Network Monitoring Guidelines
The purpose of this document is to outline university policy regarding the monitoring, logging, and retention of network packets that traverse university networks. The University of Texas at Brownsville takes all reasonable measures to assure the integrity of private and confidential electronic information transported over its networks. The goals of this policy are to maintain the confidentiality, integrity, and availability of the university’s network infrastructure and information assets. Any inspection of electronic data packets, and any action performed following such inspection, will be governed by all applicable federal and state statutes and by university and UT System policies and regulations.
This policy applies to all IT Custodians and IT Owners of department or enterprise information technology resources (including, but not limited to, any networking devices, network monitoring devices, computers acting as network monitoring devices, intrusion detection systems, other packet sniffing devices, logs of other devices such as firewalls, and flow detectors monitoring network activity) operating on a university network.
- Two groups on campus are authorized to routinely monitor traffic on university networks. These groups are Infrastructure, Telecommunications and Networking (ITNet) and the Office of Information Security (OIS). Additional campus IT staff may be approved to access and monitor specific traffic on specific networks for which they are responsible. Authorization must be obtained from the respective IT Owner(s) of the given College, School, or Unit. The individual(s) must also complete a Position of Special Trust form and undergo a standard background check if not already completed. This approval shall also be communicated to the ISO and ITNet. Authorized personnel must demonstrate a need for and an understanding of the operation of network monitoring devices.
- Authorized staff shall use network monitoring devices only to detect:
- known patterns of attack or compromise;
- the improper release of confidential employee or student data;
- or to troubleshoot and analyze network-based problems.
Authorized staff may also analyze certain network-based anomalies to determine the security risk to the university and conduct statistical/operational studies. All monitoring shall be as narrow in scope as possible.
- Authorized staff may not exceed the specified scope of monitoring (for example, users, address ranges, protocols, signatures). Only ITNet and the OIS may monitor public networks and inter-campus networks.
- Personnel authorized to analyze network traffic shall not disclose any information realized in the process without approval of the respective Vice President or department head (with the exception of escalation to the ISO or ITNet for investigation or assistance).
- No authorized personnel shall use network monitoring devices to monitor employee electronic transmissions for job performance evaluation, or as part of an unofficial investigation, without first receiving signed approval from their Vice President.
- The ISO will be the contact for resolution of security-related anomalies or other suspicious activity noticed by representatives in ITNet or in other departments.
- All monitoring points will be architected, approved, and configured by ITNet. Monitoring points and associated devices may not be extended physically or virtually (such as through a VPN) or changed without written approval from ITNet. ITNet shall maintain written records of all monitoring points, architectures, and agreements.
- Monitored data and usage logs will not be stored past the period of active investigation. ITNet and the OIS may store incident-related data as required. Unrelated monitored data may not be stored by anyone except as required by law. ITNet and the ISO may store aggregated data and usage logs for operational, compliance, and statistical purposes. Usage logs must be purged as per campus policies.
- Monitoring data stores and logs may not be accessible from the public Internet. All personnel must show due care in protection, handling, and storage of all monitored data and logs. Off-campus access to monitoring data stores and logs must be authorized and updated by ITNet as part of the monitoring point agreement.
- ITNet and the ISO have the authority to discontinue service to any network or network device that:
- is in violation of this guideline,
- has demonstrated an operational hindrance or threat to UTB Networks, or
- is a threat to the Internet community, in general.
In such cases, ITNet or the ISO shall notify the local IT-Networking Custodian of the disconnection. In less threatening situations, ITNet and ISO representatives will contact the local network administrator and inform them of specific actions that must be taken to avoid imminent disconnection. If corrective actions are not implemented as soon as possible, ITNet or the ISO may discontinue service.
All normal requests for monitoring assistance from external agencies shall be coordinated through the ISO. Exceptional/urgent requests are to be directed to ITNet (24x7x365), which will comply as appropriate and inform the ISO as lawfully allowed.
ITNet will be responsible for the architecture and operations of all network facilities/functions required for Lawful Intercept assistance and compliance, and will be responsible for executing all requests as coordinated through the ISO. Departments will comply with all ITNet requirements and assist ITNet to fulfill its legal obligations.
Misuse or destruction of information technology resources can vary in severity and appropriate disciplinary actions should be taken in proportion to the severity of the incident. It is not the role of Information Technology professionals to carry out disciplinary actions as the result of an incident, but it is their role to monitor resources, to identify potential incidents and to bring such incidents to the attention of appropriate University of Texas at Brownsville officials. The following guidelines apply:
- Suspected incidents involving student, faculty, or staff misuse of information technology resources should be brought to the attention of the ISO.
- If an investigation involving review of the content of a faculty member, staff member, or student’s files is required, written permission will be obtained from the Office of Legal Affairs and other departments, as necessary.
- If it is determined that a misuse violation has occurred by a student, faculty, or staff member, this should be brought to the attention of the ISO. The ISO will consult with either the Human Resource Services or Student Judicial Services, as needed, and in the case of criminal violations, the University Police Department.
- Violations by non-affiliates will be referred to the appropriate authorities. The Office of Legal Affairs may be contacted to provide direction in terms of identifying the appropriate authority.
- Issues of departmental non-compliance may be reported to the respective executive management, the Office of Internal Audit, or the Office of the President.