
Policies - Monitoring Policy

At minimum, the Chief Information Security Officer must ensure:

  • that network traffic and use of Information Resources are monitored as authorized by applicable law and only for purposes of fulfilling mission-related duties;
  • that server and network logs are reviewed manually or through automated processes on a scheduled basis, based on Risk and regulation, to ensure that Information Resources containing Confidential Data are not being inappropriately accessed;
  • that vulnerability assessments are performed annually, at minimum, to identify software and configuration weaknesses within information systems;
  • that an annual, professionally administered and reported external network penetration test is performed, leveraging peer institution resources where possible;
  • that results of log reviews, vulnerability assessments, penetration tests, and IT audits are available to the ISO and that required remediation is implemented; and
  • that all security monitoring is executed in accordance with the Network Monitoring Guidelines.
policies/monitoring_policy.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1
