Description

The university monitors security controls for information resources on an ongoing basis.

Applicability

  • The intended audience includes the Chief Information Security Officer (CISO), information resource owners, and custodians. This control applies to all information resources with a high or moderate impact level.

Implementation

  • 1

    The CISO, in consultation with information resource owners, shall develop a continuous monitoring strategy and implement a continuous monitoring program that includes:

    • 1.1

      Establishment of the information resource metrics to be monitored;

    • 1.2

      Establishment of a methodology for monitoring and a methodology for the assessments that support such monitoring;

    • 1.3

      Ongoing security control assessments in accordance with the university's continuous monitoring strategy;

    • 1.4

      Ongoing security status monitoring of university-defined metrics in accordance with the university's continuous monitoring strategy;

    • 1.5

      Correlation and analysis of security-related information generated by assessments and monitoring;

    • 1.6

      Response actions to address results of the analysis of security-related information; and

    • 1.7

      Annual reporting of the security status of the university and its information resources to the Chief Information Officer and the President.

  • 2

    The CISO, in consultation with information resource owners, shall also ensure that risk monitoring is an integral part of the continuous monitoring strategy and that it includes the following:

    • 2.1

      Effectiveness monitoring;

    • 2.2

      Compliance monitoring; and

    • 2.3

      Change monitoring.