Incident Response Procedure Template
This template is provided as a base from which to develop your own procedures, and offers suggestions for how to begin. The UIPO encourages all units to develop and maintain a local incident response plan that complements the university-wide procedures.
- Someone who notices an incident
- Some types of incidents that may warrant action/investigation are: slow or non-responsive systems, new errors/messages, programs constantly crashing, unauthorized access, break-in attempts, inadequate protection controls, or inadvertent disclosure.
- Step away from the computer. Do not touch it or attempt to log in or alter it. Do not power it off. These actions will delete forensic evidence that may be critical to your incident.
- That person notifies _______________________________ [appropriate party]
- If _______________________________ [appropriate party] cannot be reached, notify _______________________________ [this person], or _______________________________ [this person].
- _______________________________ [person/party] will collect information (without using the system) if it can be done quickly, such as: scope of the issue, type of compromise, names and IP addresses of machines, approximate date/time of compromise (if known), and usernames of users and system administrators of the machine.
- _______________________________ [person/party] will then notify _______________________________ [management] and the University Information Policy Office (UIPO).
- Contact procedures for the UIPO are detailed at: protect.iu.edu/cybersecurity/incident/sensitive-data
- The UIPO will work with the department’s IT staff to coordinate response and forensic investigation, as necessary. They will use the UIPO sensitive data incident response checklist and toolkit. Details about the incident and response will be documented in their tracking system.
- Specifically for production services like websites: plan the remedial action needed to restore service, and when it will take place. Consider bringing up a new machine to host the site, or posting a “down for maintenance” banner.
- The incident team will review the steps taken in response, in an attempt to prevent future incidents.
Download a printable version (below) of this template that you can complete and keep on file.