Responsible Office: Office of Cybersecurity
Last Review: 03/01/2025 | Next Review: 03/01/2027
Contact: Chris Madeksho
Phone: 901.448.1579 | Email: mmadeksh@uthsc.edu
Purpose
The University of Tennessee Health Science Center (UTHSC) creates, acquires, maintains, and distributes data, information, and information technology (IT) Resources in various forms. UTHSC has created an Information Security Program as UTHSC recognizes its obligation to effectively secure and safeguard this information in terms of confidentiality, integrity, and availability while allowing individuals to appropriately access and share information when needed.
The Information Security Program is also designed to meet compliance requirements for data types regulated by federal or state law. This includes, but is not limited to, the security requirements and safeguards of the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA).
Scope
This program applies to all data and information created, stored, processed, or transmitted while in the custody of UTHSC; to the IT Resources that store, process, or transmit this data and information; and to the individuals who have been granted access to this data, information, and Resources.
Responsibilities
The UTHSC Chief Information Security Officer (CISO) is responsible for information security at UTHSC Campus and the development, implementation, maintenance, and documentation of the UTHSC Information Security Program.
The CISO, within the context of the UTHSC Information Security Program, is responsible for implementing reasonable and appropriate security controls as outlined in the Center for Internet Security (CIS) Critical Security Controls (CSC) Implementation Group 1 (IG1) at a minimum.
The CISO is responsible for reviewing all components of the UTHSC Information Security Program annually, and as necessary in response to legal, environmental, or operational changes.
The CISO serves as a Position of Authority (POA) required by the University of Tennessee System Administration Policy IT0002-Acceptable Use of Information Technology Resources.
The UTHSC College, School, and Institute deans, directors, and department chairs are responsible for ensuring compliance with the UTHSC Information Security Program and associated Policies, Standards, and Practices within their areas of responsibility.
All members of the UTHSC Community shall adhere to the appropriate roles and responsibilities as defined in IT0003-HSC-A.01-Information Security Roles and Responsibilities.
Standard
- UTHSC Information Security Program standards and practices are subordinate to the University of Tennessee policies that address the security of information.
- UTHSC maintains an Information Security Program that puts in place reasonable and appropriate safeguards for the data and information UTHSC creates, acquires, maintains, and distributes in various forms, while allowing individuals to appropriately access and share information as governed by applicable law.
- Appropriate safeguards are determined by classification level and asset type. Reference 1 is a link to these safeguards.
- Security controls and safeguards have been cross-mapped to applicable compliance requirements and are maintained by ITS.
- A library of UTHSC security standards and practices has been published. Reference 2 is a link to an index of those standards and practices.
- Violations of this policy may result in disciplinary action up to and including termination or expulsion per IT0003-HSC-A.03-Information Security Violations.
Policy History
Version # | Effective Date
1 | 03/17/2016
2 | 12/03/2020
3 | 02/12/2021
4 | 05/12/2022
5 | 06/29/2023
6 | 03/01/2025 (new naming convention)
References
- Information Security Requirements, Controls, and Safeguards (https://uthsc.edu/its/cybersecurity/requirements.php)
- UTHSC Security Standards and Practices (https://uthsc.edu/its/cybersecurity/standards.php)
- Center for Internet Security (CIS) Critical Security Controls (CSC)
- IT0002-Acceptable Use of Information Technology Resources
- IT0003-Information Technology Security Program Strategy
- IT0003-HSC-A.01-Information Security Roles and Responsibilities
- IT0003-HSC-A.03-Information Security Violations