7.5.5 Security Monitoring
A. Purpose
To ensure that Information Resource security controls are in place, are effective, and are not being bypassed.
B. Persons Affected
All individuals responsible for the installation of new Information Resources or the operation of existing Information Resources, and all individuals charged with Information Resource Security, for the University of Texas at Tyler (the "University").
C. Definitions
- Information Resources (IR) - Any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, Network Infrastructure, personal computers, notebook computers, hand-held computers, pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
- Confidential Data - Information that must be protected from unauthorized disclosure or public release based on state or federal law (e.g. the Texas Public Information Act and other constitutional, statutory, judicial, and legal agreements). Examples of Confidential Data may include but are not limited to:
- protected health information under HIPAA
- protected student information under FERPA
- credit card numbers associated with an individual's name
The unauthorized destruction, disclosure or modification of Confidential information would be expected to have a severe or catastrophic adverse effect on organization operations, organizational assets, or on individuals.
- Information Security Officer (ISO) - Responsible to executive management for administering the information security functions within the University. The ISO is the University's internal and external point of contact for all information security matters.
D. Policy
One of the benefits of security monitoring is the early identification of wrongdoing or new security vulnerabilities. This early identification can help to block the wrongdoing or vulnerability before harm can be done, or at least to minimize the potential impact. Other benefits include audit compliance, service level monitoring, performance measuring, limiting liability, and capacity planning.
The ISO has the authority to monitor IR on behalf of the University as directed by official policy or executive order. At a minimum, the ISO must ensure:
- that network traffic and use of IR are monitored as authorized by applicable law and only for purposes of fulfilling a UT System or University mission-related duty;
- that server and network logs are reviewed, manually or through automated processes, on a schedule set according to risk and regulatory requirements, to ensure that IR containing Confidential Data are not being inappropriately accessed;
- that annual vulnerability assessments are performed to identify software and configuration weaknesses within information systems maintained in both Centralized and Decentralized IT;
- that an annual external network penetration test is performed by a qualified, independent third party, which may be another university; and
- that the results of log reviews, vulnerability assessments, and network penetration tests are available to the ISO and that required remediation is implemented.
Disciplinary Actions
Violation of this policy may result in disciplinary action, which may include termination for employees and temporary staff, termination of the employment relationship in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of University IR access privileges and to civil and criminal prosecution.
E. References
UTS165 Information Resources Use and Security Policy
F. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 09/2021
AMENDED: 05/2023