IT0121 – Information Security Plan Creation, Implementation, and Maintenance


To establish policy for developing and maintaining an information security program at The University of Tennessee.


This policy applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee including its campuses, institutes, and administration (University and/or Campuses).

“Users” includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University’s information technology resources.

Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties.


The University has chosen to adopt the policy principles established in the National Institute of Standards (NIST) 800 series of publications, and this policy is based on those guidelines.

The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority). The Position of Authority should be at a high enough organizational level to allow him/her to speak with authority on and for the Campus.

Each Campus must develop or adopt and adhere to a program that demonstrates compliance with this policy and related standards. This program is the responsibility of the Position of Authority.

Each User of University resources is required to be familiar and comply with University policies. Acceptance of this policy is assumed if a User accesses, uses, or handles University IT resources.


  1. General Policy
    1. The University IT Security Community of Practice shall create information technology (IT) security policies that provide guidance to the campuses on the implementation of an IT security program based on the National Institute of Standards and Technology (NIST) Risk Management Framework.
    2. Each campus and institute is responsible for creating, approving, maintaining, and implementing:
      1. An information security plan based on the National Institute of Standards and Technology (NIST) Risk Management Framework.
      2. Procedures, plans, and guidelines that document the implementation strategies and steps for compliance with university policy.
    3. Each campus information security plan and documented procedures shall contain the following at a minimum:
      1. Identification and assignment of related security responsibilities including who is responsible for accepting risk at each campus and institute.
      2. A description of the baseline controls in place or planned for meeting the security requirements.
      3. Interconnecting systems and related Interconnection Security Agreements (ISAs).
      4. Campus senior management approval.
    4. Each campus shall periodically review its information security plan and documented procedures based on the risk and classification of the information and/or system.
    5. A documented implementation strategy must accompany each campus information security plan including elements such as scope, timelines of implementation, risk evaluation, and a clear explanation of the proposed information and system categorization process.
  2. Exceptions
    1. Requests for exceptions to system IT Security Policies must be submitted in writing to the campus Chief Information Officer or their designee, who will approve or deny the request for an exception.
    2. All exceptions must be kept on file with the Chief Information Officer or their designee.
  3. Review
    1. All IT Security policies must be reviewed at least annually and approved by the IT Security Community of Practice.

Note: The data breach notification requirements are defined in the Security Incident Reporting and Response Policy.


  1. NIST 800-53 “Recommended Security Controls for Federal Information Systems and Organizations”

Last Reviewed: January 13, 2016