Purpose
The purpose of this policy is to outline the responsibilities of School of Engineering and Technology (E&T) employees and faculty with regard to reacting to and reporting the various types of network and information security incidents that may occur.
Policy
E&T individuals are required to immediately report to the Computer Network Center (CNC) and/or University Information Policy Office (UIPO) any:
- suspected or actual incidents of loss, inappropriate disclosure, or inappropriate exposure of information used in the pursuit of the university's mission – whether in printed, verbal, or electronic form – including but not limited to those incidents involving the following information, systems, or processes:
  - critical information such as individually identifiable health information, credit card numbers, Social Security numbers, driver’s license numbers, or bank account numbers.
  - lost or stolen mobile devices or media such as laptops, tablets, smart phones, USB drives, and flash drives.
  - viewing of information without a demonstrated need to know (e.g., snooping).
- abnormal systematic unsuccessful attempts to compromise information – whether in printed, verbal, or electronic form – or information systems used in the pursuit of the university's mission, such as:
  - abnormal unsuccessful login attempts, probes, or scans.
  - repeated attempts by unauthorized individuals to enter secured areas.
- suspected or actual weaknesses in the safeguards protecting information – whether in printed, verbal, or electronic form – or information systems used in the pursuit of the university's mission, such as:
  - weak authentication processes.
  - ability to access information you are not authorized to access.
  - weak physical safeguards such as locks and access controls.
  - lack of secure transport methods.
The CNC and UIPO operate during normal business hours. When identifying suspected or actual incidents after hours, contact the UITS Support Center (274-HELP) and ask them to page the University Information Security Office (UISO), which monitors pages 24x7. A response from UISO should be expected within 15-30 minutes. If other methods fail to reach the UIPO or UISO within 30 minutes, contact the Bloomington Data Center Operators at 812-855-9910 and ask them to page the UISO.
UIPO will coordinate the investigation, involve appropriate IU units including ET Computer Network Center, and help assess and mitigate potential threats.
Sanctions
Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved, this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources, for more detail.
Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.