Incident Response Reporting
LIRP (Local Incident Response Plan) SOP (Standard Operating Procedure)
IT incidents vary. Be aware of all the forms an incident can take, then take the appropriate measures that each type of incident requires. An incident that warrants action may include:
- slow and unresponsive systems
- new errors/messages
- programs constantly crashing
- unauthorized access
- break-in attempts
- inadequate protection controls
- inadvertent disclosure
When an incident has occurred or has been noticed, follow these action steps:
- Step away from the computer. Do not touch it, attempt to log in to it, or alter it. Do not power it off. These actions will delete forensic evidence that may be critical to the incident.
- Do not reach out to system owners. IT Incident will do this and needs to manage what is communicated.
- Quickly gather the following information:
  - The scope of the issue
  - The type of compromise
  - The name and IP of the machine
  - The username of the user and system administrators of the machine
- Then notify the following groups with the information that you have gathered:
  - IT Incident: (812) 855-8476 day / after hours (812) 855-6789 (sensitive data or threats), immediately. Non-emergency: UIPO Incident Reporting, email@example.com
  - Unit IT Lead: https://collit.college.indiana.edu/contact-us/
  - Unit Chair/Director and PI (general information only until IT Incident responds and approves what is to be shared)
  - College Security Office: Adams, Scott C, firstname.lastname@example.org
  - COLL+IT executive leadership: email@example.com (general information only until IT Incident responds and approves what is to be shared)

Reporting an incident in a timely manner is critical. See https://informationsecurity.iu.edu/report-incident/index.html for the latest contact and situational information.
The UIPO will work with us to coordinate response and forensic investigations, as necessary. They will use the UIPO sensitive data incident response checklist and toolkit. Details about the incident and response will be documented in their tracking system.