Description

The university monitors security controls for information resources on an ongoing basis.

Applicability

  • The intended audience includes the Chief Information Security Officer (CISO), information resource owners and custodians.

Implementation

  • 1

    The CISO, in consultation with information resource owners, shall develop a continuous monitoring strategy and implement a continuous monitoring program that includes:

    • 1.1

      Establishment of the information resource metrics to be monitored;

    • 1.2

      Establishment of a methodology for monitoring and a methodology for assessments supporting such monitoring;

    • 1.3

      Ongoing security control assessments in accordance with the university's continuous monitoring strategy;

    • 1.4

      Ongoing security status monitoring of university defined metrics in accordance with university continuous monitoring strategy;

    • 1.5

      Correlation and analysis of security related information generated by assessments and monitoring;

    • 1.6

      Response actions to address results of the analysis of security-related information; and

    • 1.7

      Reporting the security status of the university and information resources to the Chief Information Officer and President annually.