Tarleton Office of Innovative Technology Solutions (OITS)
Intrusion Detection Standard

Effective: February 11, 2020

Revised: April 25, 2025

Procedure Summary

Intrusion detection plays an important role in implementing and enforcing an organizational security policy. As information systems grow in complexity, effective security systems must evolve. With the proliferation of the number of vulnerability points introduced by the use of distributed systems, some type of assurance is needed that the systems and network are secure. Intrusion detection systems can provide part of that assurance. Intrusion detection provides two important functions in protecting information resources.

Feedback is information that addresses the effectiveness of other components of a security system. If a robust and effective intrusion detection system is in place, the lack of detected intrusions is an indication that other defenses are working.
A trigger is a mechanism that determines when to activate planned responses to an intrusion incident

Tarleton State University’s (Tarleton or university) information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054. This standard applies to Tarleton State University information resources that store, process, or transmit mission critical and/or confidential information.

The purpose of this standard is to provide a set of measures that will mitigate information security risks associated with intrusion detection. There may be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer. The intended audience for this standard includes, but is not limited to, all information resources data owners, management personnel, and system administrators.

Please see the Tarleton Security Controls Catalog, specifically the Incident Response (IR) family, for additional information and requirements.

Procedures and Responsibilities

Prevention and Detection
- Operating system, user accounting, and application software audit logging processes shall be enabled on all host and server systems where resources permit.
- Alarm and alert functions, as well as audit logging of any firewalls and other network perimeter access control systems, shall be enabled.
- Audit logs from the network perimeter access control systems shall be monitored/reviewed as risk management decisions warrant.
- Audit logs for servers and hosts on the internal, protected network shall be reviewed as warranted based on risk management decisions. The system administrator will furnish any audit logs as requested by appropriate university personnel.
  - Host-based intrusion tools will be tested on a routine schedule.
  - Reports shall be reviewed for indications of intrusive activity.
- All suspected and/or confirmed instances of successful intrusions shall be immediately reported to the Tarleton Information Security Officer (ISO)/Chief Information Security Officer (CISO). Information resource users are encouraged to report any anomalies in system performance and/or signs of unusual behavior or activity to the Office of Innovative Technology Solutions (OITS) Help Desk/Service Desk at helpdesk@tarleton.edu. Please see the Tarleton Security Controls Catalog IR-6, Incident Reporting for additional information.
- System administrators shall keep abreast of industry best practices regarding current intrusion events and methods to detect intrusions. Intrusion detection methods shall be utilized as needed.
Response and Recovery
- Based on the assessment of risk, appropriate action should be taken to protect Tarleton information resources, see the Tarleton Security Controls Catalog, specifically the Incident Response (IR) family, for additional information and resources.

Definitions

Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.

Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.

Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).

Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the a department or the university

Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.