Tarleton Office of Innovative Technology Solutions (OITS)
Security Monitoring Standard
Effective: February 11, 2020
Revised: May 29, 2026
Procedure Summary
Tarleton State University (Tarleton or university) has the right to examine information on information resources that are under the control or custody of the university. Security monitoring is a method used to confirm that the security practices and controls in place are being adhered to and are effective. Monitoring consists of activities such as the review of user account logs, application logs, data backup and recovery logs, automated intrusion detection system logs, etc.
Tarleton information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054. This standard applies to all university-managed information resources containing mission critical information, confidential information, and other information resources as may be managed by Tarleton.
The purpose of the security monitoring standard is to ensure that information resource security controls are in place, are effective, and are not being bypassed. In addition, this standard provides a set of measures that will mitigate information security risks associated with security monitoring. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer. This standard applies to all individuals, users, and/or administrators of Tarleton information resources, especially those who are responsible for the installation of new information resources, the operations of existing information resources, and individuals charged with information resources security.
Please see the Tarleton Security Controls Catalog, specifically SI-4: System Monitoring, and the Tarleton OITS Privacy Standard for additional information and requirements.
Procedures and Responsibilities
- Automated tools will provide real-time notifications and appropriate response, as necessary, of detected wrongdoing and vulnerability exploitation. Where possible, a security baseline will be developed and the tools will report exceptions.
- Any security issues discovered will be reported to the Chief Information and Security Officer (CISO) for follow-up investigation.
Definitions
Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.
Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).
Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of a department or the university.
Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.
Related Statutes, Policies, or Requirements
TAMUS Policy 29.01, Information Resources
TAMUS Regulation 29.01.02, Use of Licensed Software
TAMUS Regulation 29.01.03, Information Security
TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources
TAMUS Regulation 29.01.05, Artificial Intelligence
TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies
Tarleton SAP 29.01.03.T0.01, Information Resources – Acceptable Use
Tarleton Rule 29.01.99.T1, Information Resources
Tarleton Security Controls Catalog
Tarleton Rules and Notices – Privacy and Security Policy
Tarleton’s Family Educational Rights and Policy Act (FERPA) Information Privacy Policy
Contact Office
Office of Innovative Technology Solutions
AVP and CIO of Innovative Technology Solutions
254-459-5685