Intrusion Detection
1. General
Intrusion detection plays an important role in implementing and enforcing an organizational security policy. As information resources grow in complexity, effective security systems must evolve. As the use of distributed systems multiplies the number of points of vulnerability, some form of assurance is needed that systems and the network are secure. Intrusion detection systems can provide part of that assurance. Intrusion detection provides two important functions in protecting information resources:
- Feedback is information that addresses the effectiveness of other components of a security system. If a robust and effective intrusion detection system is in place, the lack of detected intrusions is an indication that other defenses are working.
- A trigger is a mechanism that determines when to activate planned responses to an intrusion incident.
2. Applicability
This procedure applies to University information resources that store, process, or transmit mission critical and/or confidential information. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with Intrusion Detection. The intended audience for this standard administrative procedure includes, but is not limited to, all information resources management personnel, owners, and system administrators.
3. Definitions
- Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.
- Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
- Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.
- Owner of an Information Resource: an entity responsible for:
4. Procedures
- Operating system, user accounting, and application software audit logging processes shall be enabled on all host and server systems where resources permit.
- Alarm and alert functions, as well as audit logging, of any firewalls and other network perimeter access control systems shall be enabled.
- Audit logs from the network perimeter access control systems shall be monitored/reviewed as risk management decisions warrant.
- Audit logs for servers and hosts on the internal, protected network shall be reviewed monthly.
- Host based intrusion detection tools will be tested on a routine schedule.
- Reports shall be reviewed for indications of intrusive activity.
- All suspected and/or confirmed instances of successful intrusions shall be immediately reported to the University Administration for disposition.