SECTION 1. Policy Statement
- Objective
This policy provides guidance and structure for the University to implement a sound information technology security program for the University.
- Information Technology Security Strategy Policy
- Each campus and institute CIO/DTL is responsible for approving an Information Technology Security Program Strategy (Strategy) as developed by their designated CISO/DISL.
- The campus or institute CISO/DISL is responsible for creating, maintaining, and implementing the Strategy, including procedures and guidance documents that:
- Documents the implementation strategies and steps for compliance with the Center for Internet Security (CIS) Critical Security Controls (CSC) Implementation Group 1 (IG1) at a minimum.
- Documents the proposed implementation strategies and steps for compliance with the CIS CSC Implementation Group 2 by January 1, 2027, and Implementation Group 3 by January 1, 2029.
- Documents the implementation strategies and steps for compliance with other security frameworks as needed per contractual requirements.
- Identifies and assigns the security responsibilities including who is responsible for evaluating and accepting risk at each campus and institute.
- Has campus/institute senior management approval.
- The campus or institute CIO/DTL will document an annual review of its Strategy, including procedures, best practices, and guidelines based on risk management principles and categorization of the University Data. Reference System-wide Policies IT0004 – Information Technology Risk Assessment and IT0005 – Data Categorization for guidance on establishing a risk-based approach and categorization of Data respectively.
- A documented implementation workplan must accompany each campus or institute Strategy that includes scope, timelines of implementation and risk evaluation and mitigation, and must include a clear explanation of how the Data and System categorization process is integrated into the Strategy.
- Exceptions
The University’s Chief Information Officer is authorized to grant exceptions to the University’s Information Technology Policies. Campus or institute CIOs/DTLs are authorized to grant exceptions to campus or institute processes and procedures.
SECTION 2. Reason for the Policy
This policy establishes the requirements for developing and maintaining an Information Technology Security Program Strategy for the University of Tennessee in support of System-wide Policy: IT0001 – General Statement on Information Technology Policy. All Users must familiarize themselves with System-wide Policy: IT0001.
SECTION 3. Scope and Application
This policy applies to all Users of IT Resources owned, operated, or provided by the University of Tennessee, including its campuses, institutes, and administration (University and/or campuses).
SECTION 4. Procedures
Each campus/institute will adopt procedures to implement the controls necessary to adhere to this policy.
SECTION 5. Definitions
See IT0001 – General Statement on Information Technology Policy for definitions of terms.
SECTION 6. Penalties/Disciplinary Action for Non-Compliance
Any violation of this policy may subject the User to discipline as a violation of one or more provisions of the general standard of conduct in the student handbook or to discipline under the Code of Conduct (HR0580 – Code of Conduct) in the Human Resources Policy and Procedures.
The University may temporarily or permanently remove access to its information technology Resources if an individual violates this policy.
SECTION 7. Responsible Official & Additional Contacts
| Subject Matter | Office Name | Telephone Number | Email/Web Address |
| --- | --- | --- | --- |
| Policy Clarification and Interpretation | System Chief Information Officer and System Chief Information Security Officer | (865) 974-4810 or (865) 974-0637 | |
| Policy Training | System Chief Information Security Officer | (865) 974-0637 | |
SECTION 8. Policy History
SECTION 9. Related Policies/Guidance Documents
- University Policies
- IT0001 – General Statement on Information Technology Policy
- IT0002 – Acceptable Use of Information Technology Resources
- IT0004 – Information Technology Risk Management
- IT0005 – Data and Computer System Categorization
- IT0014 – Security Awareness Training Management
- IT0017 – Information Technology Incident Response Management
- IT0102 – Information Technology Asset Management
- IT0311 – Information Technology Data Access, Management, and Recovery
- IT0506 – Information Technology Account and Credential Management
- IT1318 – Information Technology Network Monitoring and Defense and Penetration Testing
- IT1516 – Information Technology Service Provider Management Application Software Security Management
- IT4912 – Information Technology Secure Configuration Management
- IT7810 – Information Technology Vulnerability Management, Audit Log Management, and Malware Defense
- Center for Internet Security Critical Security Controls Navigator https://www.cisecurity.org/controls/cis-controls-navigator/
Policy Details:
IT0003 – Information Technology Security Program Strategy
Version: 1 // Effective: January 23, 2025
Related Policies:
IT0001 – General Statement on Information Technology Policy
HR0580 – Code of Conduct
IT0002 – Acceptable Use of Information Technology Resources
IT0004 – Information Technology Risk Management
IT0005 – Data Categorization
IT0014 – Information Technology Security Awareness Training Management
IT0017 – Information Technology Incident Response Management
IT0102 – Information Technology Asset Management
IT0311 – Information Technology Data Access, Management, and Recovery
IT0506 – Information Technology Account and Credential Management
IT1318 – Information Technology Network Monitoring and Defense and Penetration Testing
IT1516 – Information Technology Service Provider Management and Application Software Security Management
IT4912 – Information Technology Secure Configuration Management
IT7810 – Information Technology Vulnerability Management, Audit Log Management, and Malware Defense Policy