BP.02.004 - Business Practice for Intrusion Detection


History

  • Business Practice Number: BP.02.004
  • Version: 1
  • Drafted By: Herb Aquino
  • Approved By: Michael Berman
  • Approval Date: 08/31/2010
  • Latest Revision Date: 11/21/2012

Purpose

Document the use of intrusion detection systems on the Channel Islands network.

Background

Channel Islands T&C must take steps to protect the confidentiality, integrity, and availability of the University's information assets. To this end, Channel Islands T&C operates one or more intrusion detection systems on the Channel Islands network. Intrusion detection systems, or IDS, are designed to passively monitor the network and serve as a record of suspected intrusion events to support T&C investigations and quality assurance.

Monitoring of the University network by T&C employees to ensure quality of service and to protect information assets is permitted under Federal and state law, and is required by the Integrated California State University Administrative Manual (ICSUAM), Policy 8045.500.

Business Practice

Accountability

Manager of Infrastructure

Applicability

All users

Definition(s)

Text

Intrusion Detection Systems

Channel Islands T&C operates one or more intrusion detection system sensors on the University network, including at least one device each in the Demilitarized Zone and the internal campus network. These devices are designed to monitor the University network looking for traffic that matches known or suspected attack patterns. Network traffic matching known or suspected attack patterns is retained by the sensor device and forwarded to a central logging server. The central logging server retains the traffic and provides for analysis and correlation with other T&C logs.

Intrusion detection systems additionally provide insight into the performance and behavior of devices on the University network. A misconfigured device, or a device that has been compromised, may generate traffic that causes IDS alerts.

Use of IDS Logs and Retention of Data

IDS logs are only used to investigate, or respond to, information security incidents, and to ensure quality of service. IDS logs are retained for not longer than thirty days. In conjunction with other logs maintained by T&C, IDS logs may be used to identify the person responsible for a network security incident.

IDS logs may contain personally identifiable or other security-sensitive information. They are treated as Confidential, Level 1 data by T&C and will not be disclosed to anyone except as required by law or University policy. However, in cases where a University employee, member of the faculty, or student is responsible for an information security incident, T&C may disclose pertinent entries in IDS logs to the appropriate disciplinary authorities, and only with the express consent of the VP for Technology & Communication.

Within T&C, access to IDS logs is limited to T&C Infrastructure personnel, the VP for Technology & Communication, and the Information Security Officer or designee. In addition, access to IDS logs may be made available to the VISC to assist the campus in analysis and/or response.

Reviewing Effectiveness

Channel Islands T&C will annually review the effectiveness of its intrusion detection systems as part of its ongoing review of its security incident response practice.

Exhibit(s)

Assessment History

Description                                   Frequency   Role Assigned
General review of this business practice.     Annual      Manager, Infrastructure
Review of IDS effectiveness.                  Annual      Manager, Infrastructure