Policies, Standards & Guides
Each type of document listed below has a different target audience within UTC; specifically, those who support the organization (management team), the business process (operations), and the information systems (technical team). Collectively the documents represent the University of Tennessee's Information Security Risk Management Framework.
All users of UTC's information technology resources must read, understand and follow the Rules of Behavior and Acceptable Use Policy.
UT policies that establish University best practices for using information technology can be found at http://policy.tennessee.edu/it_policy/, or you can read each published UT Policy here:
- IT0110 - Acceptable Use of Information Technology Resources
- IT0115 - Information and Computer System Classification
- IT0120 - Secure Network Infrastructure
- IT0121 - Information Security Plan Creation, Implementation, & Maintenance
- IT0122 - Security Incident Reporting & Response
- IT0123 - Security Awareness, Training & Education
- IT0124 - Risk Assessment
- IT0125 - Configuration Management
- IT0126 - Accessibility
- IT0127 - Audit and Accountability
- IT0128 - Contingency Planning
- IT0129 - Physical and Environmental Protection
- IT0130 - Personnel Security
- IT0131 - Security Assessment and Authorization
- IT0132 - Identification & Authentication
- IT0133 - Security Planning
- IT0134 - System & Communication Protection
- IT0135 - System and Information Integrity
Standards support University policy and consist of campus-recommended practices. They also serve as campus policy when no UT policy is in place. Standards expand on policy and may fill in the gaps to clarify UTC's Information Technology security stance. The following are links to UTC-specific standards.
- Acceptable Use
- Information & Computer System Classification
- Secure Network
- Security Incident Response & Reporting
- Security Awareness, Training & Education
- Risk Assessment
- Audit and Accountability
- Contingency Planning
- Physical & Environmental Protection
- Personnel Security
- Security Assessment & Authorization
- Identification & Authentication
- System & Communication Protection
- System & Information Integrity
The following are links to available UTC-specific Standards for UT policies that are planned, under review, but not yet approved.
The following are links to available UTC-specific Guides.
- UTC IT Security Program Plan (upon request via CISO)
- Cybersecurity Incident Response Plan
- Data Storage Guide
- Identity Theft Prevention Program Guide
- Guidelines for Handling Paper-based University Data
While policies consist of a set of controls for security best practices at UTC, a procedure specifies how to implement these controls in a step-by-step fashion. Information System owners are responsible for ensuring their department procedures are documented, reviewed annually, updated, and available to all department personnel.