Main Navigation:

• Information Security Office »

• Security Awareness

• Training
• Are you being hacked?
• Top Ten Viruses
• How to protect your computer
• Request a security scan
• Login Banners
• Policies & Best Practices
• Positions of Authority
• Connect to the SSL VPN

• Identity Theft

• Unauthorized Access FAQ

• Sanitization

• Sanitization of Electronic Media

• Report...

• Abuse
• Security Incident

• Security Tools

• What is a security assessment?
• ITC Security Workshop

• Other

• How can we help you?
• Security-Related Links & Info
• Download Anti-Virus, SSH, & more
• Security Services Change Requests
• 
  Search the ISO Site
• 
  University of Tennessee System Home

Currently, all documents are in PDF format. Adobe Acrobat Reader is required to view them.

  Stay up to date on changes to Policies & Best Practices with the RSS Feed

General

Information Technology Security Strategy
Exception Process
Glossary of Terms
Positions of Authority for Each Campus or Institute

Matrices

Information Technology Security Responsibilities   Black & White  Color
Establishes and Maintains the Standards Responsibilities
Implementation Responsibilities
Oversight Responsibilities
All Matrices

Best Practices

• Availability Planning and Best Practices:
  Last Updated: September 25, 2008
  This document outlines the University of Tennessee System security best practices for protecting the availability of computer systems.
• Change Management:
  Last Updated: March 27, 2009
  The intent of this document is to serve as a best practice for implementing a change management program.
• Encryption of Stored Data on End User Devices:
  Last Updated: March 27, 2009
  This document outlines the University of Tennessee’s best practices for securing end-user devices with encryption technology.
• Incident Response Process:
  Last Updated: September 25, 2008
  This Best Practice provides specific information for designing a process for each campus or institute to handle information systems security incidents or suspected information systems security incidents.
• Media Sanitization:
  Last Updated: September 25, 2008
  This document describes guidelines for properly removing information, a process called sanitization, from University of Tennessee IT resources.
• Multifunction Devices (Draft):
  Last Updated: September 25, 2008
  This document outlines the University of Tennessee best practices for securing Multifunction Devices.
• Network Access and Termination:
  Last Updated: September 25, 2008
  This Best Practice outlines processes that can be used for allowing, and if necessary, terminating access to the University of Tennessee network.
• Passwords:
  Last Updated: September 25, 2008
  This document describes guidelines for selecting strong passwords and protecting them from unauthorized disclosure.
• Protecting Restricted Information:
  Last Updated: September 25, 2008
  This document outlines best practices that can be used to guard against the unauthorized disclosure or modification of restricted information.
• Secure Desktop and Laptop:
  Last Updated: September 25, 2008
  This document outlines the University of Tennessee best practices for securing desktop and laptop resources.
• Secure Mobile Device:
  Last Updated: March 27, 2009
  This document outlines the University of Tennessee best practices for securing laptop computers and other mobile computing devices.
• Secure Network Infrastructure:
  Last Updated: September 25, 2008
  This document will provide recommendations on the planning, design, placement, configuration and management of core network infrastructure devices.
• Secure Server:
  Last Updated: September 25, 2008
  This document outlines the University of Tennessee best practices for securing server resources.
• All Best Practices:
  Last Updated: April 06, 2009
  This is a ".zip" file containing ".pdf" versions of the above best practices.

Policies

University Policy Search

• Acceptable Use Of Information Technology Resources - Policy No.: IT0110 :
  Last Updated: March 11, 2009
  This document describes guidelines for using The University of Tennessee's computer and Information Technology Resources.
• Information Classification - Policy No.: IT0115 (Draft):
  Last Updated: August 21, 2008
  This policy defines a framework for categorizing information according to the perceived risk to the university and assigns the responsibility to identify and designate the classification of the information.
• Information Classification Form (Draft)
• Computer System Classification - Policy No.: IT0116 (Draft):
  Last Updated: August 21, 2008
  This document established the framework for categorizing computer systems according to the expected impact to university operations should the system experience an interruption of service.
• Secure Network Equipment and Wiring - Policy No.: IT0120 (Draft):
  Last Updated: August 21, 2008
  This document describes guidelines for creation and maintenance of a secure information systems infrastructure.
• All Policies:
  Last Updated: March 11, 2009
  This is a ".zip" file containing ".pdf" versions of the above policies.

State and Federal Laws and Regulations

Tennessee State Law for Personal Information Breach
Tennessee Computer Crimes Act
Health Insurance Portability and Accountability Act (HIPAA)
The Family Educational Rights and Privacy Act (FERPA)
The Gramm-Leach Bliley Act (GLBA)

Other Regulations

Payment Card Industry (PCI) Compliance