An Information Security program must be sponsored from the highest levels of an organization in order to be effective and sustainable. It must address the Confidentiality, Integrity and Availability of information regardless of how that information is handled, processed, transported or stored. UTC's Information Security Program draws from the National Institute of Standards and Technology (NIST) Risk Management Framework and from University of Tennessee state-wide initiatives to address the risks, benefits and processes involved with all of UTC's information resources.
Chief Information Officer (CIO)
The Chief Information Officer is responsible for UTC's entire Information Technology portfolio, including authority over the Information Security program and accountability for the performance and effectiveness of its program management.
Senior Information Security Officer (SISO)
UTC's Senior Information Security Officer has the primary responsibility to carry out the CIO's security program plan. The SISO:
- Maintains UTC's Information Security Program.
- Incorporates industry-accepted security standards, guidelines, policy and control techniques.
- Coordinates the development, review, and acceptance of system security plans with system and information owners.
- Promotes Information Security awareness.
- Ensures that personnel with expanded system responsibilities (e.g. system administrators) are trained in security best practices.
IT Information Security Advisory Team (ISAT)
The InfoSec Advisory Team is a dynamic, multifaceted team whose goal is to strengthen UTC's security posture against persistent threats:
- Core Team: Michael Dinkins (SISO, Chair), Dr. Mike Ward (Forensics), Jeff Kell (Network Security Architect), Ron Baker (Client Services), David Bean (UTSA Information Security Analyst). The ISAT Core meets regularly to address current security issues, plan new initiatives and monitor program progress.
- Extended ISAT: Ad hoc teams are formed to address specific InfoSec issues (e.g. incidents and response, security plan initiatives, the Security Awareness program, IT Administrator Training).
- Security Liaisons: Select departments and organizations have assigned a security representative who brings security-related issues to the attention of the ISAT and assists with security-related tasks so that the department remains in compliance with its System Security Plan. Liaisons also help promote Information Security awareness within their own organization.
Information System Owner
The Information System Owner is the person responsible for the procurement, development, integration, modification and/or operation and maintenance of a system. The System Owner may or may not be the Information Owner. The System Owner works with the SISO and the Information Owners to develop and maintain the security plan for each individual system.
Information Owner
The Information Owner is the person with authority over specified information and is responsible for establishing the controls governing its creation, collection, processing, transfer and disposal. The Information Owner may or may not be the System Owner. The Information Owner works with the SISO and the System Owner to establish rules for the appropriate use and protection of the information, the controls needed to protect it, and the availability of and access to the information resources.
IT Security Community of Practice (CoP)
UT Chattanooga participates in the University of Tennessee's state-wide IT Security Community of Practice (CoP). The IT Security CoP (no pun intended) provides input directly to the Statewide IT Committee on priorities as they relate to the IT security strategy of the university. It comprises the Senior Information Security Officers of the various UT campuses and institutes, who ensure that the Statewide IT Committee has the information it needs on security priorities, best practices and standards to make decisions concerning IT Priorities & Investments; IT Applications; overall policies and standards; and common data and business processes. These decisions are essential to achieving the ultimate objectives of Statewide IT governance, which are:
- Alignment of IT and University strategy
- Delivery of value by IT to the University
- Responsible use of IT resources
- Management of IT-related risks
- Measurement of IT performance
The Security CoP seeks to strike a balance of autonomy between the campuses/institutes and the UT System on IT security standards, processes and best practices. This balance ensures that each campus/institute's unique needs are met within the framework of the University's overall security posture.
ISO Senior Security Analyst
The UT State-wide Administration's Information Security Office (ISO) has assigned a Senior Security Analyst to work onsite at UTC with the SISO and the security team(s) in a consultative role. The analyst (ISA) provides direct input to the UTC SISO and the UTC InfoSec Advisory Team on security matters originating at the UT System level, e.g. external penetration testing, internal vulnerability testing, and assessments of UT state-wide systems operating at multiple campuses.