
Information Security Standards

INTRUSION DETECTION

GENERAL

Intrusion detection plays an important role in implementing and enforcing an organizational security policy. As information resources grow in complexity, effective security systems must evolve. Because distributed systems multiply the number of points at which a vulnerability can be introduced, some form of assurance is needed that the systems and network are secure. Intrusion detection systems can provide part of that assurance. Intrusion detection provides two important functions in protecting information resources:

1. Feedback is information that addresses the effectiveness of other components of a security system. If a robust and effective intrusion detection system is in place, the lack of detected intrusions is an indication that other defenses are working.

2. A trigger is a mechanism that determines when to activate planned responses to an intrusion incident.

APPLICABILITY

This procedure applies to University information resources that store, process, or transmit mission-critical and/or confidential information. The purpose of this procedure is to provide a set of measures that will mitigate the information security risks associated with intrusion detection. The intended audience for this standard administrative procedure includes, but is not limited to, all information resources management personnel, owners, and system administrators.

PROCEDURES

1. Operating system, user accounting, and application software audit logging processes shall be enabled on all host and server systems where resources permit.

2. Alarm and alert functions as well as audit logging of any firewalls and other network perimeter access control systems shall be enabled.

3. Audit logs from the network perimeter access control systems shall be monitored/reviewed as risk management decisions warrant.

4. Audit logs for servers and hosts on the internal, protected network shall be reviewed monthly.

a. Host-based intrusion detection tools will be tested on a routine schedule.

b. Reports shall be reviewed for indications of intrusive activity.

5. All suspected and/or confirmed instances of successful intrusions shall be immediately reported according to the University Information Security Standard Administrative Procedure, Incident Management.

RELATED STATUTES, POLICIES, AND REQUIREMENTS

University Information Security Standard Administrative Procedure, Incident Management

HISTORY

Last Updated March 31, 2014
