Intrusion Detection Policy

1.0 Overview
This policy provides policies to establish intrusion detection and security monitoring to protect resources and data on the organizational network. It provides guidelines about intrusion detection implementation of the organizational networks and hosts along with associated roles and responsibilities.

2.0 Purpose
This policy is designed both to protect the confidentiality of any data that may be stored on the mobile computer and to protect the organizational network from being infected by any hostile software when the mobile computer returns. This policy also considers wireless access.

3.0 Scope
This policy covers every host on the organizational network and the entire data network including every path that organizational data may travel that is not on the internet. Paths covered by this policy even include organizational wireless networks. Other policies cover additional security needs of the organizational network and systems.

4.0 Objectives

  1. Increase the level of security by actively searching for signs of unauthorized intrusion.
  2. Prevent or detect the confidentiality of organizational data on the network.
  3. Preserve the integrity of organizational data on the network.
  4. Prevent unauthorized use of organizational systems.
  5. Keep hosts and network resources available to authorized users.
  6. Increase security by detecting weaknesses in systems and network design early.

5.0 Requirements

  1. All systems accessible from the internet or by the public must operate IT approved active intrusion detection software during anytime the public may be able to access the system.
  2. All systems in the DMZ must operate IT approved active intrusion detection software.
  3. All host based and network based intrusion detection systems must be checked on a daily basis and their logs reviewed.
  4. All intrusion detection logs must be kept for a minimum or 30 days.

6.0 Notification

  1. Any suspected intrusions, suspicious activity, or system unexplained erratic behavior discovered by administrators, users, or computer security personnel must be reported to the organizational IT computer security office within 1 hour.

7.0 Roles

  1. The intrusion detection team shall:
    1. Monitor intrusion detection systems both host based and network based.
    2. Check intrusion detection logs daily.
    3. Determine approved intrusion detection systems and software.
    4. Report suspicious activity or suspected intrusions to the incident response team.
  2. The incident response team shall:
    1. Act on reported incidents and take action to minimize damage, remove any hostile or unapproved software, and recommend changes to prevent future incidents. Action shall be based on the approved incident response plan.