California State Polytechnic University, Pomona
Network Monitoring Guidelines

Developed in consultation with the Information Security Governance Council: Al Arboleda, Stephanie Doda, Glendy Yeh, Kevin Morningstar, Lisa Rotunni, Joe Matsumoto, Randall Townsend
and University Human Resources, Faculty Affairs, and I&IT Systems: Angie Hernandez, George Tejadilla, and Jarod Beekman

Final: 12/10/10
Revision Control

Document Title: CPP Network Monitoring Guidelines
Author: Information Security Department
File Reference: Network Monitoring Guidelines121010.doc

Revision History
Date      | By          | Action                                                          | Pages
8/10/10   | Al Arboleda | Develop Draft                                                   |
8/12/10   | Al Arboleda | Update Guidelines                                               | 3
12/09/10  | Al Arboleda | Update Guideline: add Chief of Police to consultation process   |

Review/Approval History
Date      | By                                          | Action | Pages
9/1/10    | Angie Hernandez and George Tejadilla        |        |
9/14/10   | Information Security Governance Council     |        |
12/10/10  | Information Technology Governance Council   |        | 4
Network Monitoring Guidelines

Purpose
The purpose of this document is to outline university guidelines regarding the monitoring, logging, and retention of network packets that traverse the university network. Cal Poly Pomona takes all reasonable measures to ensure the integrity of private and confidential electronic information transported over its networks. The goals of these guidelines are to maintain the confidentiality, integrity, and availability of the university's network infrastructure and information assets. Any inspection of electronic data packets, and any action performed following such inspection, will be governed by all applicable federal and state statutes and by CSU and Cal Poly Pomona policies.

Scope
These guidelines apply to all IT Custodians and IT Owners of department or enterprise information technology resources operating on a university network, including, but not limited to, networking devices, network monitoring devices, computers acting as network monitoring devices, intrusion detection systems and other packet sniffing devices, logs of other devices such as firewalls, and flow detectors monitoring network activity.

Guidelines
1. Two groups on campus are authorized to routinely monitor traffic on university networks: I&IT Systems and the Information Security Office (ISO).
2. In most instances the University will not monitor traffic on university networks, and it will not examine the content of network packets that traverse the university network except under certain circumstances.
3. Authorized staff shall use network monitoring devices only to detect known patterns of attack or compromise; to detect the improper release of confidential employee or student data; or to troubleshoot and analyze network-based problems. Authorized staff may also analyze certain network-based anomalies to determine the security risk to the university, and may conduct statistical/operational studies. Monitoring shall be as narrow in scope as possible.
4. Authorized staff may not exceed the specified scope of monitoring (for example, users, address ranges, protocols, signatures).
5. Investigations into allegations of violations of policy or law require the review and approval of the Chief Information Officer and the respective Division Vice President before network monitoring can begin. The Chief of University Police will be consulted on violations of law.
6. The ISO will be the contact for investigations into allegations of violations of law or policy.
7. The ISO will be the contact for resolution of security-related anomalies or other suspicious activity noticed by representatives in I&IT Systems or in other departments.
8. Monitoring points will be architected, approved, and configured by I&IT Systems. Monitoring points and associated devices may not be extended physically or virtually (such as through a VPN) or changed without written approval from I&IT Systems. I&IT Systems shall maintain written records of all monitoring points, architectures, and agreements.
9. Monitored data and usage logs will not be stored past the period of an active investigation. I&IT Systems and the ISO may store incident-related data as required. Unrelated monitored data may not be stored by anyone except as required by law. I&IT Systems and the ISO may store aggregated data and usage logs for operational, compliance, and statistical purposes. Usage logs must be purged in accordance with campus policies.
10. Monitoring data stores and logs may not be accessible from the public Internet. Personnel must show due care in the protection, handling, and storage of all monitored data and logs. Off-campus access to monitoring data stores and logs must be authorized and updated by I&IT Systems as part of the monitoring point agreement.
11. I&IT Systems and the ISO have the authority to discontinue service to any network or network device that is in violation of this policy, has demonstrated an operational hindrance or threat to the Cal Poly Pomona network, or is a threat to the Internet community in general. In such cases, I&IT Systems or the ISO shall notify the local campus technician of the disconnection. In less threatening situations, I&IT Systems and ISO representatives will contact the appropriate information technology administrator and inform them of the specific actions that must be taken to avoid imminent disconnection. If corrective actions are not implemented as soon as possible, I&IT Systems or the ISO may discontinue service.
12. Normal requests for monitoring assistance from external agencies shall be coordinated through the ISO. Exceptional/urgent requests are to be directed to I&IT Systems (24x7x365), which will comply as appropriate and inform the ISO as lawfully allowed.
13. I&IT Systems will be responsible for the architecture and operations of all network facilities/functions required for lawful intercept assistance and compliance, and will be responsible for executing all requests as coordinated through the ISO. Departments will comply with all I&IT Systems requirements and assist I&IT Systems in fulfilling its legal obligations.
14. It is the role of Information Technology professionals to monitor resources, to identify potential incidents, and to bring such incidents to the attention of appropriate Cal Poly Pomona officials. The following guidelines apply:
  o Suspected incidents involving student, faculty, or staff misuse of information technology resources should be brought to the attention of the ISO.
  o If an investigation requires review of the content of a faculty member's, staff member's, or student's files, permission will be obtained from the Chief Information Officer and the respective Division Vice President, and from other departments as necessary.
  o If it is determined that a misuse violation has occurred by a student, faculty, or staff member, this should be brought to the attention of the ISO. The ISO will consult with the Human Resources department, the Office of Judicial Affairs, or the Office of Faculty Affairs, as needed, and, in the case of criminal violations, the University Police Department.
  o Violations by non-affiliates will be referred to the appropriate authorities. University Legal Counsel may be contacted to provide direction in identifying the appropriate authority.
  o Issues of departmental non-compliance may be reported to the respective executive management, the Office of Internal Audit, or the Office of the President.

Related Policies
Cal Poly Pomona Appropriate Use Policy for Information Technology
Integrated CSU Administrative Manual - California State University Information Security Policy
  o Section - Information Technology Security - http://www.calstate.edu/icsuam/sections/8000/8045.0.shtml
  o Section - Privacy of Personal Information - http://www.calstate.edu/icsuam/sections/8000/8025.0.shtml
  o Section - Policy Enforcement - http://www.calstate.edu/icsuam/sections/8000/8095.0.shtml