The university monitors security controls for information resources on an ongoing basis.


  • The intended audience includes the Chief Information Security Officer (CISO), information resource owners and custodians. This Control applies to all information resources with a high or moderate impact level.


  • 1

    The CISO, in consultation with information resource owners, shall develop a continuous monitoring strategy and implement a continuous monitoring program that includes:

    • 1.1

      Establishment of the information resource metrics to be monitored;

    • 1.2

      Establishment of a methodology for monitoring and a methodology for assessments supporting such monitoring;

    • 1.3

      Ongoing security control assessments in accordance with the university's continuous monitoring strategy;

    • 1.4

      Ongoing security status monitoring of university defined metrics in accordance with university continuous monitoring strategy;

    • 1.5

      Correlation and analysis of security related information generated by assessments and monitoring;

    • 1.6

      Response actions to address results of the analysis of security-related information; and

    • 1.7

      Reporting the security status of the university and information resources to the Chief Information Officer and President annually.

  • 2

    The CISO, in consultation with information resource owners, shall also ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

    • 2.1

      Effectiveness monitoring;

    • 2.2

      Compliance monitoring; and

    • 2.3

      Change monitoring