SECURITY PLAN CREATION GUIDE


2017 SECURITY PLAN CREATION GUIDE
UTC IT0121-G
UTC Information Technology
Michael Dinkins, CISO
4/28/2017

CONTENTS
1. SCOPE
2. PRINCIPLES
3. REVISIONS
4. OBJECTIVE
5. POLICY
6. APPLICABILITY
7. RESPONSIBILITIES
8. IT SECURITY OFFICE

1. Scope

This document is for use by the Associate Vice-Chancellor and Chief Information Officer (AVC/CIO), the Chief Information Security Officer (CISO), and the IT Security Team at the University of Tennessee at Chattanooga (UTC).

2. Principles

This document is a University of Tennessee at Chattanooga-specific guide based on University policy. Each user of UTC resources is required to be familiar with and comply with University policies; acceptance is assumed if the user accesses, uses, or handles UTC information technology resources. The Associate Vice-Chancellor and Chief Information Officer (AVC/CIO) is responsible for information technology and security at the University of Tennessee at Chattanooga. The AVC/CIO is the Position of Authority (POA) for information technology at UTC.

3. Revisions

Date        Action        Name
4/28/2017   Version 1.0   Michael Dinkins

4. Objective

This document establishes guidelines for developing and maintaining an information security program at The University of Tennessee at Chattanooga.

5. Policy

The University IT Security Community of Practice created information technology (IT) security policies that provide guidance to the campuses on the implementation of an IT security program based on the National Institute of Standards and Technology (NIST) Risk Management Framework. This guide is a supplement to published University of Tennessee Policy IT0121, Information Security Plan Creation, Implementation, and Maintenance. Policy IT0121 requires UTC to protect its network infrastructure to accomplish its mission of teaching, learning, research, and public service.

6. Applicability

This guide provides sufficient information to develop and disseminate an IT Security Plan based on the National Institute of Standards and Technology (NIST) Risk Management Framework. It applies to all campus systems, networks, devices, and services connected to the University of Tennessee at Chattanooga (UTC) network. Formal, documented processes and/or procedures must be applied to the following mission-essential (a.k.a. critical) systems/subsystems:

MISSION-ESSENTIAL SYSTEMS

System                            Subsystem                              Owner                                  Administrator Contact
Banner                            Banner Services Systems applications   Banner Systems Support Services        Director, Banner Systems Support Services
Banner                            Banner Services Systems database       Enterprise Applications & Data Center  Banner Systems DBA
Banner                            Banner Services Systems servers        Enterprise Applications & Data Center  Executive Director, Enterprise Applications & Data Center
Enterprise Services (Non-Banner)  Data Center                            Enterprise Applications & Data Center  Deputy CIO
Infrastructure                    Network Infrastructure                 Deputy CIO                             -
Infrastructure                    Telecomm Infrastructure                Deputy CIO                             -
Moderate-categorized Departments  -                                      Department Head                        Department Head

7. Responsibilities

ROLE: Associate Vice-Chancellor & CIO (AVC/CIO)
RESPONSIBILITY: As the Position of Authority (POA), the AVC/CIO has overall responsibility for IT Security Plan development and dissemination to appropriate management and stakeholders in accordance with University policy. The AVC/CIO ensures:
1) An IT Security Program is developed, documented, and disseminated to appropriate UTC entities in accordance with University policy.
2) The IT Security Program is reviewed and updated annually.

3) Critical business systems and mission-essential functions are identified for inclusion in the IT Security Program.

ROLE: Chief Information Security Officer (CISO)
RESPONSIBILITY: The CISO is responsible for developing, maintaining, implementing, and disseminating the UTC IT Security Program Plan (Security Plan), which addresses, but is not limited to, the following elements:
1) IT Security Program Overview. The IT Security Plan provides a description of the security program management and annual review.
2) Roles and Responsibilities. The Plan must include identification and assignment of roles and responsibilities, management commitment, coordination among organizational entities, and compliance, including who is responsible for accepting risk.
3) Information and System Categorization. A clear explanation of the information and system categorization process.
4) Controls Description. A general description of the controls in place or planned for meeting the security requirements.
5) Information Security Metrics. The Plan shall include a description of how information security performance is measured.
6) Plan of Action and Milestones. The IT Security Plan shall include strategies and steps for compliance with UT Policy IT0121. A documented implementation strategy must accompany each campus information security plan including.
7) Risk & Vulnerability Management Summary. Each revision of the IT Security Program Plan shall include an annual status report of Risk & Vulnerability Management.
8) Enterprise Architecture Description. The Plan shall include a sufficiently detailed description of the campus enterprise network architecture and interconnecting systems. The Plan shall also include references to related Interconnection Security Agreements (ISAs).
9) Critical Infrastructure. The Plan shall identify key business-critical resources and address protection strategies based on the prioritization of critical assets.
10) Hardware and Software Inventory Control. A description of the hardware and software inventory processes for business-critical systems shall be included in the IT Security Plan.
11) Exception Handling. Requests for exceptions to system IT Security Policies must be submitted in writing to the campus Chief Information Officer or their designee, who will approve or deny the request for an exception. All exceptions must be kept on file with the Chief Information Officer or their designee.

12) Threat Awareness and Training. The Plan must include a description of UTC's Security Awareness and Training program.
13) IT Security Plan annual reviews and updates.

ROLE: Subsystem Owner / Administrator (or assignee)
RESPONSIBILITY: System Owners are responsible for developing procedures and/or processes for their respective system(s) to ensure the IT Security Plan is implemented in accordance with University policy.

8. IT Security Office

Michael Dinkins, CISSP
Chief Information Security Officer
(423) 425-4507
michael-dinkins@utc.edu

Larry Prince
IT Security Analyst
(423) 425-2904
larry-prince@utc.edu