I. STANDARD STATEMENT

This standard serves as a companion to the Standard for Intrusion Detection and provides
for the continuous monitoring that takes place at the system level.

II. RATIONALE

This standard supports HOP Policy 8-12, Information Resources Use and Security Policy.

III. SCOPE

This standard applies to all UTSA faculty, staff, and students.

IV. CONTACTS

The Office of Information Security
informationsecurity@utsa.edu

V. PROCEDURES

  1. Security Monitoring provides a means by which to confirm that information resource
    security controls are in place, are effective and are not being bypassed. One of the
    benefits of security monitoring is the early identification of wrongdoing or new security
    vulnerabilities. Early detection and monitoring can prevent possible attacks or minimize
    their impact on computer systems. Other benefits include audit compliance, service level
    monitoring, performance measuring, limiting liability and capacity planning.
  2. The UTSA Standard for Security Monitoring applies to all individuals who are
    responsible for the installation of new information resources, the operations of existing
    information resources and individuals charged with information resource security.

    1. UTSA will use automated tools to provide real-time notification of detected
      wrongdoing and vulnerability exploitation. Where possible, a security baseline
      will be developed and the tools will report exceptions. These tools will be
      deployed by University Technology Solutions (UTS) to monitor UTSA computers
      and devices for:

      1. Internet traffic:
        • SPLUNK
        • ExtraHop
      2. Electronic mail traffic:
        • Spam and phishing email filters are deployed, monitored, and reported on
          a weekly basis.
      3. LAN traffic, protocols and device inventory:
        • SPLUNK
        • ExtraHop
      4. Operating system security parameters:
        • M365 monitoring tools
      5. Rogue access points/devices:
        • SPLUNK
        • ClearPass
      6. Installed software on servers and desktops:
        • ServiceNow
        • M365 monitoring tools
    2. The following systems will be used to check for signs of illicit activity and
      vulnerability to exploitation at a frequency determined by risk:

      1. Automated intrusion detection system logs:
        • SPLUNK
      2. Firewall logs:
        • SPLUNK
        • Fortinet
        • Juniper
      3. User account logs:
        • M365
        • Ellucian system logs
      4. Network scanning logs:
        • Tenable output
      5. System error logs:
        • SPLUNK
      6. Configuration files:
        • System Specific files
      7. Application logs:
        • SPLUNK
      8. Data backup and recovery logs:
        • SPLUNK
      9. TechCafé service tickets:
        • ServiceNow
      10. Telephone activity – Call Detail Reports:
        • System specific logs
      11. Network printer and fax logs:
        • System specific logs
    3. Assigned individuals will monitor the following (at least annually):
      1. Password strength
      2. Unauthorized network devices
      3. Unauthorized personal Web servers
      4. Unsecured sharing of devices
      5. Unauthorized modem use
      6. Operating System and software licenses
    4. For audit purposes, logs will be archived for a minimum of 90 days.
    5. Any security issues discovered will be reported to the Information Security
      Officer (ISO) for follow-up investigation.

OIS 32 – Standard for Security Monitoring
Effective Date: January 1, 2013
Reviewed: June 29, 2020