POLICIES, STANDARDS, GUIDES AND PROCEDURES
Each section listed below, along with its associated documents, has a different target audience within UTC, i.e. those who support the organization (management team), the business process (operations), or the information system (technical team). Collectively the different types of documents represent the University of Tennessee's Information Security Risk Management Framework:
- A University Media Protection policy may state, for example, that all media must be adequately protected during its life cycle.
- The National Institute of Standards and Technology (NIST) Special Publication 800-53 is a standard that includes a Media Sanitization security control, MP-6. This control builds upon the above policy by requiring UTC to sanitize information system media, both digital and non-digital, prior to disposal, reuse, or when it is transferred out of UTC's control.
- A supporting Media Sanitization guideline would explain the best practices for sanitizing media prior to transfer, including requirements for properly erasing data.
- A Media Sanitization procedure would provide step-by-step instructions for the Information Technology technician performing the sanitization task to ensure compliance with the associated policy, standards and guidelines.
Each level of the framework supports the levels above it.
An information security policy consists of high-level statements relating to the protection of information across the university and should be produced by senior management.
Policy outlines security roles and responsibilities, defines the scope of information to be protected, and provides a high-level description of the controls that must be in place to protect information. Policy should reference the standards and guidelines that support it. UTC may have a single encompassing policy, or several specific policies that target different areas, such as an email policy or acceptable use policy.
Current University policies can be found at:
The following University policies are pending approval:
- System Security Planning Policy 20140616.docx
- Information Security Management Policy 20140616.docx
- Security Incident Policy 20140616.docx
- Security Budget and Resources Policy 20140616.docx
- Security Awareness, Training, and Education Policy 20140616.docx
- Life Cycle Management Policy 20140616.docx
- Contingency Planning and DR Policy 20140616.docx
Policies addressing the following NIST categories of controls are being drafted:
- Access Controls
- Audit and Accountability
- Assessment & Authorization
- Configuration Management
- Media Protection
- Physical & Environmental Protection
- Personnel Security
- Risk Assessment
- System & Communications Protection
- System & Information Integrity
Standards consist of specific low-level controls that help enforce and support the information security policy. The University of Tennessee has adopted the NIST computer security Risk Management Framework. Standards help to ensure security consistency across the University's campuses and institutes and contain security controls relating to the implementation of specific technology, hardware or software. For example, a password standard may set out rules for password complexity and a Windows standard may set out the rules for hardening Windows clients.
For more information about NIST Controls please visit: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
For more information about the NIST Computer Security Special Publications 800 Series please visit: http://csrc.nist.gov/publications/PubsSPs.html
Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
Guidelines should be viewed as best practices that are not usually requirements, but are strongly recommended. They could consist of additional recommended controls that support a standard, or help fill in the gaps where no specific standard applies. For example, a standard may require passwords to be 8 characters or more and a supporting guideline may state that it is best practice to also ensure the password expires after 30 days. In another example, a standard may require specific technical controls for accessing the internet securely and a separate guideline may outline the best practices for using the internet and managing your online presence.
The following are approved UTC security guides:
The following UTC security guide is pending approval:
Procedures consist of instructions to assist workers in implementing the various policies, standards and guidelines. While policies, standards and guidelines consist of the controls that should be in place, a procedure specifies how to implement these controls in a step-by-step fashion. For example, a procedure could be written to explain how to install Windows securely, detailing each step that needs to be taken to harden/secure the operating system so that it satisfies the applicable policy, standards and guidelines.
Department Information Security Liaisons are responsible for ensuring department/system security procedures are documented, reviewed annually, updated, and available to all department personnel.