Policies, Standards & Guides

Each type of document listed below has a different target audience within UTC; specifically, those who support the organization (management team), the business process (operations), and the information systems (technical team).  Collectively the documents represent the University of Tennessee's Information Security Risk Management Framework.  


All users of UTC's information technology resources must read, understand and follow the Rules of Behavior and Acceptable Use Policy.

UT policies that establish University best practices for using information technology can be found at  http://policy.tennessee.edu/it_policy/, or you can read each published UT Policy here:

  • IT0110  - Acceptable Use of Information Technology Resources
  • IT0115  - Information and Computer System Classification
  • IT0120 - Secure Network Infrastructure
  • IT0121  - Information Security Plan Creation, Implementation, & Maintenance
  • IT0122 - Security Incident Reporting & Response
  • IT0123 - Security Awareness, Training & Education
  • IT0124 - Risk Assessment
  • IT0125 - Configuration Management
  • IT0126 - Accessibility
  • IT0127 - Audit and Accountability
  • IT0128 - Contingency Planning
  • IT0129 - Physical and Environmental Protection
  • IT0130 - Personnel Security
  • IT0131 - Security Assessment and Authorization
  • IT0132 - Identification & Authentication
  • IT0133 - Security Planning
  • IT0134 - System & Communication Protection 
  • IT0135 - System and Information Integrity



Standards support University policy and consist of campus-recommended practices.  They also serve as campus policy  when no UT policy is in place.  Standards expand on policy and may fill in the gaps to clarify UTC's Information Technology security stance .  The following are links to UTC-specific standards.  

The following are links to available UTC-specific Standards for UT policies that are planned,  under review, but not yet approved.



The following are links to available UTC-specific Guides.



While policies consist of a set of controls for security best practices at UTC, a procedure specifies how to implement these controls in a step-by-step fashion.  Information System owners are responsible for ensuring their department procedures are documented, reviewed annually, updated, and available to all department personnel.