Standard 17: Cybersecurity Program Monitoring
Revision Number: 1
Effective Date: 2/24/2020
Revised Date: 2/24/2020
Review Date: 2/24/2020
Responsible Division/Department: Office of the CIO / Information Technology Services
- That network traffic and use of information resources are monitored as authorized by applicable law and only for purposes of fulfilling the University's mission
- Server and network logs are reviewed manually or through automated processes on a regular basis as dictated by risk and regulation to ensure that information resources containing sensitive data are not being inappropriately accessed
- Vulnerability assessments are performed on all servers on a routine basis (at least weekly) to identify software and configuration weaknesses within information systems. Critical and high vulnerabilities are to be mitigated within 5 business days of discovery
- An annual, professionally administered and reported external network penetration test is performed. This penetration test should use a different third-party vendor each year
- That results of log reviews, vulnerability assessments, penetration tests, and IT audits are reviewed and that any required remediations are implemented as resources allow