UTSI Information Technology Policies and Procedures

UTSI Acceptable Use Policy

IT0110-SI – Acceptable Use of Information Technology Resources

This policy governs the use of the university’s information technology resources in an atmosphere that encourages the free exchange of ideas and an unwavering commitment to academic freedom.

Information and Computer System Classification Plan

IT0115-SI – Information and Computer System Classification Plan

To establish a formal, documented plan for classifying business-critical information and computer systems.

Secure Network Infrastructure Program

IT0120-SI – Secure Network Infrastructure Program

To establish a formal, documented program for the creation and maintenance of a secure network infrastructure.

Information Security Program

IT0121-SI – Information Security Program

To establish a formal, documented program that describes the development and maintenance of security plans.

Security Incident Reporting and Response

IT0122-SI – Security Incident Reporting and Response

To develop a program for computer Security Incident Reporting and Response at the University of Tennessee Space Institute (UTSI) that aligns with System-wide policy IT0122.

Security Awareness, Training, and Education Program

IT0123-SI – Security Awareness, Training, and Education Program

To establish a formal, documented Security Awareness, Training, and Education Program for University information systems users, and facilitate appropriate training controls.

Risk Assessment Plan

IT0124-SI – Risk Assessment Plan

To establish a formal, documented plan to ensure the implementation of appropriate and effective Risk Assessment (RA) controls for information systems that host or contain sensitive University data.

Configuration Management Plan

IT0125-SI – Configuration Management Plan

To establish a formal, documented plan that describes the implementation of appropriate and effective Configuration Management (CM) controls for business-critical systems (CM-9). This plan establishes guidelines for baseline configurations and defines the change control process for managing configuration changes.

Audit and Accountability Plan

IT0127-SI – Audit and Accountability Plan

To establish a formal, documented plan for managing risk and implementing best practices with regard to the creation and retention of audit evidence.

Contingency Planning

IT0128-SI – Contingency Planning

Per System-Wide policy IT0128, the University of Tennessee Space Institute (UTSI) is tasked with establishing a Contingency Planning (CP) policy for managing the risk of information asset failures and service disruptions. The CP program is intended to address security best practices with regard to business continuity and disaster recovery.

Physical and Environmental Protection

IT0129-SI – Physical and Environmental Protection

To develop a procedure for Physical and Environmental Protection at the University of Tennessee Space Institute (UTSI) that aligns with System-wide policy IT0129 and the National Institute of Standards and Technology (NIST) 800 publication series.

Personnel Security

IT0130-SI – Personnel Security

To establish a procedure for developing and maintaining a Personnel Security Program at the University of Tennessee Space Institute (UTSI) to ensure individuals granted access to systems and data are vetted in order to maintain information security objectives.

Security Assessment and Authorization Plan

IT0131-SI – Security Assessment and Authorization Plan

To establish a formal, documented program to manage the confidentiality, integrity, and availability of business-critical information systems at UTSI by assessing security controls.

Identification and Authentication Plan

IT0132-SI – Identification and Authentication Plan

To establish a formal, documented identification and authentication plan for managing risk from user access and authentication into business-critical information systems and to provide the minimum requirements to control that risk.

Security Planning Program

IT0133-SI – Security Planning Program

To establish a formal, documented program to ensure that Security Plans providing an overview of security requirements and the controls to address those requirements are in place for critical information systems.

System and Communication Protection Program

IT0134-SI – System and Communication Protection Plan

To establish a formal, documented system and communication protection program to ensure compliance with requirements established by the University.

System and Information Integrity Program

IT0135-SI – System and Information Integrity Program

To establish a program for developing and maintaining a Systems & Information Integrity program to ensure compliance with minimally acceptable system configuration requirements.

UTSI Password Standard

IT1002-SI – Password Standard

This standard contains requirements and recommendations for all system passwords, including servers, workstations, and network devices, for UTSI. Each user and/or administrator is required to implement the system password definitions listed in this document.

Software Licensing and Copyright Law

S0125 – Software Licensing and Copyright Law

Prohibits unauthorized reproduction of copyrighted computer software. Software licenses required.

Higher Education Opportunity Act- Peer to Peer File Sharing

S0336 – Higher Education Opportunity Act- Peer to Peer File Sharing

Requires an annual disclosure to students that (1) states that unauthorized distribution of copyrighted material, such as through peer-to-peer networks, may subject students to civil and criminal penalties, (2) describes the penalties for such violations, and (3) includes the institution’s policies on peer-to-peer file sharing. Institutions must also develop a plan to combat unauthorized distribution of copyrighted material.

TN State Law of Personal Information Breach

S0370 – TN State Law of Personal Information Breach

Any information holder shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of Tennessee whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay. If over 1,000, must disclose to credit bureaus.

TN State Unsolicited Bulk Electronic Mail

S0371 – TN State Unsolicited Bulk Electronic Mail

It is an offense for a person without authority to falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail service provider or its subscribers.

TN State Credit Security Act of 2007

S0372 – TN State Credit Security Act of 2007

Must make a reasonable effort to protect social security numbers from disclosure to the public. Social security numbers shall not: 1) be posted or displayed in public; 2) be required to be transmitted over the Internet, unless the Internet connection used is secure or the social security number is encrypted; 3) be required to log onto or access an Internet website, unless used in combination with a password or other authentication device; or 4) be printed on any materials mailed to a consumer, unless such disclosure is required by law, or the document is a form or application.

Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)

S0373 – Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)

The bill permits e-mail marketers to send unsolicited commercial e-mail as long as it adheres to 3 basic types of compliance: 1) unsubscribe compliance; 2) content compliance; and 3) sending behavior compliance.

Electronic Communications Privacy Act of 1986

S0420 – Electronic Communications Privacy Act of 1986

This law protects communications from government surveillance. However, employers who own the computer system used by their employees have the right to monitor employees’ e-mail. Employee consent is a defense to liability under the ECPA intercept provision. Employees should either consent to or be put on notice that it is university policy that any information stored, processed, or transmitted on university IT resources (including telephone) may be intercepted.

The Digital Millennium Copyright Act of 1998 (DMCA)

S0428 – The Digital Millennium Copyright Act of 1998 (DMCA)

The Digital Millennium Copyright Act (DMCA) addresses copyright law in the digitally networked environment. The Act brings U.S. law into line with the World Intellectual Property Organization (WIPO) and limits the liability for monetary damages with respect to copyright infringement for an Online Service Provider (OSP). In order to be eligible for the exemption from liability, the OSP must do the following:

• adopt and implement a policy that provides for termination of computer privileges of users who are repeat infringers;

• accommodate and not interfere with standard technical measures used by copyright owners to identify and protect copyrighted works; and

• designate an agent for notification of claimed infringement by providing contact information to the Copyright Office and through the OSP’s publicly accessible Web site.