and coordination of incidents where the loss, corruption, inappropriate disclosure, or exposure of information assets is suspected. When the UIPO and/or UISO are notified, an Incident Team will be assembled to advise and assist in containing and limiting the exposure, in investigating the incident, in obtaining the appropriate approvals, and in handling notification to the affected individuals and agencies.
The College is fully responsible for allocating the resources needed to lead and achieve an appropriate and timely resolution of the incident. The College "owns" the response to the incident. The UIPO and UISO will provide oversight and guidance to the process to ensure a consistent, efficient and thorough response, and to ensure that all necessary approvals are received.
Other reportable incidents:
- Suspected Phishing emails – Forward with full headers to phishing@iu.edu
- Email abuse, misuse or spam may be forwarded with full headers to it-incident@iu.edu
- Non-emergency security incident or privacy concerns should be reported to it-incident@iu.edu and may also be directed to the College Information Security & Policy Office (CISPO) - cispo@iu.edu
- Stolen IT Devices
  - Working with your supervisor, contact IUPD - (812) 855-4111
  - Once you obtain a Case# and the responding IUPD officer's full name and contact info, contact it-incident@iu.edu with the details:
    - IUPD Case#
    - Name of responding officer and contact information
    - Manufacturer, model, and serial number of the stolen equipment
    - Hostnames and MAC addresses of stolen equipment
    - What IU data types were on the equipment
    - User(s) and usernames associated with the device(s), including administrators
    - JAMF, SCCM, and other central management details
- Non-emergency security incident or privacy concerns or questions may also be directed to the College Information Security & Policy Office (CISPO) - cispo@iu.edu