Policies, Standards, Guides and Procedures
Each section and the associated documents listed below have a different target audience within UTC: those who support the organization (the management team), the business process (operations), or the information system (the technical team). Collectively the different types of documents represent the University of Tennessee's Information Security Risk Management Framework:
- A University Media Protection policy may state, for example, that all media must be adequately protected during its life cycle.
- A Media Sanitization standard would build upon the above policy by requiring UTC and other campuses and institutes to sanitize information system media, both digital and non-digital, prior to disposal, reuse, or when it is transferred out of UTC's control. The standard references the National Institute of Standards and Technology (NIST) Special Publication 800-53 Media Sanitization security control MP-6.
- A supporting Media Sanitization guideline would explain the best practices for sanitizing media prior to transfer, including requirements for properly erasing data.
- A Media Sanitization procedure would provide step-by-step instructions for the Information Technology technician performing the sanitization task to ensure compliance with the associated policy, standards and guidelines.
Each level of the framework supports the levels above it.
An information security policy consists of high-level statements relating to the protection of information across the university and should be produced by senior management.
Policy outlines security roles and responsibilities, defines the scope of information to be protected, and provides a high-level description of the controls that must be in place to protect information. Policy should reference the standards and guidelines that support it. UTC may have a single encompassing policy, or several specific policies that target different areas, such as an email policy or an acceptable use policy.
Current University Information Technology policies can be found at http://policy.tennessee.edu/it_policy/
| Policy # | Subject | Effective Date |
|---|---|---|
| IT0110 | Acceptable Use of Information Technology Resources | 3/11/2015 |
| IT0115 | Information and Computer System Classification | 11/1/2015 |
| IT0120 | Secure Network Infrastructure | 3/11/2015 |
| IT0121 | Information Security Program Creation, Implementation, and Maintenance | 10/1/2014 |
| IT0122 | Security Incident Reporting and Response | 10/1/2014 |
| IT0123 | Security Awareness, Training, and Education | 10/1/2014 |
| IT0127 | Audit and Accountability | 10/16/2015 |
| IT0129 | Physical and Environmental Protection | 10/16/2015 |
The following NIST security areas are under review and development into UT policy:
- Access Controls
- Assessment & Authorization
- Media Protection
- Personnel Security
- System & Communications Protection
- System & Information Integrity
- System & Services Acquisition
- Identification & Authentication
- System Maintenance
Standards ensure information security consistency across the University of Tennessee campuses and institutes and consist of specific controls that help enforce and support the various information security policies. Standards include security controls relating to the implementation of specific technology, hardware or software. For example, a password standard may set out rules for password complexity.
UT Standards are under development and will be posted here as they are approved. For more information about the NIST Computer Security Special Publications 800 Series and standards please visit:
Guidelines support standards and serve as a reference when no applicable standard is in place and consist of recommended practices. They are not mandatory requirements. They may consist of additional recommended controls that further support a standard, or help fill in the gaps where no specific standard applies. For example, a standard may require passwords to be 8 characters or more, whereas a supporting guideline may state that it is best practice to also ensure the password expires after 90 days. In another example, a standard may require specific technical controls for accessing the internet securely and a separate guideline may outline the best practices for using the internet and managing your online presence.
The following are current, UTC-approved IT Security guides:
The following UTC security guide is pending approval:
Procedures consist of instructions to assist workers in implementing the various policies, standards and guidelines. While policies, standards and guidelines consist of security best practices, a procedure specifies how to implement these controls in a step-by-step fashion. For example, a procedure could be written to explain how to install Windows securely, detailing each step that needs to be taken to harden/secure the operating system so that it satisfies the applicable policy, standards and guidelines.
Department Information Security Liaisons are responsible for ensuring their department and/or system security procedures are documented, reviewed annually, updated, and available to all department personnel.