SECTION 1. Policy Statement
- Objective
This policy provides guidance and structure for the University to implement a sound information technology security program for the University.
- Information Technology Security Strategy Policy
- Each campus and institute CIO/DTL is responsible for approving an Information Technology Security Program Strategy (Strategy) as developed by their designated CISO/DISL.
- The campus or institute CISO/DISL is responsible for creating, maintaining, and implementing the Strategy, including procedures and guidance documents that:
  - Document the implementation strategies and steps for compliance with the Center for Internet Security (CIS) Critical Security Controls (CSC) Implementation Group 1 (IG1) at a minimum.
  - Document the proposed implementation strategies and steps for compliance with the CIS CSC Implementation Group 2 by January 1, 2027, and Implementation Group 3 by January 1, 2029.
  - Document the implementation strategies and steps for compliance with other security frameworks as needed per contractual requirements.
  - Identify and assign the security responsibilities, including who is responsible for evaluating and accepting risk at each campus and institute.
  - Have campus/institute senior management approval.
- The campus or institute CIO/DTL will document an annual review of its Strategy, including procedures, best practices, and guidelines based on risk management principles and categorization of the University Data. Reference System-wide Policies IT0004 – Information Technology Risk Assessment and IT0005 – Data Categorization for guidance on establishing a risk-based approach and categorization of Data respectively.
- A documented implementation workplan must accompany each campus or institute Strategy that includes scope, timelines of implementation and risk evaluation and mitigation, and must include a clear explanation of how the Data and System categorization process is integrated into the Strategy.
- Exceptions
The University’s Chief Information Officer is authorized to grant exceptions to the University’s Information Technology Policies. Campus or institute CIOs/DTLs are authorized to grant exceptions to campus or institute processes and procedures.
SECTION 2. Reason for the Policy
This policy establishes the requirements for developing and maintaining an Information Technology Security Program Strategy for the University of Tennessee in support of System-wide Policy: IT0001 – General Statement on Information Technology Policy. All Users must familiarize themselves with System-wide Policy: IT0001.
SECTION 3. Scope and Application
This policy applies to all Users of IT Resources owned, operated, or provided by the University of Tennessee, including its campuses, institutes, and administration (University and/or campuses).
SECTION 4. Procedures
Each campus/institute will adopt procedures to implement the controls necessary to adhere to this policy.
SECTION 5. Definitions
See IT0001 – General Statement on Information Technology Policy for definitions of terms.
SECTION 6. Penalties/Disciplinary Action for Non-Compliance
Any violation of this policy may subject the User to discipline as a violation of one or more provisions of the general standard of conduct in the student handbook or to discipline under the Code of Conduct (HR0580 – Code of Conduct) in the Human Resources Policy and Procedures.
The University may temporarily or permanently remove access to its information technology Resources if an individual violates this policy.
SECTION 7. Responsible Official & Additional Contacts
| Subject Matter | Office Name | Telephone Number | Email/Web Address |
|---|---|---|---|
| Policy Clarification and Interpretation | System Chief Information Officer and System Chief Information Security Officer | (865) 974-4810 or (865) 974-0637 | |
| Policy Training | System Chief Information Security Officer | (865) 974-0637 | |
SECTION 8. Policy History
SECTION 9. Related Policies/Guidance Documents
- University Policies
  - IT0001 – General Statement on Information Technology Policy
  - IT0002 – Acceptable Use of Information Technology Resources
  - IT0004 – Information Technology Risk Management
  - IT0005 – Data and Computer System Categorization
  - IT0014 – Security Awareness Training Management
  - IT0017 – Information Technology Incident Response Management
  - IT0102 – Information Technology Asset Management
  - IT0311 – Information Technology Data Access, Management, and Recovery
  - IT0506 – Information Technology Account and Credential Management
  - IT1318 – Information Technology Network Monitoring and Defense and Penetration Testing
  - IT1516 – Information Technology Service Provider Management Application Software Security Management
  - IT4912 – Information Technology Secure Configuration Management
  - IT7810 – Information Technology Vulnerability Management, Audit Log Management, and Malware Defense
- Center for Internet Security Critical Security Controls Navigator https://www.cisecurity.org/controls/cis-controls-navigator/