This policy establishes the University’s general cybersecurity framework, roles and responsibilities for university constituents as they relate to information technology policies and procedures, the University’s rights, and definitions for terms used throughout System-wide information technology policies.

This policy establishes the guidelines and expectations for the acceptable use of the University’s Information Technology Assets, Systems, Resources, and Data.

This policy provides guidance and structure for the University to implement a sound information technology security program for the University.

This policy provides guidance and structure for the University to establish a risk-based Information Technology Security Program Strategy for the University.

This policy provides guidance and structure for the University to properly categorize the University’s Data to ensure that the appropriate controls are in place to provide the most effective protections.

The University of Tennessee (UT) strives to deploy information, materials, and technology that have been designed, developed, or procured to be accessible to individuals with disabilities, including those who use assistive technologies.

This policy provides guidance and structure to the University to establish an information technology security awareness program strategy that enhances the ability to recognize threats and react accordingly.

This policy provides guidance and structure for the University to develop and maintain a thorough written incident response plan that includes a written process for Users to report incidents and guidance for security issues that cross multiple campus and institute boundaries.

This policy provides guidance and structure for the University to create and maintain sound processes for procuring, identifying, tracking, maintaining, and disposing of all University Information Technology Assets.

This policy provides guidance and structure for the University to complete sound Data inventory, categorization, protection, handling, and disposal practices, including backup and recovery of University Data, as well as business continuity guidance.

This policy provides guidance and structure for the University to establish User Account lifecycle management and inventory processes of University accounts used for access to University Information Technology Resources. This will include guidelines for credential creation and issuance, account and credential usage, modifying access, and account termination.

This policy provides guidance and structure for the University to establish appropriate control mechanisms for securing the University Information Technology Networks and to create a Penetration Testing process.

This policy provides guidance and structure for the University to establish an IT Service Provider program that manages inventory, classifies each IT Service Provider, ensures that IT Service Provider contracts include security requirements, and securely decommissions IT Service Providers. This policy also provides guidance and structure for University to establish and maintain a secure application development process including a process to accept and address reports of software vulnerabilities.

This policy provides guidance and structure for the University to establish configuration guidelines for University Assets, as well as cloud platforms deployed for University use.

This policy provides guidance and structure for the University to establish sound processes for performing Vulnerability Management, for performing threat and vulnerability monitoring, for creation and maintenance of audit logs, and for installation of anti-malware software on all University Assets.