2017 SECURITY PLAN CREATION GUIDE
UTC IT0121-G
UTC Information Technology
Michael Dinkins, CISO
4/28/2017
CONTENTS
1. Scope
2. Principles
3. Revisions
4. Objective
5. Policy
6. Applicability
7. Responsibilities
8. IT Security Office
1. Scope

This document is for use by the Associate Vice-Chancellor and Chief Information Officer (AVC/CIO), the Chief Information Security Officer (CISO), and the IT Security Team at the University of Tennessee at Chattanooga (UTC).

2. Principles

This document is a University of Tennessee at Chattanooga-specific guide based on University policy. Each User of UTC resources is required to be familiar with and comply with University policies, and acceptance is assumed if the User accesses, uses, or handles UTC information technology resources. The Associate Vice Chancellor and Chief Information Officer (AVC/CIO) is responsible for information technology and security at the University of Tennessee at Chattanooga. The AVC/CIO is the Position of Authority (POA) for Information Technology at UTC.

3. Revisions

Date        Action        Name
4/28/2017   Version 1.0   Michael Dinkins

4. Objective

This document establishes guidelines for developing and maintaining an information security program at The University of Tennessee at Chattanooga.

5. Policy

The University IT Security Community of Practice created information technology (IT) security policies that provide guidance to the campuses on the implementation of an IT security program based on the National Institute of Standards and Technology (NIST) Risk Management Framework. This guide is a supplement to published University of Tennessee Policy IT0121, Information Security Plan Creation, Implementation, and Maintenance. IT0121 policy requires UTC to protect its network infrastructure to accomplish its mission of teaching, learning, research, and public service.
6. Applicability

This Guide provides sufficient information to develop and disseminate an IT Security Plan based on the National Institute of Standards and Technology (NIST) Risk Management Framework. It applies to all campus systems, networks, devices, and services connected to the University of Tennessee at Chattanooga (UTC) network. Formal documented processes and/or procedures must be applied to the following mission-essential (a.k.a. critical) systems/subsystems:

MISSION-ESSENTIAL SYSTEMS

System | Subsystem | Owner | Administrator Contact
Banner | Banner Services Systems applications | Banner Systems Support Services | Director, Banner Systems Support Services
Banner | Banner Services Systems database | Enterprise Applications & Data Center | Banner Systems DBA
Banner | Banner Services Systems servers | Enterprise Applications & Data Center | Executive Director, Enterprise Applications & Data Center
Enterprise Services (Non-Banner) | Data Center | Enterprise Applications & Data Center | Deputy CIO
Infrastructure | Network Infrastructure | Deputy CIO
Infrastructure | Telecomm Infrastructure | Deputy CIO
Moderate-categorized Departments | Department Head | Department Head

7. Responsibilities

ROLE: Associate Vice-Chancellor & CIO (AVC/CIO)
RESPONSIBILITY: As the Position of Authority (POA), the AVC/CIO has overall responsibility for the IT Security Plan development and dissemination to appropriate management and stakeholders in accordance with University policy. The AVC/CIO ensures:
1) An IT Security Program is developed, documented, and disseminated to appropriate UTC entities in accordance with University policy.
2) The IT Security Program is reviewed and updated annually.
3) Critical business systems and mission-essential functions are identified for inclusion in the IT Security Program.

ROLE: Chief Information Security Officer (CISO)
RESPONSIBILITY: The CISO is responsible for developing, maintaining, implementing, and disseminating the UTC IT Security Program Plan (Security Plan) that addresses, but is not limited to, the following elements:
1) IT Security Program Overview. The IT Security Plan provides a description of the security program management and annual review.
2) Roles and Responsibilities. The Plan must include identification and assignment of roles and responsibilities, management commitment, coordination among organizational entities, and compliance, including who is responsible for accepting risk.
3) Information and System Categorization. A clear explanation of the information and system categorization process.
4) Controls Description. A general description of the controls in place or planned for meeting the security requirements.
5) Information Security Metrics. The Plan shall include a description of how information security performance is measured.
6) Plan of Action and Milestones. The IT Security Plan shall include strategies and steps for compliance with UT Policy IT0121. A documented implementation strategy must accompany each campus information security plan including.
7) Risk & Vulnerability Management Summary. Each revision of the IT Security Program Plan shall include an annual status report of Risk & Vulnerability Management.
8) Enterprise Architecture Description. The Plan shall include a sufficiently detailed description of the campus enterprise network architecture and interconnecting systems. The Plan shall also include references to related Interconnection Security Agreements (ISAs).
9) Critical Infrastructure. The Plan shall identify key business-critical resources and address protection strategies based on the prioritization of critical assets.
10) Hardware and Software Inventory Control. A description of the hardware and software inventory processes for business-critical systems shall be included in the IT Security Plan.
11) Exception Handling. Requests for exceptions to system IT Security Policies must be submitted in writing to the campus Chief Information Officer or their designee, who will approve or deny the request for an exception. All exceptions must be kept on file with the Chief Information Officer or their designee.
12) Threat Awareness and Training. The Plan must include a description of UTC's Security Awareness and Training program.
13) IT Security Plan annual reviews and updates.

ROLE: Subsystem Owner / Administrator (or assignee)
RESPONSIBILITY: System Owners are responsible for developing procedures and/or processes for their respective system(s) to ensure the IT Security Plan is implemented in accordance with University policy.

8. IT Security Office

Michael Dinkins, CISSP
Chief Information Security Officer
(423) 425-4507
michael-dinkins@utc.edu

Larry Prince
IT Security Analyst
(423) 425-2904
larry-prince@utc.edu