OIA Routine System Monitoring Practices

Learn about routine monitoring practices conducted by IT Services and the Office of Information Assurance.

Notice and Scope

In accordance with the University of California’s Electronic Communications Policy (ECP §5.B) and in support of transparency of operations, the information provided here documents, for members of the UC San Diego community, the “routine monitoring practices” of IT Services in general and the Office of Information Assurance (OIA) specifically.

Managing and Securing Digital Services

With the exception of incident investigation, managing and securing digital services does not require access to what the ECP defines as digital content. Where access may seem to be necessary (for example, when examining email to remove spam or block phishing attempts), automated systems are used and content rarely needs to be examined by members of ITS or vendor staff. Where services are provided by a third party, and thus information may be hosted by that third party (for example Google, Proofpoint, or Zoom), the University negotiates explicit protections for both the privacy and security of University data and service usage data about members of the UC San Diego community. Vendors are not granted a license or access to our data beyond what they need to provide the service. Negotiating these requirements consumes more time and effort than any other part of the procurement process. You can find the baseline templates for UC agreements at https://www.ucop.edu/procurement-services/policies-forms/index.html. The thoroughness of this process is why the university recommends using university-licensed services over personally acquired or consumer services such as Gmail or Dropbox.

Access to Operational Data

While the information generated by specific services is generally only available to the staff responsible for supporting that service, OIA also uses this information to monitor for intrusions that our automated systems cannot detect or to perform detailed investigations when malicious activity is identified or suspected. This data is treated with the highest level of confidentiality, and even within OIA not every member of the staff has access to the broadest set of data. Data will only be provided outside of the office as required or allowed by law and policy. Our staff understands that access to this information is a privilege, and while necessary to perform our duties, abuse of this access would be met with immediate removal of access and possibly dismissal. The length of time for which data is retained is minimized and varies depending on the value the data brings to incident response as well as the practical issue of storing large data sets. Currently (3/2020) our retention period for data used for security purposes is 60 days, while some networking and vendor-stored data is retained for up to one year.

Summary

In summary, routine monitoring at UC San Diego includes but is not limited to the following manual or automated activities:

  1. Scanning for vulnerabilities on systems and applications

  2. Scanning for viruses and other malware

  3. Scanning most administrative systems for limited forms of PII

  4. Scanning for insecure configurations including aged patch levels, default passwords, open ports, proxies and relays, and digital certificates

  5. Monitoring system, network, and application logs including URL interactions as needed to respond to phishing campaigns

  6. Monitoring network traffic and systems to detect anomalies, such as spikes in usage or evidence of malware activity

    1. Includes receiving and responding to automated alerts

    2. Includes monitoring in response to a specific security risk or reports of anomalous activity

  7. Monitoring system availability and tracking the utilization of system resources and network bandwidth usage to manage the resources and ensure that bandwidth is available in alignment with the University’s mission

  8. Logging username, date/time and system information for campus provided services

  9. Inspecting transactional information as one step in the process of resolving complaints regarding violations of law or policy, or in response to a specific security risk

  10. Checking for personal identity information (PII) in response to established triggers

User consent is not required for this routine system monitoring. For questions pertaining to this statement please email ciso@ucsd.edu.