Knoxville Campus Policy: IT00004-K Information Security
Effective Date: 06/14/2018
Office of Information Technology
University Information Security Plans
UTK Baseline Controls
Minimum list of security controls that are required here on the UTK Campus.
UTK Security Program Plan
This plan details the information security risks UTK faces, and the resulting controls it is responsible for.
System Security Plan Template
Provides the framework for the creation of departmental security plans. (Updated 04/05/2018)
Security Program Management Methodology
PowerPoint presentation explaining Information Security Methodology. (Updated 04/05/2018)
UTK Incident Response Plan
Provides guidance regarding notification and responses to security-related events. In addition to incidents such as cyber-intrusions or unauthorized disclosure of sensitive information, this plan also specifies the requirements for dealing with suspected information technology abuses.
Media Protection Standard
This document outlines the Media Protection standards that constitute the campus standard. Each campus unit is bound to this standard. (Updated 04/19/2018)
Information Technology Policies
Information Technology Policies is a direct link to the complete list of Information Technology Policies listed below. You can click the link above to access the list of policies, or click the links below to access an individual policy.
IT0110 – Acceptable Use of Information Technology Resources
This policy governs the use of the university’s information technology resources in an atmosphere that encourages free exchange of ideas and an unwavering commitment to academic freedom.
IT0115 – Information and Computer System Classification
IT0120 – Secure Network Infrastructure
This policy provides policies for information, and information system categorization, and establishes Federal Information Processing Standard 199 (FIPS 199) as the University of Tennessee’s Information Categorization model.
This policy provides the definitions for creation and maintenance of a secure systems infrastructure, including both wired and wireless technologies.
IT0121 – Information Security Plan Creation and Data Breach Notification Procedures
This policy provides policies for establishing information security plans and data breach notification procedures.
IT0122 – Security incident, Reporting, and Response
This document establishes policy for incident identification, reporting, and response.
IT0123 – Security Awareness, Training, and Education
This document establishes policy for maintaining the security skills of the organizational users, IT personnel, and security staff.
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addressed the security and privacy of health data.
The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.