IT Security Program Essentials
The Chief Information Security Officer (CISO) serves as the Director IT Security and is responsible for oversight of information systems security at the University of Tennessee Chattanooga. The CISO is an advocate for UTC’s total information security needs and is responsible for the development and delivery of a comprehensive information security strategy to optimize the security posture of the university.
There are three noteworthy facets of the UTC IT Security Program:
- Program Management
- Network Defense
- Incident Response
The IT Security and Projects Office concentrates on the human side of the "firewall" against threats, which involves policy, procedure, systems security plans and training. The CISO maintains the IT Campus Security Program plan and a cycle of continuous improvement. In addition to the campus security plan, the CISO collaborates with departments (identified to be higher risk to the university) to implement more comprehensive individualized Systems Security Plans.
The UTC Information Security Office monitors the university networks for malicious activity. Information Security will use these network monitoring capabilities to notify individuals and university units of systems where problems are detected. We will not investigate monitored data at the level of an individual user, but will investigate at the individual level when an appropriate triggering event occurs on our security systems (such as the antivirus system). Authorized investigators include Information Security Office staff and also IT Professionals in the units where an event is triggered.
Data Retention Limits
Data from security systems and network monitoring systems will be maintained for a maximum of one year unless otherwise required by law. Any retention of data beyond the maximum of one year will require a revision to policy per the regular policy process.
At some point, someone will click on an email link or on an advertisement to their favorite Internet site and unintentionally download malicious software (i.e., malware) onto their UTC computer. Sometimes when that happens, the malware begins scanning the UTC computer and starts sending chunks of data to its mother computer back home in a foreign country far, far away. UTC network engineers monitor that type of activity and disable the UTC network switch port connected to the computer. Unaware of what just happened, the UTC computer user can no longer get email, access the Internet or connect to their shared folder of department files, so they contact Client Services.
Client Services issues a service order to pick up the UTC computer and remove the malware. The process allows for computer forensics to be performed on images of computers that are suspected of transferring data. Forensic reports are issued and archived, and IT will review the incident and provide awareness training.
In addition to the above, the information security initiative includes:
- IT Security Advisory Team (ISAT). As the name implies, the ISAT advises the CISO and senior leadership on matters of information security policy, threat, risk, vulnerability, response, training and the overarching security program plan of action. The ISAT is comprised of a core team to address infosec issues on an ongoing basis. Also, expanded ad hoc teams are created to focus on specific issues.
- Security Liaisons. Some UTC departments have been categorized as a higher risk due to their critical systems operations, sensitive information and/or compliance requirements. Higher risk to information resources implies greater impact to the university should their systems be compromised. These departments have assigned Security Liaisons to work with the security team(s) to help implement the stricter System Security Plans that will strengthen their departments' security stance.
- UT Statewide Administration Security Community of Practice (UTSA Security CoP). The IT Security CoP provides input directly to the Statewide IT Committee on priorities as they relate to the IT security strategy of the university. The Security CoP ensures that the Statewide IT Committee has the information it needs on security priorities, best practices, and standards to make decisions concerning IT Priorities & Investments; IT Applications; overall policies and standards; and common data and business processes. These decisions are essential to achieving the ultimate objectives of Statewide IT governance, which are:
  - Alignment of IT and University strategy
  - Delivery of value by IT to the University
  - Responsible use of IT resources
  - Management of IT-related risks
  - Measurement of IT performance
The Security Community of Practice seeks a balance of autonomy between campus/institute and system on IT security standards, processes, and best practices. This balance shall ensure that each campus/institute’s unique needs are met within the framework of the University’s security posture.