Objective:
To align University of Tennessee at Chattanooga (UTC) standards of practice with University of Tennessee System-wide policy for developing, maintaining and documenting a Security Assessment & Authorization program.
Scope:
This program applies to, but is not limited to, employees, contractors, agents, and representatives accessing, using, or handling UTC information technology resources.
Principles:
This document is a UTC-specific Standard based on University System-wide policy. Each User of UTC resources is required to be familiar with and comply with University policies, and acceptance is assumed if the User accesses, uses, or handles UTC information technology resources.
The Chief Information Officer (CIO) is the Position of Authority (POA) for Information Technology at UTC and is responsible for IT security at the University of Tennessee at Chattanooga.
Responsibilities:
- The CIO has overall responsibility for the Security Assessment & Authorization (SA) program at UTC and ensures:
  - The program is developed, documented, and disseminated to appropriate UTC entities in accordance with University policy.
  - The program is reviewed and updated annually.
- The Chief Information Security Officer (CISO) is responsible for overseeing the implementation of the Security Assessment & Authorization program and consulting system owners to ensure effective procedures are implemented.
- System owners/administrators are responsible for adhering to this Standard for their respective system(s).
Standard:
- All business systems supporting mission-essential functions are included in UTC’s Security Assessment & Authorization Protection program.
- The CISO will ensure:
  - The implementation of a continuous monitoring program for infrastructure and critical systems.
  - Development of a Plan of Action and Milestones (POAM) to correct system deficiencies, ensuring remedial actions are taken, and maintaining updates to the POAM.
- System owners/administrators will ensure procedures address:
  - Plan scope, schedule of assessments, and reporting.
  - Verification of system boundaries and interconnections.
  - Criteria and metrics for system monitoring and reporting of system status.
References:
IT0131 – Security Assessment and Authorization