Information Security and Privacy Incident Management
Investigation and Coordination
The University Information Policy Office (UIPO) and the University Information Security Office (UISO) are charged with the investigation and coordination of incidents where the loss, corruption, inappropriate disclosure, or inappropriate exposure of information assets is suspected. When the UIPO and/or UISO are notified, an Incident Team will be assembled to advise and assist in containing and limiting the exposure, investigating the incident, obtaining the appropriate approvals, and handling notification to the affected individuals and agencies. The nature of the incident and the type(s) of information involved will determine the exact makeup of the Incident Team, but it will include representatives from a number of university organizational units, such as the unit experiencing the incident, Legal Counsel, Media Relations, the Committee of Data Stewards, and/or the Compliance Officer for the information sector(s) implicated.
An incident response tool kit has been developed to guide the activities of this Incident Team. This kit contains the information needed by the unit experiencing the incident, in cooperation with the other individuals on the Incident Team, to handle the incident. The kit has been, and will continue to be, refined as incidents are handled to improve the process and make it as efficient and effective as possible. The same kit will be used for all incidents to ensure that a consistent approach is taken.
The UIPO and UISO will oversee the investigation of the incident and involve Legal Counsel, IUPD, and local, state, and federal law enforcement as necessary. The gravity of the situation will determine the method by which evidence and other pertinent information are collected. When warranted and feasible, evidence will be collected in a forensically sound manner consistent with industry best practices, so that it remains usable should the matter proceed to disciplinary action or law enforcement.
The organizational unit experiencing the incident is fully responsible for allocating the resources needed to lead and achieve an appropriate and timely resolution of the incident. The unit experiencing the incident "owns" the response to the incident.
The UIPO and UISO will provide oversight and guidance to the process to ensure a coordinated, consistent, and efficient response, and to ensure compliance with applicable laws and regulations, including any required notifications to individuals or government officials.
Tracking and Improvement
The UIPO has an automated system that allows the university to track and learn from previous incidents. In addition, post-incident debriefing meetings are held with the Incident Team to determine how the response process and tools can be refined. This iterative process has proven quite effective at improving the university's incident response process.
Weaknesses and Events
Anyone identifying a weakness in the protection of sensitive institutional or personal data must immediately contact the UIPO and UISO. The UIPO and UISO will help coordinate the investigation and will involve the appropriate IU units to help assess and react to the potential threat. Likewise, the UIPO and UISO must be contacted in the event of a possible exposure or loss of sensitive institutional or personal data. The university's Incident Response Notification Procedures help ensure incidents are handled efficiently, effectively, consistently, and responsibly.
Prior to receiving their university IT accounts, employees complete the Acceptable Use Agreement for Access to Information and Technology Resources, in which they agree to immediately report unauthorized access to, inadequate protection of, and the inappropriate use, disclosure, and/or disposal of information.