California State Polytechnic University, Pomona

Network Monitoring Guidelines

Developed in consultation with the Information Security Governance Council
Al Arboleda, Stephanie Doda, Glendy Yeh, Kevin Morningstar, Lisa Rotunni, Joe Matsumoto, Randall Townsend

And University Human Resources, Faculty Affairs, and I&IT Systems
Angie Hernandez, George Tejadilla, and Jarod Beekman

Final: 12/10/10

Revision Control

Document Title: CPP Network Monitoring Guidelines
Author: Information Security Department
File Reference: Network Monitoring Guidelines doc

Date | By | Action | Pages
8/10/10 | Al Arboleda | Develop Draft |
8/12/10 | Al Arboleda | Update Guidelines | 3
12/09/10 | Al Arboleda | Update Guideline add Chief of Police to consultation process |

Review/Approval History

Date | By | Action | Pages
9/1/10 | Angie Hernandez and George Tejadilla | |
9/14/10 | Information Security Governance Council | |
12/10/10 | Information Technology Governance Council | | 4

Network Monitoring Guidelines

Purpose

The purpose of this document is to outline university guidelines regarding the monitoring, logging, and retention of network packets that traverse the university network. Cal Poly Pomona takes all reasonable measures to assure the integrity of private and confidential electronic information transported over its networks. The goals of these guidelines are to maintain the confidentiality, integrity, and availability of the university's network infrastructure and information assets. Any inspection of electronic data packets, and any action performed following such inspection, will be governed by all applicable federal and state statutes and by CSU and Cal Poly Pomona policies.

Scope

This guideline applies to all IT Custodians and IT Owners of department or enterprise information technology resources (including, but not limited to, any networking devices, network monitoring devices, computers acting as network monitoring devices, intrusion detection systems, other packet sniffing devices, logs of other devices such as firewalls, and flow detectors monitoring network activity) operating on a university network.

Guidelines

1. Two groups on campus are authorized to routinely monitor traffic on university networks. These groups are I&IT Systems and the Information Security Office (ISO).
2. The University will not monitor traffic on university networks in most instances, nor will it examine the content of network packets that traverse the university network except under certain circumstances.
3. Authorized staff shall use network monitoring devices only to detect: known patterns of attack or compromise; the improper release of confidential employee or student data; or to troubleshoot and analyze network-based problems. Authorized staff may also analyze certain network-based anomalies to determine the security risk to the university and conduct statistical/operational studies. Monitoring shall be as narrow in scope as possible.
4. Authorized staff may not exceed the specified scope of monitoring (for example, users, address ranges, protocols, signatures).
5. Investigations into allegations of violation of policy or law will require the review and approval of the Chief Information Officer and the respective Division Vice President before network monitoring can begin. The Chief of University Police will be consulted on violations of law.
6. The ISO will be the contact for investigations into allegations of violations of law or policy.
7. The ISO will be the contact for resolution of security-related anomalies or other suspicious activity noticed by representatives in I&IT Systems or in other departments.
8. Monitoring points will be architected, approved, and configured by I&IT Systems. Monitoring points and associated devices may not be extended physically or virtually (such as through a VPN) or changed without written approval from I&IT Systems. I&IT Systems shall maintain written records of all monitoring points, architectures, and agreements.
9. Monitored data and usage logs will not be stored past the period of an active investigation. I&IT Systems and the ISO may store incident-related data as required. Unrelated monitored data may not be stored by anyone except as required by law. I&IT Systems and the ISO may store aggregated data and usage logs for operational, compliance, and statistical purposes. Usage logs must be purged as per campus policies.
10. Monitoring data stores and logs may not be accessible from the public Internet. Personnel must show due care in protection, handling, and storage of all monitored data and logs. Off-campus access to monitoring data stores and logs must be authorized and updated by I&IT Systems as part of the monitoring point agreement.
11. I&IT Systems and the ISO have the authority to discontinue service to any network or network device that: is in violation of this policy, has demonstrated an operational hindrance or threat to the Cal Poly Pomona network, or is a threat to the Internet community in general. In such cases, I&IT Systems or the ISO shall notify the local campus technician of the disconnection. In less threatening situations, I&IT Systems and ISO representatives will contact the appropriate information technology administrator and inform them of specific actions that must be taken to avoid imminent disconnection. If corrective actions are not implemented as soon as possible, I&IT Systems or the ISO may discontinue service.
12. Normal requests for monitoring assistance from external agencies shall be coordinated through the ISO. Exceptional/urgent requests are to be directed to I&IT Systems (24x7x365), which will comply as appropriate and inform the ISO as lawfully allowed.
13. I&IT Systems will be responsible for the architecture and operations of all network facilities/functions required for lawful intercept assistance and compliance, and will be responsible for executing all requests as coordinated through the ISO. Departments will comply with all I&IT Systems requirements and assist I&IT Systems to fulfill its legal obligations.
14. It is the role of Information Technology professionals to monitor resources, to identify potential incidents, and to bring such incidents to the attention of appropriate Cal Poly Pomona officials. The following guidelines apply:
   o Suspected incidents involving student, faculty, or staff misuse of information technology resources should be brought to the attention of the ISO.
   o If an investigation involving review of the content of a faculty member, staff member, or student's files is required, permission will be obtained from the Chief Information Officer and the respective Division Vice President, and other departments, as necessary.
   o If it is determined that a misuse violation has occurred by a student, faculty, or staff member, this should be brought to the attention of the ISO. The ISO will consult with the Human Resource department, Office of Judicial Affairs, or Office of Faculty Affairs, as needed, and in the case of criminal violations, the University Police Department.
   o Violations by non-affiliates will be referred to the appropriate authorities. The University Legal Counsel may be contacted to provide direction in terms of identifying the appropriate authority.
   o Issues of departmental non-compliance may be reported to the respective executive management, the Office of Internal Audit, or the Office of the President.

Related Policies

Cal Poly Pomona Appropriate Use Policy for Information Technology
Integrated CSU Administrative Manual - California State University Information Security Policy
   o Section- Information Technology Security -
   o Section- Privacy of Personal Information -
   o Section- Policy Enforcement -