Audit and Accountability Policy
Version 1.0
Purpose
The purpose of this policy is to ensure best practices are followed for auditing the University’s IT Resources through the implementation, monitoring, management, and retention of auditable data.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- University Information Security Office (UISO) must approve implementing, monitoring, managing, and retaining auditable data.
- The University’s Information Technology (IT) departments must develop an approved documented program for monitoring, managing, and reviewing IT Resources and User activities.
- University’s Information Technology (IT) departments must develop approved standards and processes to guide the implementation and management of audit logs per Logging Standards Policy.
- University’s Information Technology (IT) departments must retain audit logs that meet University retention requirements.
- The audit logs must be consistent with University policies, applicable laws, regulations, and contracts (see the IT Policies library.
Definitions
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Related Policies and Procedures
- Change Control Policy
- Logging Standards Policy
- Log Review Policy
- Records Retention and Disposal Policy
Implementation Information
| Review Frequency: | Biennial |
|---|---|
| Responsible Person: | Director, IT Risk and Data Integrity |
| Approved By: | CISO |
| Approval Date: | March 30, 2020 |
Revision History
| Version: | Date: | Description: |
| 1.0 | 03/30/2020 | Initial document |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to UISO written policies may be met with University sanctions.