UCSC ITS Routine System Monitoring Practices

I. Routine system monitoring activities

Authorized UCSC ITS employees and contracted service providers who operate and support UCSC electronic communications resources routinely monitor those resources for the purpose of ensuring their integrity, reliability and security. Routine monitoring at UC Santa Cruz includes but is not limited to the following manual or automated activities:

1. Scanning for vulnerabilities on systems and applications
2. Scanning for viruses and other malware
3. Scanning for insecure configurations in support of UC Minimum Security Standard, including aged patch levels, default passwords, open ports, proxies and relays, and digital certificates
4. Monitoring system, network, and application logs as defined in UCSC’s Log Procedures
5. Monitoring network traffic and systems to detect anomalies, such as spikes in usage or evidence of malware activity.
   1. Includes receiving and responding to automated alerts
   2. Includes monitoring in response to a specific security risk or reports of anomalous activity
6. Monitoring system availability and tracking the utilization of system resources and network bandwidth usage to manage the resources and ensure that bandwidth is available in alignment with the University’s mission
7. Logging userid, date/time and system information about ResNet users’ network connections. These records are used to ensure the security and operation of ResNet as well as to respond to copyright infringement notices.
8. Inspecting transactional information as one step in the process of resolving complaints regarding violations of law or policy, or in response to a specific security risk
9. Checking for personally identifiable information (PII) in response to established triggers. See UCSC PII Inventory and Security Breach Procedures, Section IV.B.3, for details.
   1. The System Steward and affected data owners shall be notified prior to performing a scan and where possible shall be informed of scan results indicating the potential presence of PII.
   2. Scan results must be properly protected and disposed of.
10. For computers managed with IBM Endpoint Manager software, routine monitoring includes computer hardware and software information, including details of computer configuration and settings, and diagnostic information for troubleshooting. All routine monitoring of this information, both automated and manual, is for the purposes of managing the computer and troubleshooting computer problems.
11. Other routine monitoring may also be documented in individual service level agreements.

Except as indicated above, user consent is not required for this routine system monitoring.

II. Related policies and principles

The UC Electronic Communications Policy (UC ECP) establishes conditions under which personnel who perform routine monitoring, as described above, may observe or inspect the contents of network traffic, electronic communications, or transactional information during this monitoring. In all cases, individuals must adhere to the following principles:

1. Only authorized personnel who have a need to access this data and who understand the restrictions on its use shall have access to it.
2. Routine monitoring activities shall be limited to the least perusal and retention required to ensure the reliability and security of systems.
3. Except as provided in the UC ECP or by law, individuals will not seek out the contents of network traffic, electronic communications, or transactional information where not germane to the foregoing purposes, or disclose or otherwise use what they have observed. If in the course of their duties, authorized personnel inadvertently discover or suspect improper activity in violation of law or policy, such violations should be reported to management or the Whistleblower Office.
4. If it is necessary to examine suspect electronic communications records beyond routine practices, the user’s consent must be obtained. If obtaining prior consent is not possible or practical, authorization and notification procedures consistent with the UC ECP must be followed.

-----------------

Rev. 8/1/14