IUPUI School of Engineering and Technology

Incident Response Policy for Information and Information Systems

School of Engineering and Technology (10/21/2014) 

Purpose

The purpose of this policy is to outline the responsibilities of School of Engineering and Technology (E&T) employees and faculty with regard to reacting to and reporting the various types of network and information security incidents that may occur.

Scope

This policy applies to all employees and faculty of E&T. Vendors, contractors, partners, students, collaborators, and any others doing business or research with E&T will also be subject to the provisions of this policy. Any other parties who use, work on, or provide services involving E&T computers, technology systems, and/or data will also be subject to the provisions of this policy. E&T computing resources have been developed to encourage widespread access and distribution of data and information for the purpose of accomplishing the educational and research missions of the school. This policy will not supersede any Indiana University developed policies but may introduce more stringent requirements than the university policy.

Policy

E&T individuals are required to immediately report to the Computer Network Center (CNC) and/or University Information Policy Office (UIPO) any:

  • suspected or actual incidents of loss, inappropriate disclosure, or inappropriate exposure of information used in the pursuit of the university's mission – whether in printed, verbal, or electronic form – including but not limited to those incidents involving the following information, systems, or processes: 
    • critical information such as individually identifiable health information, credit card numbers, Social Security numbers, driver’s license numbers, or bank account numbers.
    • lost or stolen mobile devices or media such as laptops, tablets, smart phones, USB drives, and flash drives.
    • viewing of information without a demonstrated need to know (e.g., snooping).
  • abnormal systematic unsuccessful attempts to compromise information – whether in printed, verbal, or electronic form – or information systems used in the pursuit of the university's mission, such as: 
    • abnormal unsuccessful login attempts, probes, or scans.
    • repeated attempts by unauthorized individuals to enter secured areas.
  • suspected or actual weaknesses in the safeguards protecting information – whether in printed, verbal, or electronic form – or information systems used in the pursuit of the university's mission, such as: 
    • weak authentication processes.
    • ability to access information you are not authorized to access.
    • weak physical safeguards such as locks and access controls.
    • lack of secure transport methods.

The CNC and UIPO operate during normal business hours. When identifying suspected or actual incidents after hours, contact the UITS Support Center (274-HELP) and ask them to page the University Information Security Office (UISO), which monitors pages 24x7. A response from UISO should be expected within 15-30 minutes. If other methods fail to reach the UIPO or UISO within 30 minutes, contact the Bloomington Data Center Operators at 812-855-9910 and ask them to page the UISO.

UIPO will coordinate the investigation, involve appropriate IU units including the E&T Computer Network Center, and help assess and mitigate potential threats.

Sanctions

Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved, this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources, for more detail.

Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.