Skip to main content

Audit and Accountability Policy

Version 1.0

Purpose

The purpose of this policy is to ensure best practices are followed for auditing the University’s IT Resources through the implementation, monitoring, management, and retention of auditable data.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • University Information Security Office (UISO) must approve the methods of implementing, monitoring, managing, and retaining auditable data.
  • The University’s Information Technology (IT) departments must develop an approved documented program for the monitoring, management, and review of IT Resources and User activities.
  • University’s Information Technology (IT) departments must develop approved standards and processes to guide the implementation and management of audit logs per Logging Standards Policy.
  • University’s Information Technology (IT) departments must retain audit logs that meet University retention requirements.
  • The audit logs must be consistent with University policies, applicable laws, regulations, and contracts, see the IT Policies library.

Definitions

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO
Approval Date: March 30, 2020

Revision History

Version: Date: Description:
1.0 03/30/2020 Initial document

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to UISO written policies may be met with University sanctions.