UTSI Acceptable Use Policy
IT0110-SI – Acceptable Use of Information Technology Resources
This policy governs the use of the university’s information technology resources in an atmosphere that encourages the free exchange of ideas and an unwavering commitment to academic freedom.
Information and Computer System Classification Plan
IT0115-SI – Information and Computer System Classification Plan
To establish a formal, documented plan for classifying business-critical information and computer systems.
Secure Network Infrastructure Program
IT0120-SI – Secure Network Infrastructure Program
To establish a formal, documented program for the creation and maintenance of a secure network infrastructure.
Information Security Program
IT0121-SI – Information Security Program
To establish a formal, documented program that describes the development and maintenance of security plans.
Security Incident Reporting and Response
IT0122-SI – Security Incident Reporting and Response
To develop a program for computer Security Incident Reporting and Response at the University of Tennessee Space Institute (UTSI) that aligns with System-wide policy IT0122.
Security Awareness, Training, and Education Program
IT0123-SI – Security Awareness, Training, and Education Program
To establish a formal, documented Security Awareness, Training, and Education Program for University information systems users, and facilitate appropriate training controls.
Risk Assessment Plan
IT0124-SI – Risk Assessment Plan
To establish a formal, documented plan to ensure the implementation of appropriate and effective Risk Assessment (RA) controls for information systems that host or contain sensitive University data.
Configuration Management Plan
IT0125-SI – Configuration Management Plan
To establish a formal, documented plan that describes the implementation of appropriate and effective Configuration Management (CM) controls for business-critical systems (CM-9). This plan establishes guidelines for baseline configurations and defines the change control process for managing configuration changes.
Audit and Accountability Plan
IT0127-SI – Audit and Accountability Plan
To establish a formal, documented plan for managing risk and implementing best practices with regard to the creation and retention of audit evidence.
Contingency Planning
IT0128-SI – Contingency Planning
Per System-Wide policy IT0128, the University of Tennessee Space Institute (UTSI) is tasked with establishing a Contingency Planning (CP) policy for managing the risk of information asset failures and service disruptions. The CP program is intended to address security best practices with regard to business continuity and disaster recovery.
Physical and Environmental Protection
IT0129-SI – Physical and Environmental Protection
To develop a procedure for Physical and Environmental Protection at the University of Tennessee Space Institute (UTSI) that aligns with System-wide policy IT0129 and the National Institute of Standards and Technology (NIST) 800 publication series.
Personnel Security
IT0130-SI – Personnel Security
To establish a procedure for developing and maintaining a Personnel Security Program at the University of Tennessee Space Institute (UTSI) to ensure individuals granted access to systems and data are vetted in order to maintain information security objectives.
Security Assessment and Authorization Plan
IT0131-SI – Security Assessment and Authorization Plan
To establish a formal, documented program to manage the confidentiality, integrity, and availability of business-critical information systems at UTSI by assessing security controls.
Identification and Authentication Plan
IT0132-SI – Identification and Authentication Plan
To establish a formal, documented identification and authentication plan for managing risk from user access and authentication into business-critical information systems and to provide the minimum requirements to control that risk.
Security Planning Program
IT0133-SI – Security Planning Program
To establish a formal, documented program to ensure that Security Plans providing an overview of security requirements and the controls to address those requirements are in place for critical information systems.
System and Communication Protection Program
IT0134-SI – System and Communication Protection Plan
To establish a formal, documented system and communication protection program to ensure compliance with requirements established by the University.
System and Information Integrity Program
IT0135-SI – System and Information Integrity Program
To establish a program for developing and maintaining a Systems & Information Integrity program to ensure compliance with minimally acceptable system configuration requirements.
UTSI Password Standard
IT1002-SI – Password Standard
This standard contains requirements and recommendations for all system passwords, including servers, workstations, and network devices, for UTSI. Each user and/or administrator is required to implement the system password definitions listed in this document.
Software Licensing and Copyright Law
S0125 – Software Licensing and Copyright Law
Prohibits unauthorized reproduction of copyrighted computer software. Software licenses required.
Higher Education Opportunity Act – Peer to Peer File Sharing
S0336 – Higher Education Opportunity Act – Peer to Peer File Sharing
Requires an annual disclosure to students that (1) states that unauthorized distribution of copyrighted material, such as through peer-to-peer networks, may subject students to civil and criminal penalties, (2) describes the penalties for such violations, and (3) includes the institution’s policies on peer-to-peer file sharing. Institutions must also develop a plan to combat unauthorized distribution of copyrighted material.
TN State Law of Personal Information Breach
S0370 – TN State Law of Personal Information Breach
Any information holder shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of Tennessee whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay. If more than 1,000 individuals are affected, the information holder must also disclose the breach to the credit bureaus.
TN State Unsolicited Bulk Electronic Mail
S0371 – TN State Unsolicited Bulk Electronic Mail
It is an offense for a person without authority to falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail service provider or its subscribers.
TN State Credit Security Act of 2007
S0372 – TN State Credit Security Act of 2007
Entities must make a reasonable effort to protect social security numbers from disclosure to the public. Social security numbers shall not: 1) be posted or displayed in public; 2) be required to be transmitted over the Internet, unless the Internet connection used is secure or the social security number is encrypted; 3) be required to log onto or access an Internet website, unless used in combination with a password or other authentication device; or 4) be printed on any materials mailed to a consumer, unless such disclosure is required by law, or the document is a form or application.
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
S0373 – Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
The bill permits e-mail marketers to send unsolicited commercial e-mail as long as it adheres to 3 basic types of compliance: 1) unsubscribe compliance; 2) content compliance; and 3) sending behavior compliance.
Electronic Communications Privacy Act of 1986
S0420 – Electronic Communications Privacy Act of 1986
This law protects communications from government surveillance. However, employers who own the computer system used by their employees have the right to monitor employees’ e-mail. Employee consent is a defense to liability under the ECPA intercept provision. Employees should either consent to or be put on notice that it is university policy that any information stored, processed, or transmitted on university IT resources (including telephone) may be intercepted.
The Digital Millennium Copyright Act of 1998 (DMCA)
S0428 – The Digital Millennium Copyright Act of 1998 (DMCA)
The Digital Millennium Copyright Act (DMCA) addresses copyright law in the digitally networked environment. The Act brings U.S. law into line with the World Intellectual Property Organization (WIPO) and limits the liability for monetary damages with respect to copyright infringement for an Online Service Provider (OSP). In order to be eligible for the exemption from liability, the OSP must do the following:
• adopt and implement a policy that provides for termination of computer privileges of users who are repeat infringers;
• accommodate and not interfere with standard technical measures used by copyright owners to identify and protect copyrighted works; and
• designate an agent for notification of claimed infringement by providing contact information to the Copyright Office and through the OSP’s publicly accessible Web site.