CA-7 Continuous Monitoring

Description

The university monitors security controls for information resources on an ongoing basis.

Applicability

  • The intended audience includes the Chief Information Security Officer (CISO), information resource owners and custodians. This Control applies to all information resources with a high or moderate impact level.

Implementation

  • 1 - The CISO, in consultation with information resource owners, shall develop a continuous monitoring strategy and implement a continuous monitoring program that includes:

    • 1.1 - Establishment of the information resource metrics to be monitored;
    • 1.2 - Establishment of a methodology for monitoring and a methodology for assessments supporting such monitoring;
    • 1.3 - Ongoing security control assessments in accordance with the university's continuous monitoring strategy;
    • 1.4 - Ongoing security status monitoring of university-defined metrics in accordance with the university's continuous monitoring strategy;
    • 1.5 - Correlation and analysis of security-related information generated by assessments and monitoring;
    • 1.6 - Response actions to address results of the analysis of security-related information; and
    • 1.7 - Reporting the security status of the university and information resources to the Chief Information Officer and President annually.
  • 2 - The CISO, in consultation with information resource owners, shall also ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

    • 2.1 - Effectiveness monitoring;
    • 2.2 - Compliance monitoring; and
    • 2.3 - Change monitoring.