that network traffic and use of Information Resources is monitored as authorized by applicable law and only for purposes of fulfilling the mission-related duty;
server and network logs are reviewed manually or through automated processes on a scheduled basis based on Risk and regulation to ensure that Information Resources containing Confidential Data are not being inappropriately accessed;
vulnerability assessments are performed annually, at minimum, to identify software and configuration weaknesses within information systems;
an annual, professionally administered and reported external network penetration test is performed, leveraging peer institution resources, where possible;
that results of log reviews, vulnerability assessments, penetration tests, and IT audits are available to the ISO and that required remediation is implemented; and
all security monitoring shall be executed in accordance with the Network Monitoring Guidelines.