Policy 3 - Audit Policy

1.0 Purpose

The purpose of this policy is to advise users of the security scanning procedures and precautions used by ºìÐÓ¶ÌÊÓƵ State University to audit its network and systems. Other persons or entities, unless authorized, are prohibited from performing any such audits.

Audits may be conducted to:

  • Ensure integrity, confidentiality and availability of information and resources
  • Investigate possible security incidents to ensure conformance to ºìÐÓ¶ÌÊÓƵ Information Technology policies
  • Monitor user or system activity where appropriate

Any questions or comments about this policy should be directed to Information Systems.

2.0 Scope

This policy covers:

  • All computer and communication devices owned or operated by ºìÐÓ¶ÌÊÓƵ State University
  • Any computer or communication device connected to the ºìÐÓ¶ÌÊÓƵ network and corresponding systems
  • Any computer or communication device which has been connected to the ºìÐÓ¶ÌÊÓƵ network, if it is believed such computer or communication device has been used contrary to any ºìÐÓ¶ÌÊÓƵ Information Technology policy while so connected
  • All computers and communication devices that are attempting in any manner to interact or interface with the ºìÐÓ¶ÌÊÓƵ network and systems

3.0 Policy

ºìÐÓ¶ÌÊÓƵ State University shall utilize auditing software to perform electronic scans of its networks, servers, switches/routers, firewalls and/or any other systems at ºìÐÓ¶ÌÊÓƵ State University. This also includes scans of any electronic communication and e-mail, regardless of by or to whom the communications are sent. ºìÐÓ¶ÌÊÓƵ State University shall maintain a log of authorized users' login activity and monitor for unauthorized access.

These tests may include:

  • User and/or system level access to any computing or communications device
  • Access to information that may be produced, transmitted or stored on ºìÐÓ¶ÌÊÓƵ State University equipment or premises
  • Access to work areas (labs, offices, cubicles, storage areas, etc.)
  • Access to interactively monitor and log traffic on ºìÐÓ¶ÌÊÓƵ State University networks
  • Penetration testing
  • Password auditing
  • Scanning for Personally Identifiable Information

3.1 Network Control

Internal security testing on all ºìÐÓ¶ÌÊÓƵ State University owned networks requires the prior approval of the Chief Information Officer. This includes all computers and equipment that are connected to the network at the time of the test.

3.2 Data Inventory Schedule

ºìÐÓ¶ÌÊÓƵ State University shall conduct inventories of data assets on a regular basis. The frequency of inventory assessments shall be determined by the sensitivity and criticality of the data, but at minimum they shall be conducted annually.

During the inventory process, all data assets shall be identified, including but not limited to:

  • Personally identifiable information (PII)
  • Confidential business data
  • Intellectual property
  • Financial records
  • Health records
  • Regulatory data

Each data asset shall be documented with its collection, storage and transmission locations. This includes physical and digital repositories, network paths, cloud services and any third-party systems where the data resides or is processed.

3.3 Application Security Assessment

All institution-developed applications shall undergo a comprehensive security assessment before deployment and periodically thereafter. The assessment process may include, but is not limited to:

  • Vulnerability scanning
  • Penetration testing
  • Code review
  • Security architecture review
  • Security assessment and questionnaire for third-party software vendors

4.0 Enforcement

Anyone found to have violated this policy may be subject to disciplinary action according to personnel policies and procedures. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with ºìÐÓ¶ÌÊÓƵ State University.

5.0 Definitions

ºìÐÓ¶ÌÊÓƵ State University Network

Being connected to a ºìÐÓ¶ÌÊÓƵ State University network includes the following:

  • If you have a network-capable device (e.g. a laptop) plugged into a ºìÐÓ¶ÌÊÓƵ State University owned building via Ethernet cable, then you are connected to the ºìÐÓ¶ÌÊÓƵ LAN (local area network).
  • If you have a wireless-capable device (e.g. a laptop or iPhone) and connect to one of the approved SSIDs, then you are connected to the ºìÐÓ¶ÌÊÓƵ WLAN (wireless local area network).

If you connect from a computer through the ºìÐÓ¶ÌÊÓƵ State University VPN (virtual private network) or approved remote access software, you are then connected to the ºìÐÓ¶ÌÊÓƵ LAN (local area network).
Policy adopted:  02-25-2011
Revision adopted:  08-21-2024
Policy approval and adoption: ºìÐÓ¶ÌÊÓƵ State University President's Office and Information Systems Security