Responsible Office: Office of Cybersecurity |
Last Review: 03/01/2025 Next Review: 03/01/2027 |
Contact: Chris Madeksho |
Phone: 901.448.1579 Email: mmadeksh@uthsc.edu |
Purpose
This standard establishes the system and communications protection requirements for information systems supporting the University of Tennessee Health Science Center (UTHSC) Computing and Communication environment.
Scope
This Standard applies to the security of UTHSC IT Resources in the form of electronic communications, stored data, and electronic communications resources used to transmit, store, and process such data.
Definitions
UTHSC Information Technology (IT) Resource – a broad term for all things related to information technology from a holistic point of view and covers all University-owned or managed information technology services, including cloud-based services, that users have access to.
Responsibilities
Information Technology Services (ITS) is responsible for implementing the security controls necessary to protect IT Resources.
Office of Cybersecurity is responsible for assessing the security controls necessary to protect IT Resources and for working with ITS on the implementation of those controls based on risk assessments.
UTHSC Workforce is responsible for adhering to this standard and the security controls set forth in it.
Standard
- UTHSC will protect the confidentiality, integrity, and availability of IT Resources, including data residing within these IT Resources and the communications among these IT Resources and with systems external to UTHSC.
- User functionality (including user interface services) shall be separated from information system management functionality in its systems.
- Unauthorized and unintended information transfer via shared system resources is prohibited.
- UTHSC shall take preventive measures to protect against or limit the effects of denial-of-service attacks.
- UTHSC shall implement boundary protection. This protection shall address the external boundary as well as key internal boundaries, which shall be identified in the system security plan.
- Publicly accessible UTHSC IT Resources are to be located on separate sub-networks from internal networks.
- There will be no public access to the UTHSC internal network.
- Interfaces, interconnects, and their protection mechanisms to external networks shall be managed, monitored, and documented.
- The number of external network connections shall be limited.
- Network traffic shall be denied by default; only traffic that is explicitly permitted shall be allowed (deny-by-default, allow-by-exception).
- UTHSC shall terminate network connections at the end of a session, and shall terminate remote sessions after a defined period of inactivity.
- The integrity and confidentiality of UTHSC data and information with a level 2 categorization ranking, as determined in IT0005-HSC-A-Data & System Categorization, shall be protected with encryption during transmission that meets the standards defined for use in NIST publication FIPS 140-2 or any superseding document (currently FIPS 140-3), according to the date of implementation.
- UTHSC shall provide Domain Name System (DNS) services that:
  - Encrypt DNS traffic (for example, DNS over TLS or DNS over HTTPS) where supported.
  - Process name/address resolution requests from internal clients only with internal DNS servers.
  - Process name/address resolution requests from external clients only with external DNS servers.
  - Provide fault-tolerant name/address resolution service for all information systems.
- UTHSC shall provide mechanisms to protect the authenticity of communications sessions.
- Failure to comply with this standard shall be handled according to IT0003-HSC-A.03-Information Security Violations.
Policy History
Version # | Effective Date |
1 | 03/17/2016 |
4 | 12/03/2020 |
5 | 05/17/2022 |
6 | 01/25/2023 |
7 | 03/01/2025 – new naming convention |
References
- IT4912-Information Technology Secure Configuration Management
- IT0003-HSC-A.03-Information Security Violations
- IT0005-HSC-A-Data & System Categorization
- National Institute of Standards and Technology (NIST) publication FIPS 140-2