Incident Monitoring consists of activities such as the review of: user account logs, application logs, data backup and recovery logs, automated intrusion detection system logs, etc.


  • This control applies to all information resource owners and custodians, and third parties who are responsible for Texas A&M University information resources. Common events such as malware or other events that are detected, mitigated, and resources restored within a reasonable amount of time with locally available unit resources are not included in these procedures. The intended audience is all individuals that are responsible for the installation of new information resources, the operations of existing information resources, and individuals charged with information resources security.


  • 1

    Incident monitoring of information resources should be included as part of ongoing information resource monitoring (See Control SI-4 Information System Monitoring) and shall be implemented based on risk management decisions by the information resource owner.

    • 1.1

      Information resources containing Critical or Confidential data shall, at a minimum, enable operating system logging features. Automated tools shall be used where deemed beneficial by the information resource owner or designee.

    • 1.2

      Information resources not containing Critical or Confidential data may enable operating system logging features and other security monitoring features.

    • 1.3

      Network security monitoring will be conducted by the Texas A&M IT Security Operations team. Any other monitoring shall be coordinated with them. They can be contacted through the IT Help Desk at (979) 845-8300.

    • 1.4

      Logs and other data generated by security monitoring shall be reviewed periodically based on risk management decisions by the information resource owner or designee.

  • 2

    Where feasible, a security baseline shall be developed and automated detection tools shall report exceptions for high impact information resources.

  • 3

    Any significant security issues discovered and all signs of unauthorized activity shall be reported according to Control IR-6, Incident Reporting.