The Chief Information Security Officer (CISO) serves as the Director of IT Security and is responsible for oversight of information systems security at the University of Tennessee Chattanooga. The CISO is an advocate for UTC’s total information security needs and is responsible for developing and delivering a comprehensive information security strategy that optimizes the security posture of the university.
IT Security Program Essentials
The Mission of the information security office is to:
- Provide usable security policies, guidelines and best practices under a program of cyclic, continuous improvement.
- Increase computer user awareness of persistent threats.
- Provide meaningful security training for users and organizations.
- Assist and consult UTC organizations in developing, implementing and maintaining system security plans.
- Preserve the Confidentiality, Integrity and Availability (C-I-A) of university or personal information.
- Provide timely response to security events and incidents.
There are three noteworthy facets of the UTC IT Security Program:
- Program Management
- Network Defense
- Incident Response
Information Security Program Management
The IT Security & Projects Office concentrates on the human side of the "firewall" against threats, which involves policy, procedure, systems security plans, training, etc. The CISO maintains the IT Campus Security Program plan under a cycle of continuous improvement. In addition to the campus security plan, the CISO collaborates with departments identified as higher risk to the university to implement more comprehensive, individualized Systems Security Plans.
Some time, somewhere, someone will click on an email link or on an advertisement at their favorite Internet site and unintentionally download malicious software (i.e. malware) onto their UTC computer. Sometimes when that happens the malware begins scanning the UTC computer and starts sending chunks of data to its mother computer back home in a foreign country far, far away. UTC network engineers monitor that type of activity and, as soon as they can determine what is going on, they disable the UTC network switch port connected to the computer. Unaware of what just happened, the UTC computer user can no longer get email, get on the Internet, or connect to their shared folder of department files, so they contact Client Services. Client Services issues a service order to pick up the UTC computer and remove the malware. The process allows for computer forensics to be performed on images of computers suspected of transferring data. Forensic reports are issued and archived, and the appropriate parties are informed of the results. A team of IT and security staff then visits the department to review the incident and provide awareness training.
In addition to the above, the information security initiative includes:
- IT Security Advisory Team (ISAT). As the name implies, the ISAT advises the CISO and senior leadership on matters of information security policy, threat, risk, vulnerability, response, training and the overarching security program plan of action. The ISAT consists of a core team that addresses infosec issues on an ongoing basis; expanded ad hoc teams are also created to focus on specific issues.
- Security Liaisons. Some UTC departments have been categorized as higher risk due to their critical systems operations, sensitive information and/or compliance requirements. Higher risk to information resources implies greater impact to the university should their systems be compromised. These departments have assigned Security Liaisons who work with the security team(s) to help implement the stricter System Security Plans that will strengthen their departments' security stance.
- UT Statewide Administration Security Community of Practice (UTSA Security CoP). The IT Security CoP provides input directly to the Statewide IT Committee on priorities as they relate to the IT security strategy of the university. The Security CoP ensures that the Statewide IT Committee has the information it needs on security priorities, best practices, and standards to make decisions concerning IT Priorities & Investments; IT Applications; overall policies and standards; and common data and business processes. These decisions are essential to achieving the ultimate objectives of Statewide IT governance, which are:
  - Alignment of IT and University strategy
  - Delivery of value by IT to the University
  - Responsible use of IT resources
  - Management of IT-related risks
  - Measurement of IT performance
The Security Community of Practice seeks a balance of autonomy between campus/institute and system on IT security standards, processes, and best practices. This balance shall ensure that each campus/institute’s unique needs are met within the framework of the University’s security posture.