IT0311 – Information Technology Data Access, Management, and Recovery

SECTION 1. Policy Statement

  1. Objective
    This policy provides guidance and structure for the University to complete sound Data inventory, categorization, protection, handling, and disposal practices, including backup and recovery of University Data, as well as business continuity guidance.
  2. Data Access Policy
    The Central IT Department will create a process for Data Owners and/or Data Stewards to approve access to University Data to ensure that access is authorized, that protections are properly applied, and that authorized access complies with all applicable federal and state laws, University Policies, and procedures. In all cases within this policy where the Central IT Department is required to create a process to implement an IT security control, training and guidance must also be provided to the campus or institute community related to the control itself and the associated process.
    1. Access to University Data must be granted following the principle of least privileged access which allows for access to the fewest data types required to perform job functions.
    2. The Central IT Department will create storage standards to protect against unauthorized access to, or loss of, University Data. All University Data will be stored in accordance with these standards.
    3. Only Authorized Users will have access to Protected University Data.
      1. Data Owners maintain authority over the collection and use of the associated Data relevant to their functional role and responsibility. Only Data Owners, or their appointed Data Stewards, may authorize access to Protected University Data.
      2. Data Users must only access or attempt to access Data that they are authorized to use.
      3. Data Users must understand the categorization of the Data (reference System-wide Policy: IT0005 – Data Categorization for more information on Data categorization) they are accessing and are responsible for ensuring the security and privacy of the associated Protected University Data by using reasonable measures to prevent access by unauthorized users.
      4. External Third Parties (IT Service providers) must ensure that only authorized employees and/or contractors have access to Protected University Data in accordance with the Data being shared via contractual agreement.
    4. Data Users Will Use Protected University Data Responsibly
      1. Data Users must responsibly use Data to which they have access, including only using the Data for its intended purposes and respecting the privacy of members of the University community.
      2. Data Users and IT Service providers must maintain the confidentiality and integrity of Data in accordance with all applicable laws, regulations, and University Policies.
      3. Authorized access to Protected University Data does not imply authorization for copying, further dissemination of Data, or any use other than the use for which the employee was authorized.
    5. External IT Service Provider Access
      1. Access to Protected University Data by external parties will be governed by individual contractual agreements or memoranda of understanding.
      2. Such agreements will be vetted and approved by the University approved signature authority per campus and institute and by the appropriate Data Owner or their appointed Data Steward(s).
    6. Unauthorized Disclosure of Protected University Data
      1. Unauthorized access to, or disclosure of, Protected University Data must be reported to the campus or institute CISO/DISL immediately according to the campus’s Incident Reporting procedure.
      2. All University personnel must fully cooperate with the Incident Response Team to quickly address the situation and minimize risk to the University.
  3. Data Management Policy

The Central IT Department must communicate the requirements and processes for Data management to the campus community annually to engage campus communities and individuals in the shared responsibility of Data management. This includes an explanation of the roles (Data Owner, Data Custodian, Data Steward) and who is assigned each role for the University’s Data. The campus community will follow the requirements and processes for Data management defined by Central IT Department. In all cases within this policy where the Central IT Department is required to create a process to implement an IT security control, training and guidance must also be provided to the campus or institute community related to the control itself and the associated process.

  1. Data Inventory
    1. The Central IT Department will create a process for the campus community to conduct an inventory of University Data, including Data located on cloud-based services, on an annual basis.
      1. All Data must be categorized according to System-wide Policy: IT0005 – Data Categorization.
      2. All Data must be assigned a Data Owner, Data Steward, and a Data Custodian.
      3. All Protected University Data must be marked accordingly in the Data inventory.
      4. The Data Inventory must include the system(s) that store, process, and/or transmit the Data type.
      5. Data with specific Data retention needs that are outside those defined in University Policy FI0120 – Records Management must be labeled accordingly.
    2. All Data Owners must contact The Central IT Department upon the creation of, or obtaining, Protected University Data to ensure the Data is tracked within the inventory. The Data Steward and Data Custodian of Protected University Data must also be documented with the Central IT Department.
  2. Data Categorization
    1. The Data Owner is responsible for providing the categorization of the University Data that they are accountable for. The categorization information must be communicated to the Data Steward, the Data Custodian, the Data Users, and the Central IT Department.
    2. The Central IT Department will create a process to:
      1. Establish and enforce labels for Protected University Data.
      2. Review Data categorization labels and their usage on an annual basis.
    3. The Central IT Department must communicate the existence and nature of the Data types to the campus community annually to engage campus communities and individuals in the shared responsibility of Data security.
  3. Data Protection
    1. The Central IT Department must ensure standards and processes are in place to restrict access to University Resources in accordance with a user’s need to know. The Data Custodian must ensure access is configured according to the requirements for the Data that they are responsible for.
    2. The Central IT Department will create a process to encrypt Protected University Data on all Systems both at rest and in transit.
  4. Data Handling
    1. The Central IT Department will create a process for Data retention that adheres to University Policy FI0120 – Records Management. The Data Owner is responsible for ensuring that University retention policies are met.
    2. All Data and documents must be preserved for the appropriate amount of time as dictated by regulatory, legal, and business requirements.
    3. All Data Users are required to adhere to the security controls related to the Data they have access to.
  5. Data Disposal for Protected University Data
    1. The Central IT Department, or other authorized parties, must sanitize Data based on the specified retention timeframes in University Policy FI0120 – Records Management.
    2. All Data Owners, Stewards, Custodians, and Data Users are required to contact the Central IT Department before disposing of Protected University Data.
    3. The Central IT Department will create a process to safely sanitize all electronic media including portable media (e.g., solid state drives (SSDs), digital video discs (DVDs), universal serial bus (USB) Data storage devices), hard disc drives (HDDs), and tape cartridges of Protected University Data.
    4. Data on IT Service Providers (e.g., cloud services) must be disposed of by first requesting the appropriate methods to permanently delete Data stored in their Systems, and then performing those actions according to the received instructions. The Data Owner is responsible for ensuring that the contract with all IT Service Providers includes provisions to meet this requirement.
  6. Implementation Group 2 and 3 Controls
    Note that Implementation Group 2 (IG2) controls are not required to be implemented until January 1, 2027, and Implementation Group 3 (IG3) by January 1, 2029.
    1. The Central IT Department will create a process to establish and maintain an overall categorization scheme for the University (IG2).
      1. Campuses may use labels and categorize their Data according to those labels; and,
      2. Review and update the categorization scheme annually, or when significant University changes occur that could impact this Safeguard.
    2. The Central IT Department will create a process to document the Data Flows (IG2) related to Protected University Data. The process will include the following:
      1. Data Flow documentation including IT Service Provider Data Flows that is based on the University’s Data management process; and,
      2. Documentation review and update annually, or when significant University changes occur that could impact this safeguard.
    3. The Central IT Department will create a process(es) to:
      1. Encrypt Data on removable media (IG2).
      2. Encrypt Protected University Data in transit. Example implementations can include Transport Layer Security (TLS) and Open Secure Shell (OpenSSH) (IG2).
      3. Encrypt Protected University Data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard (IG2).
      4. Segment Data processing and storage based on the sensitivity of the Data (IG2). University Employees (Employee) must not process Protected University Data on University Systems intended for lower-sensitivity Data.
      5. Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool, to identify all Protected University Data stored, processed, or transmitted through the University’s Resources, including those located onsite or at a remote IT Service Provider, and update the University’s Protected University Data inventory (IG3).
      6. Log Protected University Data access, including modification and disposal (IG3).
  7. Data Recovery Policy

The Central IT Department must communicate the requirements and processes for Data recovery to the campus community annually to engage campus communities and individuals in the shared responsibility of Data recovery. In all cases within this policy where the Central IT Department is required to create a process to implement an IT security control, training and guidance must also be provided to the campus or institute community related to the control itself and the associated process.

  1. The Central IT Department will provide guidance on business continuity and disaster recovery strategies for all Systems that contain Data that meet the following availability and criticality criteria. Each category listed below will have different guidelines established for the business continuity and disaster recovery strategy.
    1. Business Impact Nominal – Data is unavailable over 2 weeks with minimal to no impact on organizational operations, organizational Assets, or individuals.
    2. Business Impact Low – Data is unavailable for 72 hours to 2 weeks and it could be expected to have an adverse effect on organizational operations, organizational Assets, or individuals.
    3. Business Impact High – Data is unavailable for 72 hours or less and it could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational Assets, or individuals.
    4. Business Impact Critical – Data is related to control Systems that support the University, but if subverted, could be life-threatening to University Employees, students, and others using University facilities (e.g., attending athletic events).
  2. The Data Owner is accountable for determining the Data recovery requirements of the Data that they are responsible for and communicating that information to the Central IT Department or departmental IT contacts.
  3. The Central IT Department will create a process for performing University Data recovery activities for Data on Systems that meet the criteria in Section 1(a)-(c) above.
    1. This process must be documented and approved.
    2. At a minimum, the University Data recovery processes must be reviewed on an annual basis or following changes that drastically increase the risk within the University.
    3. The Central IT Department must identify personnel to handle specific aspects of the University Data-recovery process.
    4. The process must include Data recoverability and backup restore testing procedures.
  4. The Central IT Department must analyze whether IT Service Providers used by the University are effectively backing up University Data, and whether that Data must be considered within the University Data Recovery Plan as defined in this policy. The analysis will include confirming that the appropriate language is included in the IT Service Provider contract.
  5. The Central IT Department will create a process to back up University Data according to the documented Data recovery process.
    1. Automated tools must be used to meet University Data backup objectives. Automated backups must be performed on a weekly basis, or more frequently.
    2. University Data should be retained in accordance with the Data retention schedule outlined in the FI0120 – Records Management Policy.
    3. Access controls must be used to prevent backups from being accessed or modified in an unauthorized manner.
    4. Where practical, ensure all backups are deleted in accordance with the University Data destruction requirements of this Policy.
    5. Included in the process are the guidelines for periodic backup restorability testing.
    6. The Central IT Department must maintain immutable offsite backups of University Data. Backup Data or the recovery Systems can only be accessible from a secure, controlled IT Network.
  6. During a Security Incident, reference the System-wide Policy IT0017 – Information Technology Incident Response Management Policy.

Implementation Group 2 and 3 Control

Note that Implementation Group 2 (IG2) controls are not required to be implemented until January 1, 2027, and Implementation Group 3 (IG3) by January 1, 2029.

7. The Central IT Department will create a process to test backup recovery quarterly, or more frequently, for a sampling of in-scope University Systems (IG2).

V. Exceptions

The University’s Chief Information Officer is authorized to grant exceptions to the University’s Information Technology Policies. Campus or institute CIOs/DTLs are authorized to grant exceptions to campus or institute processes and procedures.

SECTION 2. Reason for the Policy

This policy establishes the requirements for information technology Data management and Data recovery as described in CIS Control 3 (Data Protection) and CIS Control 11 (Data Recovery) for the University of Tennessee in support of System-wide Policy: IT0001 – General Statement on Information Technology Policy. All Users must familiarize themselves with System-wide Policy: IT0001.

SECTION 3. Scope and Application

This policy applies to all Users of IT Resources owned, operated, or provided by the University of Tennessee, including its campuses, institutes, and administration (University and/or campuses).

SECTION 4. Procedures

Each campus/institute will adopt procedures related to this policy.

SECTION 5. Definitions

See IT0001 – General Statement on Information Technology Policy for definitions of terms.

SECTION 6. Penalties/Disciplinary Action for Non-Compliance

Any violation of this policy may subject the User to discipline as a violation of one or more provisions of the general standard of conduct in the student handbook or to discipline under the Code of Conduct (HR0580 – Code of Conduct) in the Human Resources Policy and Procedures.

The University may temporarily or permanently remove access to its information technology Resources if an individual violates this policy.

SECTION 7. Responsible Official & Additional Contacts

| Subject Matter | Office Name | Telephone Number | Email/Web Address |
| --- | --- | --- | --- |
| Policy Clarification and Interpretation | System Chief Information Officer and System Chief Information Security Officer | (865) 974-4810 or (865) 974-0637 | cio@tennessee.edu or iso@tennessee.edu |
| Policy Training | System Chief Information Security Officer | (865) 974-0637 | iso@tennessee.edu |

SECTION 8. Policy History

Revision 1:

SECTION 9. Related Policies/Guidance Documents

  1. University Policies
    1. IT0001 – General Statement on Information Technology Policy
    2. IT0002 – Acceptable Use of Information Technology Resources
    3. IT0003 – Information Technology Security Program Strategy
    4. IT0004 – Information Technology Risk Management
    5. IT0005 – Data Categorization
    6. IT0014 – Security Awareness Training Management
    7. IT0017 – Information Technology Incident Response Management
    8. IT0102 – Information Technology Asset Management
    9. IT0506 – Information Technology Account and Credential Management
    10. IT1318 – Information Technology Network Monitoring and Defense and Penetration Testing
    11. IT1516 – Information Technology Service Provider Management Application Software Security Management
    12. IT4912 – Information Technology Secure Configuration Management
    13. IT7810 – Information Technology Vulnerability Management, Audit Log Management, and Malware Defense
  2. Center for Internet Security Critical Security Controls Navigator https://www.cisecurity.org/controls/cis-controls-navigator/

Policy Details:

IT0311 – Information Technology Data Access, Management, and Recovery
Version: 1 // Effective: January 23, 2025