Policies, Guides, Plans & Procedures

Each type of document listed below has a different target audience within UTC; specifically, those who support the organization (management team), the business process (operations), and the information systems (technical team).  Collectively the documents represent the University of Tennessee's Information Security Risk Management Framework.  

Policies

Current University Information Technology policies can be found at  http://policy.tennessee.edu/it_policy/  

Guides

Guides support policy and University standards, consist of recommended practices, and serve as a reference when no applicable policy is in place.  Guides are not mandatory requirements; however, they do expand on policy and may fill in the policy gaps to clarify the UTC security stance where no specific standard applies.

The following UTC-specific IT Security guides align with approved UT policy (or UT policy being developed):

Plans

The following plans provide more detailed guidance for employees in response to specific threats or events:

Procedures

Procedures are the set of instructions for employees to carry out University policy.  While policies consist of a set of controls for security best practices, a procedure specifies how to implement these controls in a step-by-step fashion.  Information System owners are responsible for ensuring their department procedures are documented, reviewed annually, updated, and available to all department personnel. 

Standards

Standards ensure information security consistency across the University of Tennessee campuses and institutes and consist of specific controls that help enforce and support the various information security policies.  UT draws from the National Institute of Standards and Technology (NIST) Computer Security Special Publications 800 Series.  For more information please visit:

http://csrc.nist.gov/publications/PubsSPs.html

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf