SECTION 1. Policy Statement
- Objective
This policy provides guidance and structure for the University to establish appropriate control mechanisms for securing the University Information Technology Networks and to create a Penetration Testing process.
- IT Network Monitoring and Defense Policy
The Central IT Department must communicate the requirements and processes for IT Network monitoring and defense to the campus community annually to engage campus communities and individuals in the shared responsibility of secure monitoring and defense. In all cases within this policy where the Central IT Department is required to create a process to implement an IT security control, training and guidance must also be provided to the campus or institute community related to the control itself and the associated process.
Implementation Group 2 and 3 Controls
Note that Implementation Group 2 (IG2) controls are not required to be implemented until January 1, 2027, and Implementation Group 3 (IG3) by January 1, 2029.
- The Central IT Department will create a process for IT Network monitoring and defense that includes:
- Centralized security event alerting across the University’s Assets for log correlation and analysis (IG2).
- Deployment of a host-based intrusion detection solution on the University’s Assets, where appropriate and/or supported (IG2).
- Deployment of an IT Network intrusion detection solution on the University’s Assets, where appropriate (IG2).
- Traffic filtering between the University’s IT Network segments, where appropriate (IG2).
- The ability to manage access control for the University’s Assets remotely connecting to the University’s Resources (IG2) and to determine the amount of access to the University’s Resources based on:
- Up-to-date anti-malware software installed.
- Configuration compliance with the University’s secure configuration process.
- Ensuring the operating system and applications are up to date.
- Collection of IT Network traffic flow logs and/or IT Network traffic from the University’s IT Network devices for review and alerting (IG2).
- Deployment of a host-based intrusion prevention solution on the University’s Assets, where appropriate and/or supported (IG3).
- Deployment of an IT Network intrusion prevention solution, where appropriate (IG3).
- Deployment of port-level access control. Port-level access control utilizes 802.1x, or similar IT Network access control protocols, such as certificates, and may incorporate User and/or device authentication (IG3).
- Application layer filtering (IG3).
- Tuning of security event alerting thresholds monthly at a minimum (IG3).
- Penetration Testing Policy
The Central IT Department must communicate the requirements and processes for penetration testing to their campus community annually to engage in the shared responsibility of penetration testing. In all cases within this policy where the Central IT Department is required to create a process to implement an IT security control, training and guidance must also be provided to the campus or institute community related to the control itself and the associated process.
Implementation Group 2 and 3 Controls
Note that Implementation Group 2 (IG2) controls are not required to be implemented until January 1, 2027, and Implementation Group 3 (IG3) by January 1, 2029.
- The campus or institute CISO/DISL will establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the University (IG2). Penetration testing program characteristics include:
- Scope, such as IT Network, web application, Application Programming Interface (API), hosted IT services, and physical premise controls.
- Frequency.
- Limitations, such as acceptable hours, and excluded attack types.
- Point of contact information.
- Remediation, such as how findings will be routed internally.
- Retrospective requirements.
- The campus or institute CISO/DISL will create a process to perform periodic external penetration tests based on program requirements, no less than annually (IG2).
- External penetration testing must include University and environmental reconnaissance to detect exploitable information.
- Penetration testing requires specialized skills and experience and must be conducted through a qualified party.
- The testing may be clear box or opaque box. Clear box testing is a method that gives the tester access to the code of a product, while opaque box testing focuses on the external behavior of a product without considering its internal workings.
- The Central IT Department will create a process(es) to:
- Remediate penetration test findings based on the University’s policy for remediation scope and prioritization (IG2).
- Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing (IG3).
- Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box (IG3).
- Exceptions
The University’s Chief Information Officer is authorized to grant exceptions to the University’s Information Technology Policies. Campus or institute CIOs/DTLs are authorized to grant exceptions to campus or institute processes and procedures.
SECTION 2. Reason for the Policy
This policy establishes the requirements for Information Technology Network monitoring and defense and penetration testing as described in CIS Control 13 (Network Monitoring and Defense) and CIS Control 18 (Penetration Testing) for the University of Tennessee in support of System-wide Policy: IT0001 – General Statement on Information Technology Policy. All Users must familiarize themselves with System-wide Policy: IT0001.
SECTION 3. Scope and Application
This policy applies to all Users of IT Resources owned, operated, or provided by the University of Tennessee, including its campuses, institutes, and administration (University and/or campuses).
SECTION 4. Procedures
Each campus/institute will adopt procedures related to this policy.
SECTION 5. Definitions
See IT0001 – General Statement on Information Technology Policy for definitions of terms.
SECTION 6. Penalties/Disciplinary Action for Non-Compliance
Any violation of this policy may subject the User to discipline as a violation of one or more provisions of the general standard of conduct in the student handbook or to discipline under the Code of Conduct (HR0580 – Code of Conduct) in the Human Resources Policy and Procedures.
The University may temporarily or permanently remove access to its information technology Resources if an individual violates this policy.
SECTION 7. Responsible Official & Additional Contacts
| Subject Matter | Office Name | Telephone Number | Email/Web Address |
| --- | --- | --- | --- |
| Policy Clarification and Interpretation | System Chief Information Officer and System Chief Information Security Officer | (865) 974-4810 or (865) 974-0637 | |
| Policy Training | System Chief Information Security Officer | (865) 974-0637 | |
SECTION 8. Policy History
Revision 1:
SECTION 9. Related Policies/Guidance Documents
- University Policies
- IT0001 – General Statement on Information Technology Policy
- IT0002 – Acceptable Use of Information Technology Resources
- IT0003 – Information Technology Security Program Strategy
- IT0004 – Information Technology Risk Management
- IT0005 – Data Categorization
- IT0014 – Security Awareness Training Management
- IT0017 – Information Technology Incident Response Management
- IT0102 – Information Technology Asset Management
- IT0311 – Information Technology Data Access, Management, and Recovery
- IT0506 – Information Technology Account and Credential Management
- IT1516 – Information Technology Service Provider Management Application Software Security Management
- IT4912 – Information Technology Secure Configuration Management
- IT7810 – Information Technology Vulnerability Management, Audit Log Management, and Malware Defense
- Center for Internet Security Critical Security Controls Navigator https://www.cisecurity.org/controls/cis-controls-navigator/