UTC's Information Security Program draws from the National Institute of Standards and Technology (NIST) Risk Management Framework and from University of Tennessee state-wide initiatives to address the risks, benefits and processes involved with all of UTC's information resources. IT Security addresses the confidentiality, integrity and availability (C-I-A) of information regardless of how it is handled, processed, transported or stored.
Chief Information Officer (CIO)
The Chief Information Officer is responsible for UTC's entire Information Technology portfolio, including authority over the Information Security program and the performance and effectiveness of its program management.
Chief Information Security Officer (CISO)
UTC's Chief Information Security Officer has the primary responsibility to carry out the CIO's security program plan. The CISO:
- Maintains UTC's Information Security Program.
- Incorporates industry-accepted security standards, guidelines, policy and control techniques.
- Coordinates the development, review, and acceptance of system security plans with system and information owners.
- Promotes Information Security awareness.
- Ensures personnel with expanded system responsibilities are trained in security best practices.
IT Information Security Advisory Team (ISAT)
The InfoSec Advisory Team is a dynamic, multifaceted team with the goal of strengthening UTC's security stance against persistent threats:
- Core Team: Michael Dinkins (CISO, Chair), Dr. Mike Ward (Forensics), Christopher Howard (Network Security Architect), Tony Parsley (Client Services). The ISAT Core meets monthly to address current security issues, plan new initiatives and monitor InfoSec program progress.
- Extended ISAT: Ad hoc teams are formed to address specific InfoSec issues (e.g., incidents and response, security plan initiatives, the Security Awareness program, IT Administrator Training).
- Security Liaisons: Select departments/organizations have assigned a security representative to bring security-related issues to the attention of the ISAT and assist in security-related tasks to ensure departmental System Security Plan compliance. Liaisons help promote Information Security awareness within their organization.
The information system owner is the person responsible for the procurement, development, integration, modification and/or operation and maintenance of the system. The System Owner may or may not be the Information Owner. The System Owner works with the CISO and Information Owners to develop and maintain individual system security plans.
The information owner is the person of authority for specified information and is responsible for establishing the controls for its creation, collection, processing, transfer, and disposal. The Information Owner may or may not be the System Owner. The Information Owner works with the CISO and System Owner to establish rules for appropriate use and protection of information, appropriate controls to protect the information, and the availability of or accessibility to information resources.
IT Security Community of Practice (CoP)
UT Chattanooga participates in the University of Tennessee's state-wide IT Security Community of Practice (CoP). The IT Security CoP (no pun intended) provides input directly to the Statewide IT Committee on priorities as they relate to the IT security strategy of the university. It is composed of Senior Information Security Officers from the various UT campuses and institutes, and they ensure that the Statewide IT Committee has the information it needs on security priorities, best practices, and standards to make decisions concerning IT Priorities & Investments; IT Applications; overall policies and standards; and common data and business processes. These decisions are essential to achieving the ultimate objectives of Statewide IT governance, which are:
- Alignment of IT and University strategy
- Delivery of value by IT to the University
- Responsible use of IT resources
- Management of IT-related risks
- Measurement of IT performance
The Security CoP seeks to establish a balance of autonomy between campus/institute and system on IT security standards, processes, and best practices. This balance shall ensure that each campus/institute’s unique needs are met within the framework of the University’s security posture.
The Information Security Analyst (ISA) provides direct input to the UTC CISO and the UTC InfoSec Advisory Team on matters pertaining to risk and vulnerability in the UTC departments. The ISA is the primary assessor who works with the departments to locate Social Security Numbers and Credit Cards on storage devices, and who performs security best practice reviews in the offices.