====== Policies - Monitoring Policy ======

At minimum, the **Chief Information Security Officer** must ensure:

  * that network traffic and use of Information Resources is monitored as authorized by applicable law and only for purposes of fulfilling the mission-related duty;
  * that server and network logs are reviewed manually or through automated processes on a scheduled basis, based on Risk and regulation, to ensure that Information Resources containing Confidential Data are not being inappropriately accessed;
  * that vulnerability assessments are performed annually, at minimum, to identify software and configuration weaknesses within information systems;
  * that an annual, professionally administered and reported external network penetration test is performed, leveraging peer institution resources where possible;
  * that results of log reviews, vulnerability assessments, penetration tests, and IT audits are available to the ISO and that required remediation is implemented; and
  * that all security monitoring is executed in accordance with the Network Monitoring Guidelines.