SECTION 1. Policy Statement
- Objective
This policy provides guidance and structure for the University to establish an IT Service Provider program that manages inventory, classifies each IT Service Provider, ensures that IT Service Provider contracts include security requirements, and securely decommissions IT Service Providers. This policy also provides guidance and structure for University to establish and maintain a secure application development process including a process to accept and address reports of software vulnerabilities. - Information Technology Service Provider Management Policy
The Central IT Department must communicate the requirements and processes for Information Technology (IT) Service Provider management to the campus community annually to engage campus communities and individuals in the shared responsibility of secure IT Service Provider management. In all cases within this policy where the Central IT Department is required to create a process to implement an IT security control, training and guidance must also be provided to the campus or institute community related to the control itself and the associated process.- The Central IT Department, in coordination with the Procurement and Contracts Offices, will create a process to complete and maintain an inventory of IT Service Provider that includes:
- Name of IT Service Provider.
- Signature authority for the contract.
- Business Unit or Units leveraging the platform.
- IT Service Provider classifications as defined by the Central IT Department that demonstrate the level of trust with each vendor in their use.
- Point of contact for IT Service Provider.
- Point of contact within the University managing the IT Service Provider relationship.
- Requirement that the IT Service Provider inventory be reviewed and updated annually, or when IT Service Provider changes occur.
- Data on the IT Service Provider platform and the respective Data Owners.
- The Central IT Department will create a process to classify each IT Service Provider according to attributes such as:
- Business function.
- Geographical location.
- Data sensitivity.
- Data volume.
- Availability requirements.
- Applicable regulations.
- Inherent risk or mitigated risk.
- Nature of the deployment of the service.
- The Central IT Department, in coordination with the Procurement and Contracts Offices, will create a process to complete and maintain an inventory of IT Service Provider that includes:
Implementation Group 2 and 3 Controls
Note that Implementation Group 2 (IG2) controls are not required to be implemented until January 1, 2027, and Implementation Group 3 (IG3) by January 1, 2029.
- The Central IT Department will create a procedure to establish formal IT Service Provider management (IG2) that includes:
- Classification, inventory, assessment, monitoring, and decommissioning of IT Service Providers.
- Review and update the policy annually.
- The Central IT Department will create a process for classification considerations of IT Service Providers to include one or more characteristics, such as Data sensitivity, Data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. The process will also include update and review of classifications annually.
- The Central IT Department will create a process, in collaboration with the Procurement Office, to ensure IT Service Provider contracts and Data usage agreements include security requirements (IG2) that are appropriate for the categorization of the Data. Example requirements may include minimum Security program requirements, Security Incident and/or Data breach notification and response, Data encryption requirements, and Data disposal commitments.
- The process will ensure that these Security requirements are consistent with the University’s IT Service Provider management policy.
- The process will also include a review of IT Service Provider contracts annually or when renegotiated to ensure contracts are not missing security requirements.
- The Data Owner(s) and Data Custodian(s) must be included in the process.
- The Central IT Department will create a process to assess IT Service Providers consistent with the University’s IT Service Provider management policy (IG3). The assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. The process will also include reassessment of IT Service Providers annually, at a minimum, or with new and renewed contracts.
- The Central IT Department will create a process to monitor IT Service Providers consistent with the University’s IT Service Provider management policy (IG3) including periodic reassessment of IT Service Provider compliance, monitoring IT Service Provider release notes, and dark web monitoring.
- The Central IT Department will create a process to securely decommission IT Service Providers (IG3).
- Data on IT Service Providers (e.g., cloud services) must be disposed of by first requesting the appropriate methods to permanently delete Data stored in their Systems, and then performing those actions according to the received instructions.
- The Central IT Department must analyze if cloud IT Service Providers used by the University are effectively backing up University Data, and if that Data must be considered within the University Data Recovery Plan as defined in System-wide Policy: IT0311 – Information Technology Data Access, Management, and Recovery. This includes evaluation that the appropriate language is included in the cloud IT Service Provider contract. Data Owners must be consulted as a part of this process.
- Every cloud platform and/or cloud service used by the University must be appropriately configured in accordance with University standards (reference System-wide Policy: IT4912 – Information Technology Secure Configuration Management) and CIS benchmarks or allow for vendor supplied hardening guides if CIS doesn’t have a benchmark for a specific service and must meet security requirements for their individual purpose.
- The Central IT Department will create a process that ensures that all cloud-based services have a malware defense program (reference the System-wide Policy: IT7810 – Information Technology Vulnerability Management, Audit Log Management, and Malware Defense Policy for more information).
- All cloud-based IT Service Providers will provide documentation that they have a written incident response plan that is tested at least annually (reference the System-wide Policy IT0017 – Information Technology Incident Response Management for more information).
III. Application Software Security Management Policy
The Central IT Department must communicate the requirements and processes for application software security management to the campus community annually to engage campus communities and individuals in the shared responsibility of secure application software security management. In all cases within this policy where the Central IT Department is required to create a process to implement an IT security control, training and guidance must also be provided to the campus or institute community related to the cont rol itself and the associated process.
- For all application development, following the Open Worldwide Application Security Project (OWASP) standard unless a different secure software development standard is contractually required.
Implementation Group 2 and 3 Controls
Note that Implementation Group 2 (IG2) controls are not required to be implemented until January 1, 2027, and Implementation Group 3 (IG3) by January 1, 2029.
- The Central IT Department will create a process to establish and maintain a secure application development process for all applications developed for the University (IG2). Address such items as:
- Secure application design standards.
- Secure coding practices.
- Developer training.
- Vulnerability management.
- Security of third-party code.
- Application security testing procedures.
- Review and update documentation annually.
- The Central IT Department will create a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report (IG2). The process is to include such items as:
- A vulnerability handling policy that identifies reporting process
- Responsible party for handling vulnerability reports.
- A process for intake, assignment, remediation, and remediation testing.
- Use a vulnerability tracking System that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities.
- Review and update documentation annually.
- The Central IT Department will create a process to perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code and allows development teams to move beyond just fixing individual vulnerabilities as they arise (IG2).
- The Central IT Department will create a process to establish and manage an updated inventory of IT Service Provider components used in development, often referred to as a “bill of materials,” as well as components slated for future use (IG2).
- This inventory is to include any risks that each IT Service provider component could pose.
- Evaluate the list at least monthly to identify any changes or updates to these components and validate that the component is still supported.
- The Central IT Department will create a guideline for the campus community to use up-to-date and trusted third-party software components (IG2). The guideline will include:
- Choose established and proven frameworks and libraries that provide adequate security.
- Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.
- The Central IT Department will create a process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed (IG2). The process will include:
- Setting a minimum level of security acceptability for releasing code or applications.
- Review and update the System and process annually.
- The Central IT Department must develop guidelines to use standard, industry -recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components (IG2) and does not allow in-house developed software to weaken configuration hardening.
- The Central IT Department must develop guidelines to maintain separate environments for production and non-production environments of Systems (IG2).
- The Central IT Department will ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities (IG2).
- The Central IT Department must develop a process to conduct training at least annually.
- The Central IT Department must develop a process to design in a way to promote Security within the development team and build a culture of Security among the developers.
- The Central IT Department must develop guidelines to apply secure design principles in application architectures (IG2). Secure design principles include:
- The concept of least privilege and enforcing mediation to validate every operation that the User makes.
- Promoting the concept of “never trust User input.”
- Ensuring that explicit error checking is performed and documented for all input.
- Minimizing the application infrastructure attack surface.
- The Central IT Department must develop guidelines to leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging (IG2). Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
- The Central IT Department must develop guidelines to apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed (IG3).
- The Central IT Department will conduct application Penetration Testing (IG3).
- The Central IT Department will conduct Threat Modeling. Threat Modeling is the process of identifying and addressing application Security design flaws within a design before code is created (IG3).
IV. Exceptions
The University’s Chief Information Officer is authorized to grant exceptions to the University’s Information Technology Policies. Campus or institute CIOs/DTLs are authorized to grant exceptions to campus or institute processes and procedures.
SECTION 2. Reason for the Policy
This policy establishes the requirements for Information Technology (IT) Service Provider management and application software security management as described in CIS Control 15 (Service Provider Management) and CIS Control 16 (Application Software Security) for the University of Tennessee in support of System- wide Policy: IT0001 – General Statement on Information Technology Policy. All Users must familiarize themselves with System-wide Policy: IT0001.
SECTION 3. Scope and Application
This policy applies to all Users of IT Resources owned, operated, or provided by the University of Tennessee, including its campuses, institutes, and administration (University and/or campuses).
SECTION 4. Procedures
Each campus/institute will adopt procedures related to this policy.
SECTION 5. Definitions
See IT0001 – General Statement on Information Technology Policy for definitions of terms.
SECTION 6. Penalties/Disciplinary Action for Non-Compliance
Any violation of this policy may subject the User to discipline as a violation of one or more provisions of the general standard of conduct in the student handbook or to discipline under the Code of Conduct (HR0580 – Code of Conduct) in the Human Resources Policy and Procedures.
The University may temporarily or permanently remove access to its information technology Resources if an individual violates this policy.
SECTION 7. Responsible Official & Additional Contacts
Subject Matter |
Office Name |
Telephone Number |
Email/Web Address |
Policy Clarification and Interpretation |
System Chief Information Officer and System Chief Information Security Officer |
(865) 974-4810 or (865) 974-0637 | |
Policy Training |
System Chief Information Security Officer |
(865) 974-0637 |
[Text Wrapping
Break]
SECTION 8. Policy History
Revision 1:
SECTION 9. Related Policies/Guidance Documents
- University Policies
- IT0001 – General Statement on Information Technology Policy
- IT0002 – Acceptable Use of Information Technology Resources
- IT0003 – Information Technology Security Program Strategy
- IT0004 – Information Technology Risk Management
- IT0005 – Data Categorization
- IT0014 – Security Awareness Training Management
- IT0017 – Information Technology Incident Response Management
- IT0102 – Information Technology Asset Management
- IT0311 – Information Technology Data Access, Management, and Recovery
- IT0506 – Information Technology Account and Credential Management
- IT1318 – Information Technology Network Monitoring and Defense and Penetration Testing
- IT4912 – Information Technology Secure Configuration Management
- IT7810 – Information Technology Vulnerability Management, Audit Log Management, and Malware Defense
- Center for Internet Security Critical Security Controls Navigator https://www.cisecurity.org/controls/cis-controls-navigator/