IT0127 – Audit and Accountability
Objective:
To establish an Audit and Accountability Policy for managing risk and implementing best practices with regard to the creation and the retention of audit evidence.
Scope:
This policy applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee including its campuses, institutes, and administration (University and/or Campuses).
“Users” includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University’s information technology resources.
Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties.
Principles:
The University has chosen to adopt the policy principles established in the National Institute of Standards (NIST) 800 series of publications, and this policy is based on those guidelines.
The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority). The Position of Authority should be at a high enough organizational level to allow him/her to speak with authority on and for the Campus.
Each Campus must develop or adopt and adhere to a program that demonstrates compliance with this policy and related standards. This program is the responsibility of the Position of Authority.
Each User of University resources is required to be familiar and comply with University policies. Acceptance of this policy is assumed if a User accesses, uses, or handles University IT resources.
Policy:
The University Information Technology organizations must develop or adopt and adhere to a formal documented program for the monitoring, management, and review of system, application, network, and user activity. Standards and procedures must be developed to guide the implementation and management of audit controls and records. Audit records must be retained to meet University retention requirements.
All policy related standards and procedures must be consistent with applicable laws, regulations, and guidance. This policy and all associated standards and procedures as well as their implementation effectiveness must be reviewed periodically and updated as needed.
References:
- NIST Special Publication 800-53
- University of Tennessee Statewide Controls Baseline
- University of Tennessee Records Management Policy FI0120
Last Reviewed: October 14, 2015