Policies, Guides, Plans & Procedures

Each type of document listed below has a different target audience within UTC; specifically, those who support the organization (management team), the business process (operations), and the information systems (technical team).  Collectively the documents represent the University of Tennessee's Information Security Risk Management Framework.  

Policies

All users of UTC's information technology resources must read, understand and follow the Rules of Behavior and Acceptable Use Policy.

Additional policies that establish University best practices for using information technology can be found at  http://policy.tennessee.edu/it_policy/  

Guides

Guides support University policy and standards, consist of recommended practices, and serve as a reference when no applicable policy is in place.  Guides are not mandatory requirements; however, they do expand on policy and may fill in the gaps to clarify UTC's security stance where no specific standard applies.  The following are links to UT policy and associated UTC-specific guides.

  • UT Policy IT0110  - Acceptable Use of Information Technology Resources
    • UTC Guide: Refer to UT Policy IT0110

  • UT Policy IT0115  -  Information and Computer System Classification
    • UTC Guide:  IT0115-G

  • UT Policy IT0120  -  Secure Network Infrastructure
    • UTC Guide:  IT0120-G

  • UT Policy IT0121 -  Information Security Plan Creation, Implementation, & Maintenance
    • UTC Guide:  IT0121-G

  • UT Policy IT0122 -  Security Incident Reporting & Response
    • UTC Guide:  Cybersecurity Incident Response Plan

  • UT Policy IT0123 - Security Awareness, Training & Education
    • UTC Guide:  IT0123-G

  • UT Policy IT0124 -  Risk Assessment
    • UTC Guide:  IT0124-G

  • UT Policy IT0125 -  Configuration Management
    • UTC Guide:  IT0125-G

  • UT Policy IT0126  -  Accessibility
    • UTC Guide: Refer to UT Policy IT0126

  • UT Policy IT0127 - Audit and Accountability
    • UTC Guide:  IT0127-G

  • UT Policy IT0128 -  Risk Assessment
    • UTC Guide:  IT0128-G

  • UT Policy IT0129 - Physical and Environmental Protection
    • UTC Guide:  IT0129-G

  • UT Policy IT0130 - Personnel Security
    • UTC Guide:  IT0130-G

  • UT Policy IT0131 - Security Assessment and Authorization
    • UTC Guide:  IT0131-G

 

DRAFT GUIDES.  The following are links to available Guides for UT policies that are planned or under review, but not yet approved.

  • UT Policy IT0XXX - System and Information Integrity
    • UTC Guide:  System & Information Integrity Guide

  • UT Policy IT0XXX - Media Protection
  • UT Policy IT0XXX - System and Services Acquisition
    • UTC Guide: System and Services Acquisition Guide

  • UT Policy IT0XXX - System Maintenance

 

MISCELLANEOUS GUIDES.  The following are links to available UTC-specific Guides.

    • UTC Data Storage Guide

    • ID Theft Prevention Program Guide

 

Procedures

While policies consist of a set of controls for security best practices at UTC, a procedure specifies how to implement these controls in a step-by-step fashion.  Information System owners are responsible for ensuring their department procedures are documented, reviewed annually, updated, and available to all department personnel. 

Standards

Standards ensure consistency across the University of Tennessee campuses and institutes and consist of specific controls that help enforce and support the various information security policies.  UT draws from the National Institute of Standards and Technology (NIST) Computer Security Special Publications 800 Series.  For more information, please visit:

http://csrc.nist.gov/publications/PubsSPs.html

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf