Student Account Incident Procedures
Summary
Indiana Wesleyan University (IWU) is committed to safeguarding student accounts against fraudulent activity. Student Account Services (SAS), International Student Services and the IT department play a critical role in identifying, investigating, and mitigating security risks related to student account fraud. This knowledge base article outlines the procedures for handling various types of student account compromises, including financial fraud within Student Account Services, international student account fraud, and general student account compromises.
By following these procedures, IWU ensures swift and effective responses to suspicious activity, minimizing the risk of unauthorized access, financial loss, and data breaches. This guide provides step-by-step instructions for deactivating compromised accounts, verifying student identities, and coordinating between departments to protect student information and uphold the integrity of university systems.
Student Account Services (SAS) Procedure
The SAS team reviews student accounts for suspicious activity, and if an attempt at financial fraud is identified—including efforts to fraudulently obtain financial aid—the team will recommend disabling the account to prevent further misuse and protect university resources.
PROCEDURE
1. Identification of Fraudulent Accounts - SAS
- Identifies an account using fraudulent banking information.
2. Tracking and Notification - SAS
- Enters the affected student’s information into a tracking Smartsheet.
(https://app.smartsheet.com/sheets/HXv5xH9wcgpCQPmvHr9x5q5cfw3Pf67QGR88hWV1?view=grid)
- The Data Center Team is notified whenever a change is made to the Smartsheet.
3. Account Disabling and Documentation - Data Center Team
- A ticket is opened for the student. Use the "No Correspondence" incident ticket so that the fraudulent student account is not notified.
- A comment is added in iSupport under the student’s record: "Account tagged as using fraudulent information: Direct student to email iwuenroll@indwes.edu with any questions."
- Account is disabled in Active Directory (AD) / Entra ID.
- Account is flagged in the column 'Account Access Removed'.
- This action will then create an automated notification for Information Security and the IT Support Center in the MS Teams Channel: SecOps and IT Support Center Hub.
4. Support Center Interaction - Support Center
If the student contacts the Support Center, staff will review the student’s record in iSupport during identity verification.
- A new ticket is opened for the student
- Support Center staff will communicate to the student that their account is frozen and provide instructions to contact SAS via email at iwuenroll@indwes.edu. Students must include their full name and student ID in their email.
- The ticket is closed with a resolution restating that the student needs to contact SAS via email at iwuenroll@indwes.edu and must include their full name and student ID in that email.
5. SAS Review and Follow-up - SAS
- SAS reviews the student's email (if they proceed to follow up) and determines whether the account can be re-enabled.
- If SAS concludes that the account was flagged in error and should be reinstated, they will proceed with the following in the Student Account Incident smartsheet:
1. Check the Account Reinstate check box.
2. Note in the comments the personal email contact for the student. This will trigger an email notification to Steve Newcomer and Michael Raver to begin Step 6.
6. Re-enabling the Account - Data Center Team
- Reopens original ticket from step 3
- Removes fraudulent activity comment from customer record
- Re-enables the account
- Updates the Smartsheet entry for the customer, noting that the account has been re-enabled (possibly using an ‘Account Re-enabled’ checkbox?)
- DC team contacts the customer via the alternative email from step 5, confirming that their account has been re-enabled and asking them to contact the Support Center if they have any issues with logging in. Note: the contact from the DC team to the customer should be sent from the ticket, possibly utilizing a correspondence template.
- DC team closes the original ticket from step 3.
International Student Programs (ISP) Procedure
The Information Security team actively monitors ISP accounts for signs of misuse or compromise. If unauthorized activity is detected, the team will take immediate action to investigate, contain the threat, and, if necessary, remove any possible access to the account to prevent further security risks and potential fraud.
PROCEDURE
1. Identification of Account Misuse or Compromise - Information Security
- Identifies an account logging into IWU services in an impossible travel situation.
- Removal of all MFA authentication options from the account
- Reset password of the account
- Revoke all MFA and login sessions from the account. This should disconnect all connections to this account from logged-in users.
- Complete the Student Account Incident Form. Ensure that all fields are filled out and checked, and that supporting proof of misuse or compromise is uploaded in JPG or Word Doc format.
- Once completed, the form will populate the Student Account Incident smartsheet and send out an automated post to the MS Teams SecOps and IT Support Center channel. In addition, an email will be sent to the ISP team members [anna.staggs and nathan.hawkins] for review.
- A comment needs to be added in iSupport under the student’s record. Be sure to copy the description outlined in the MS Teams notification that is generated. This will provide clarity.
2. ISP Review and Follow-up - ISP - IT Support Center
- When the student calls the IT Support Center, staff are to refer them to the ISP online case form.
- Once the student contacts the ISP team, the team can review the evidence documented within the Student Account Incident smartsheet.
- If the ISP team, after reviewing the uploaded evidence, determines that the student can be reinstated, the ISP representative will update the Student Account Incident smartsheet by marking the star in the "Reinstate Account" column.
- This will send an automated message to the MS Teams SecOps and IT Support Center channel indicating that, when the student calls the IT Support Center, they can assist the student in obtaining access to their account.
- If the ISP Team determines that the account should undergo additional review, they will send an email with their findings and supporting documentation to N&G management. The IT Support Center should never reinstate an account unless the ISP Team has completed the reinstatement check box step.
General Student Account Compromise Procedure
The Information Security team actively monitors all student accounts for signs of misuse or compromise. If unauthorized activity is detected, the team will take immediate action to investigate, contain the threat, and, if necessary, remove any possible access to the account to prevent further security risks and potential fraud.
PROCEDURE
1. Identification of Account Misuse or Compromise - Information Security
- Identifies an account logging into IWU services in an impossible travel situation.
- Removal of all MFA authentication options from the account
- Reset password of the account
- Revoke all MFA and login sessions from the account. This should disconnect all connections to this account from logged-in users.
- Complete the Student Account Incident Form. Ensure that all fields are filled out and checked, and that supporting proof of misuse or compromise is uploaded in JPG or Word Doc format.
- Once completed, the form will populate the Student Account Incident smartsheet and send out an automated post to the MS Teams SecOps and IT Support Center channel.
- A comment needs to be added in iSupport under the student’s record. Be sure to copy the description outlined in the MS Teams notification that is generated. This will provide clarity.
2. IT Support Center / Student Follow Up - IT Support Center
- When the student calls the IT Support Center, staff will inform the student that there was activity observed on their IWU account that warranted removing access from all current connections to the account.
- The student will need to verify their identity to regain access to their account. This process can be found in the identity verification procedure KB article.
- The Support Center should then edit the student account and clear any comments if the user is verified.
- If the student cannot correctly validate their identity, the ticket will be forwarded to the Information Security Unassigned queue in iSupport for review.
- After the ticket is forwarded, the IT Support Center rep will notify Information Security with any additional details by posting to the MS Teams SecOps and IT Support Center channel.
- Once the student has been cleared for assistance back into their account, Information Security will remove any comments and refer them to IT Support for assistance re-obtaining access.
(Reference) Steps to Add Comments to Student iSupport Record
1. Enter iSupport and go to the search tool in the upper right-hand corner [eyeglass icon].
2. Enter the student's name and click the eyeglass search button next to the box.
3. Click on the Student's name when the record appears.
4. Enter into the Comments box: Account tagged as using fraudulent information: Direct student to email iwuenroll@indwes.edu with any questions.
(Reference) Incident Submission Scenarios
Incidents are potentially submitted and populated into the Student Account Incident smartsheet in one of the following scenarios:
- The Student Account Services team manually enters student information into the form after extensive departmental research has validated fraudulent activity that necessitates shutting down an account.
- Information Security detects anomalous login activity for a general student or ISP student account. The team member will then submit the required information via the Student Account Incident Form.
- If a member of the IT Support Center identifies activity that warrants further investigation, they will escalate the issue to the Information Security Team for review. This communication is initiated via the MS Teams SecOps and IT Support Center channel.
- In certain cases, the IT Support Center may proactively lock a user account without prior authorization from the Information Security Team. This applies specifically to instances where a compromised student account is being used for phishing, and an official security alert has not yet been issued. In such scenarios, this immediate remediation action is both justified and pre-approved. The IT Support Center is then to utilize the form above and attach the required evidence.