Information Security Requirements
UTHSC is committed to protecting the privacy of its students, alumni, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of information important to the University's mission.
These standards are intended to reflect the minimum level of care necessary for UTHSC's sensitive data. They do not relieve UTHSC or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation or contract.
UTHSC expects all partners, consultants, and vendors to abide by UTHSC's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by UTHSC's information security policies.
UTHSC's IT0005-HSC-A-Data & System Categorization guides users in determining the security level needed for their data. If further assistance is needed, a classification assessment can be launched to the user. Create a TechConnect ticket to request this assessment.
| Name | Recurring? | What to Do |
Level 1 Low |
Level 2 Moderate |
Level 3 High |
| Asset Management and Lifecycle |
Ensure that the lifecycle of the asset is managed and maintained from procurement through disposal to protect the confidentiality, integrity, and availability of UTHSC data. Implementation of management and maintenance controls will be different depending on the type of deployment. UTHSC bears more responsibility for the management and maintenance of on-premises systems whereas Vendors or Service Providers may bear more responsibility for cloud applications and services. It is the responsibility of the System Owner and System Custodian to ensure that the shared security responsibility for management and maintenance of the asset between the vendor and UTHSC is clearly understood and to ensure that each party is acting accordingly. This may require reviewing the contract to understand the shared security responsibility, service level agreements, and other elements of asset management, maintenance, and security. |
||||
| Asset Removal, Transfer, and Disposal | Ensure that assets are removed, transferred, and disposed of in a manner that protects UTHSC data. This includes ensuring that your department understands ITS disposal requirements and the UTHSC surplus process to ensure assets are disposed of in a secure manner. If this is a cloud application or service, you may need to review the contract to ensure requirements are addressed in the contract for the disposition of UTHSC data. If your department has processes in place to ensure these requirements are followed, this would be considered "Well Defined or Fully Implemented." If your department is unaware of the processes or assets are not disposed of accordingly, please select the most appropriate answer. | ||||
|
Baseline Configurations ⁺ ⁺Control is required for UTHSC-managed Windows and iOS endpoints and recommended for Linux or other unmanaged endpoints at Level 1 and required for all endpoints at Level 2. |
Ensure that industry-approved baseline configurations or best practices are used to configure the asset to protect the confidentiality, integrity, and availability of UTHSC assets (i.e. CIS Benchmarks, OWASP, vendor white papers, etc.). |
||||
| Boundary Protection |
Ensure that boundary protections (network firewall, host-based firewall) are in place to appropriately protect the asset. |
||||
| Enable system logging |
Ensure that the asset is capable of and configured to generate audit logs according to UTHSC Audit and Logging Standards. |
||||
| Encryption at Rest | Ensure that encryption is in place for the asset according to the UTHSC Encryption Standard. | ||||
| Identity Management and Access Controls | Ensure that appropriate identification and authentication controls are in place per UTHSC Access Control and Authentication Standards and Practices. | ||||
| Incident Reporting and Response | Ensure that users are aware of their responsibilities to report potential or actual security incidents and are aware of the processes for reporting. | ||||
| Inventory | Ensure that all UTHSC asset/system/data components are appropriately inventoried according to UTHSC Asset Management Standards. | ||||
| Malware Protection | Ensure that all endpoints or systems accessing UTHSC resources have up-to-date Anti-malware software installed and running according to UTHSC Antivirus/Anti-malware Standards. | ||||
| Patch Management | Ensure patches are applied according to the UTHSC Patch Management Standard. | ||||
| Physical Security | Ensure that physical security controls are in place to protect assets that store, transmit, or process UTHSC data. | ||||
| Security Categorization, Impact Assessment, and Ownership | Ensure that the asset has been classified and that the classification, Asset Owner, Asset Custodian, and impact ratings have been documented in the asset inventory. | ||||
| System Use Notification (Logon Banner) | Ensure that the asset has a login banner notifying them of acceptable use. | ||||
| Vulnerability Management | Ensure the asset is within the scope of UTHSC vulnerability scanning and remediate any identified vulnerabilities according to the UTHSC Vulnerability Management Standard. | ||||
| Access Control Reviews | Ensure that access rights and permissions are periodically reviewed by the Asset Owner and Custodian. | ||||
|
Backups * *Control is recommended at Level 2 and required at Level 3 |
Ensure that backups are in alignment with Recovery Point and Recovery Time Objectives and are conducted, maintained, and tested. |
||||
| Configuration Change Control | Ensure that changes are implemented in a measured and secure manner. | ||||
| Environmental Protection |
Ensure that environmental controls are in place to protect UTHSC assets. |
||||
| Incident Detection and Response |
Ensure that controls are in place to detect/prevent security incidents and measures are in place to respond appropriately. This may include manual or automated processes to review failed logins or activity by admins or using security tools that perform automated log analytics or endpoint detection and response. This includes monitoring performance and capacity management for operational needs. |
||||
| Least Functionality | Ensure that the asset is configured to operate according to the principle of least functionality. This ensures that only the necessary components and features of the asset are enabled according to business needs. | ||||
| Least Privilege | Ensure that privileged accounts are identified and that access to both privileged and standard accounts and services are authorized in accordance with the principle of least privilege and are used only as necessary to perform necessary functions. | ||||
| Removable and Physical Media Protection | Ensure that all physical media or electronic media stored on removable devices is protected according to UTHSC standards. | ||||
| Threat Monitoring |
Ensure that threat intelligence is received from vendors and information-sharing sources to identify potential vulnerabilities or areas of risk. Additional Information or Explanation Links to Documents Documents under development
|
||||
| Transmission Integrity & Confidentiality | Ensure that asset communications across networks are appropriately secured and protected. | ||||
| Business Continuity Planning |
Ensure that the asset is included in the Business Impact Analysis and Business Continuity Plan and that appropriate Disaster Recovery Plans and Incident Response Plans for the Asset exist and have been appropriately tested. This should include an understanding of the asset and its role in the supply chain and critical infrastructure. |
||||
| Regulatory/Statutory Requirements | Ensure that all applicable regulatory or statutory security requirements are in place. |
| Name | Recurring? | What to Do |
Level 1 Low |
Level 2 Moderate |
Level 3 High |
| Asset Management and Lifecycle |
Ensure that the lifecycle of the asset is managed and maintained from procurement through disposal to protect the confidentiality, integrity, and availability of UTHSC data. Implementation of management and maintenance controls will be different depending on the type of deployment. UTHSC bears more responsibility for the management and maintenance of on-premises systems whereas Vendors or Service Providers may bear more responsibility for cloud applications and services. It is the responsibility of the System Owner and System Custodian to ensure that the shared security responsibility for management and maintenance of the asset between the vendor and UTHSC is clearly understood and to ensure that each party is acting accordingly. This may require reviewing the contract to understand the shared security responsibility, service level agreements, and other elements of asset management, maintenance, and security. |
||||
| Asset Removal, Transfer, and Disposal | Ensure that assets are removed, transferred, and disposed of in a manner that protects UTHSC data. This includes ensuring that your department understands ITS disposal requirements and the UTHSC surplus process to ensure assets are disposed of in a secure manner. If this is a cloud application or service, you may need to review the contract to ensure requirements are addressed in the contract for the disposition of UTHSC data. If your department has processes in place to ensure these requirements are followed, this would be considered "Well Defined or Fully Implemented." If your department is unaware of the processes or assets are not disposed of accordingly, please select the most appropriate answer. | ||||
|
Baseline Configurations ⁺ ⁺Control is required for UTHSC-managed Windows and Linux servers and recommended for unmanaged servers at Level 1 and required for all servers at Level 2. |
Ensure that industry-approved baseline configurations or best practices are used to configure the asset to protect the confidentiality, integrity, and availability of UTHSC assets (i.e. CIS Benchmarks, OWASP, vendor white papers, etc.). |
||||
| Boundary Protection |
Ensure that boundary protections (network firewall, host-based firewall, etc.) are in place to appropriately protect the asset. |
||||
| Enable system logging |
Ensure that the asset is capable of and configured to generate audit logs according to UTHSC Audit and Logging Standards. |
||||
| Encryption at Rest | Ensure that encryption is in place for the asset according to the UTHSC Encryption Standard. | ||||
| Identity Management and Access Controls | Ensure that appropriate identification and authentication controls are in place per
UTHSC Access Control and Authentication Standards and Practices. Links to Documents IT0506 – Information Technology Account and Credential Management IT0506-HSC-A.03-Privileged Account Management AC-001.06-Third-Party Access to Account and Data IT0311-HSC-A.02-Third-Party Access to Account and Data IT0506-HSC-A.01-Password Management and Complexity IT0506-HSC-A.02-NetID Account Management |
||||
| Incident Reporting and Response | Ensure that users are aware of their responsibilities to report potential or actual security incidents and are aware of the processes for reporting. | ||||
| Inventory | Ensure that all UTHSC asset/system/data components are appropriately inventoried according to UTHSC Asset Management Standards. | ||||
| Malware Protection | Ensure that all endpoints or systems accessing UTHSC resources have up-to-date Anti-malware software installed and running according to UTHSC Antivirus/Anti-malware Standards. | ||||
| Multi-factor Authentication for anything with External Access | Ensure that multi-factor authentication is enabled for all externally facing systems. | ||||
| Patch Management | Ensure patches are applied according to the UTHSC Patch Management Standard. | ||||
| Physical Security | Ensure that physical security controls are in place to protect assets that store, transmit, or process UTHSC data. | ||||
| Security Categorization, Impact Assessment, and Ownership | Ensure that the asset has been classified and that the classification, Asset Owner, Asset Custodian, and impact ratings have been documented in the asset inventory. | ||||
| System Use Notification (Logon Banner) | Ensure that the asset has a login banner notifying them of acceptable use. | ||||
| Vulnerability Management | Ensure the asset is within the scope of UTHSC vulnerability scanning and remediate any identified vulnerabilities according to the UTHSC Vulnerability Management Standard. | ||||
| Access Control Reviews | Ensure that access rights and permissions are periodically reviewed by the Asset Owner and Custodian. | ||||
|
Backups * *Control is recommended at Level 2 and required at Level 3 |
Ensure that backups are in alignment with Recovery Point and Recovery Time Objectives and are conducted, maintained, and tested. |
||||
| Centralized Event Logging |
Ensure that the asset is configured to forward log data to ITS centralized logging. |
||||
| Configuration Change Control | Ensure that changes are implemented in a measured and secure manner. | ||||
| Environmental Protection |
Ensure that environmental controls are in place to protect UTHSC assets. |
||||
| Incident Detection and Response |
Ensure that controls are in place to detect/prevent security incidents and measures are in place to respond appropriately. This may include manual or automated processes to review failed logins or activity by admins or using security tools that perform automated log analytics or endpoint detection and response. This includes monitoring performance and capacity management for operational needs. |
||||
| Least Functionality | Ensure that the asset is configured to operate according to the principle of least functionality. This ensures that only the necessary components and features of the asset are enabled according to business needs. | ||||
| Least Privilege | Ensure that privileged accounts are identified and that access to both privileged and standard accounts and services are authorized in accordance with the principle of least privilege and are used only as necessary to perform necessary functions. | ||||
| Multi-factor Authentication | Ensure that multi-factor authentication is enabled for access to UTHSC data. | ||||
| Removable and Physical Media Protection | Ensure that all physical media or electronic media stored on removable devices is protected according to UTHSC standards. | ||||
|
Role Based Training |
Ensure that users with elevated permissions or access to highly sensitive/critical data or systems have training commensurate with their access and responsibilities. | ||||
|
Secure Software Development |
Ensure that secure software development practices were used to develop associated software and services. |
||||
|
System/Network Diagram * *Control is recommended at Level 2 and required at Level 3 |
Ensure that up-to-date system and network diagrams exist to illustrate the interconnectivity and communication paths between the assets that make up the system and all associated data flows. |
||||
| Threat Monitoring |
Ensure that threat intelligence is received from vendors and information-sharing sources to identify potential vulnerabilities or areas of risk. Additional Information or Explanation Links to Documents Documents under development
|
||||
| Transmission Integrity & Confidentiality | Ensure that asset communications across networks are appropriately secured and protected. | ||||
| Vendor Contracts |
Ensure that vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information have a written contract that includes the UTHSC Security Addendum requiring the same level of security protections mandated by UTHSC standards. |
||||
| Audit Review, Analysis, and Reporting | Ensure that the results of security audits or assessments and periodic security metrics/reports are provided to the appropriate stakeholders. | ||||
| Business Continuity Planning |
Ensure that the asset is included in the Business Impact Analysis and Business Continuity Plan and that appropriate Disaster Recovery Plans and Incident Response Plans for the Asset exist and have been appropriately tested. This should include an understanding of the asset and its role in the supply chain and critical infrastructure. |
||||
| Centralized Enterprise Authentication | Ensure that centralized enterprise authentication is leveraged to enforce authentication
and authorization controls. Examples of this include CAS, SAML, Active Directory,
LDAP, or other services that leverage a UT NetID. |
||||
| Continuous Monitoring |
Ensure that controls are in place to continually monitor the security state of the asset and respond to detected incidents. |
||||
| Insider Threat Monitoring | Ensure that controls and processes are in place to detect/prevent insider threats. This may include controls like separation of duties, data loss prevention tools, or enhanced system/user monitoring. | ||||
| Plan of Action and Milestones (POAM) | Ensure that all remedial actions to correct system deficiencies are documented and monitored and that any accepted risk is periodically reviewed. | ||||
| Regulatory/Statutory Requirements | Ensure that all applicable regulatory or statutory security requirements are in place. | ||||
| Secure Architecture Design | Ensure that assets are protected through the application of the principles of least privilege and function by utilizing network segmentation for only necessary network communications. | ||||
| System Interconnections |
Ensure that Interconnection Security Agreements are in place for all system interconnections and that annual reviews are conducted. |
||||
| System Security Plan/Assessments | Ensure that a System Security Plan exists for the assets that encompass the entirety of the system. This Plan outlines all elements of the system and includes diagrams, an assessment of the necessary security controls, and an assessment of any identified risks. | ||||
| Vendor Due Diligence Review |
Ensure that a due diligence assessment is conducted for vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information. |
| Name | Recurring? | What to Do |
Level 1 Low |
Level 2 Moderate |
Level 3 High |
| Asset Management and Lifecycle |
Ensure that the lifecycle of the asset is managed and maintained from procurement through disposal to protect the confidentiality, integrity, and availability of UTHSC data. Implementation of management and maintenance controls will be different depending on the type of deployment. UTHSC bears more responsibility for the management and maintenance of on-premises systems whereas Vendors or Service Providers may bear more responsibility for cloud applications and services. It is the responsibility of the System Owner and System Custodian to ensure that the shared security responsibility for management and maintenance of the asset between the vendor and UTHSC is clearly understood and to ensure that each party is acting accordingly. This may require reviewing the contract to understand the shared security responsibility, service level agreements, and other elements of asset management, maintenance, and security. |
||||
| Asset Removal, Transfer, and Disposal | Ensure that assets are removed, transferred, and disposed of in a manner that protects UTHSC data. This includes ensuring that your department understands ITS disposal requirements and the UTHSC surplus process to ensure assets are disposed of in a secure manner. If this is a cloud application or service, you may need to review the contract to ensure requirements are addressed in the contract for the disposition of UTHSC data. If your department has processes in place to ensure these requirements are followed, this would be considered "Well Defined or Fully Implemented." If your department is unaware of the processes or assets are not disposed of accordingly, please select the most appropriate answer. | ||||
|
Baseline Configurations ⁺ ⁺Control is recommended at Level 1 and required at Level 2 |
Ensure that industry-approved baseline configurations or best practices are used to configure the asset to protect the confidentiality, integrity, and availability of UTHSC assets (i.e. CIS Benchmarks, OWASP, vendor white papers, etc.). |
||||
| Boundary Protection |
Ensure that boundary protections (network firewall, host-based firewall) are in place to appropriately protect the asset. |
||||
| Enable system logging |
Ensure that the asset is capable of and configured to generate audit logs according to UTHSC Audit and Logging Standards. |
||||
| Identity Management and Access Controls | Ensure that appropriate identification and authentication controls are in place per UTHSC Access Control and Authentication Standards and Practices. | ||||
| Incident Reporting and Response | Ensure that users are aware of their responsibilities to report potential or actual security incidents and are aware of the processes for reporting. | ||||
| Inventory | Ensure that all UTHSC asset/system/data components are appropriately inventoried according to UTHSC Asset Management Standards. | ||||
| Patch Management | Ensure patches are applied according to the UTHSC Patch Management Standard. | ||||
| Physical Security | Ensure that physical security controls are in place to protect assets that store, transmit, or process UTHSC data. | ||||
| Security Categorization, Impact Assessment, and Ownership | Ensure that the asset has been classified and that the classification, Asset Owner, Asset Custodian, and impact ratings have been documented in the asset inventory. | ||||
| System Use Notification (Logon Banner) | Ensure that the asset has a login banner notifying them of acceptable use. | ||||
| Vulnerability Management | Ensure the asset is within the scope of UTHSC vulnerability scanning and remediate any identified vulnerabilities according to the UTHSC Vulnerability Management Standard. | ||||
| Access Control Reviews | Ensure that access rights and permissions are periodically reviewed by the Asset Owner and Custodian. | ||||
|
Backups * *Control is recommended at Level 2 and required at Level 3 |
Ensure that backups are in alignment with Recovery Point and Recovery Time Objectives and are conducted, maintained, and tested. |
||||
| Baseline Configurations | Ensure that industry-approved baseline configurations or best practices are used to configure the asset to protect the confidentiality, integrity, and availability of UTHSC assets (i.e. CIS Benchmarks, OWASP, vendor white papers, etc.). | ||||
| Centralized Event Logging |
Ensure that the asset is configured to forward log data to ITS centralized logging. |
||||
| Configuration Change Control | Ensure that changes are implemented in a measured and secure manner. | ||||
| Encryption at Rest |
Ensure that encryption is in place for the asset according to the UTHSC Encryption Standard. |
||||
| Environmental Protection |
Ensure that environmental controls are in place to protect UTHSC assets. |
||||
| Least Functionality | Ensure that the asset is configured to operate according to the principle of least functionality. This ensures that only the necessary components and features of the asset are enabled according to business needs. | ||||
| Least Privilege | Ensure that privileged accounts are identified and that access to both privileged and standard accounts and services are authorized in accordance with the principle of least privilege and are used only as necessary to perform necessary functions. | ||||
| Multi-factor Authentication | Ensure that multi-factor authentication is enabled for access to UTHSC data. | ||||
| Removable and Physical Media Protection | Ensure that all physical media or electronic media stored on removable devices is protected according to UTHSC standards. | ||||
|
Secure Software Development |
Ensure that secure software development practices were used to develop associated software and services. |
||||
|
System/Network Diagram * *Control is recommended at Level 2 and required at Level 3 |
Ensure that up-to-date system and network diagrams exist to illustrate the interconnectivity and communication paths between the assets that make up the system and all associated data flows. |
||||
| Threat Monitoring |
Ensure that threat intelligence is received from vendors and information-sharing sources to identify potential vulnerabilities or areas of risk. Additional Information or Explanation Links to Documents Documents under development
|
||||
| Transmission Integrity & Confidentiality | Ensure that asset communications across networks are appropriately secured and protected. | ||||
| Vendor Contracts |
Ensure that vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information have a written contract that includes the UTHSC Security Addendum requiring the same level of security protections mandated by UTHSC standards. |
||||
| Audit Review, Analysis, and Reporting | Ensure that the results of security audits or assessments and periodic security metrics/reports are provided to the appropriate stakeholders. | ||||
| Business Continuity Planning |
Ensure that the asset is included in the Business Impact Analysis and Business Continuity Plan and that appropriate Disaster Recovery Plans and Incident Response Plans for the Asset exist and have been appropriately tested. This should include an understanding of the asset and its role in the supply chain and critical infrastructure. |
||||
| Continuous Monitoring |
Ensure that controls are in place to continually monitor the security state of the asset and respond to detected incidents. |
||||
| Plan of Action and Milestones (POAM) | Ensure that all remedial actions to correct system deficiencies are documented and monitored and that any accepted risk is periodically reviewed. | ||||
| Regulatory/Statutory Requirements | Ensure that all applicable regulatory or statutory security requirements are in place. | ||||
| Secure Architecture Design | Ensure that assets are protected through the application of the principles of least privilege and function by utilizing network segmentation for only necessary network communications. | ||||
| System Interconnections |
Ensure that Interconnection Security Agreements are in place for all system interconnections and that annual reviews are conducted. |
||||
| System Security Plan/Assessments | Ensure that a System Security Plan exists for the assets that encompass the entirety of the system. This Plan outlines all elements of the system, diagrams, an assessment of the necessary security controls, and an assessment of any identified risks. | ||||
| Vendor Due Diligence Review |
Ensure that a due diligence assessment is conducted for vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information. |
| Name | Recurring? | What to Do |
Level 1 Low |
Level 2 Moderate |
Level 3 High |
| Asset Management and Lifecycle |
Ensure that the lifecycle of the asset is managed and maintained from procurement through disposal to protect the confidentiality, integrity, and availability of UTHSC data. Implementation of management and maintenance controls will be different depending on the type of deployment. UTHSC bears more responsibility for the management and maintenance of on-premises systems whereas Vendors or Service Providers may bear more responsibility for cloud applications and services. It is the responsibility of the System Owner and System Custodian to ensure that the shared security responsibility for management and maintenance of the asset between the vendor and UTHSC is clearly understood and to ensure that each party is acting accordingly. This may require reviewing the contract to understand the shared security responsibility, service level agreements, and other elements of asset management, maintenance, and security. |
||||
| Asset Removal, Transfer, and Disposal | Ensure that assets are removed, transferred, and disposed of in a manner that protects UTHSC data. This includes ensuring that your department understands ITS disposal requirements and the UTHSC surplus process to ensure assets are disposed of in a secure manner. If this is a cloud application or service, you may need to review the contract to ensure requirements are addressed in the contract for the disposition of UTHSC data. If your department has processes in place to ensure these requirements are followed, this would be considered "Well Defined or Fully Implemented." If your department is unaware of the processes or assets are not disposed of accordingly, please select the most appropriate answer. | ||||
| Boundary Protection |
Ensure that boundary protections (network firewall, host-based firewall) are in place to appropriately protect the asset. |
||||
| Enable system logging |
Ensure that the asset is capable of and configured to generate audit logs according to UTHSC Audit and Logging Standards. |
||||
| Encryption at Rest | Ensure that encryption is in place for the asset according to the UTHSC Encryption Standard. | ||||
| Identity Management and Access Controls | Ensure that appropriate identification and authentication controls are in place per UTHSC Access Control and Authentication Standards and Practices. | ||||
| Incident Reporting and Response | Ensure that users are aware of their responsibilities to report potential or actual security incidents and are aware of the processes for reporting. | ||||
| Inventory | Ensure that all UTHSC asset/system/data components are appropriately inventoried according to UTHSC Asset Management Standards. | ||||
| Malware Protection | Ensure that all endpoints or systems accessing UTHSC resources have up-to-date Anti-malware software installed and running according to UTHSC Antivirus/Anti-malware Standards. | ||||
| Multi-factor Authentication for anything with External Access | Ensure that multi-factor authentication is enabled for all externally facing systems. | ||||
| Patch Management | Ensure patches are applied according to the UTHSC Patch Management Standard. | ||||
| Physical Security | Ensure that physical security controls are in place to protect assets that store, transmit, or process UTHSC data. | ||||
| Security Awareness Training | Ensure that users have received new user and annual security awareness training. | ||||
| Security Categorization, Impact Assessment, and Ownership | Ensure that the asset has been classified and that the classification, Asset Owner, Asset Custodian, and impact ratings have been documented in the asset inventory. | ||||
| System Use Notification (Logon Banner) | Ensure that the asset has a login banner notifying them of acceptable use. | ||||
| Vulnerability Management | Ensure the asset is within the scope of UTHSC vulnerability scanning and remediate any identified vulnerabilities according to the UTHSC Vulnerability Management Standard. | ||||
| Access Control Reviews | Ensure that access rights and permissions are periodically reviewed by the Asset Owner and Custodian. | ||||
|
Backups * *Control is recommended at Level 2 and required at Level 3 |
Ensure that backups are in alignment with Recovery Point and Recovery Time Objectives and are conducted, maintained, and tested. |
||||
| Baseline Configurations | Ensure that industry-approved baseline configurations or best practices are used to configure the asset to protect the confidentiality, integrity, and availability of UTHSC assets (i.e. CIS Benchmarks, OWASP, vendor white papers, etc.). | ||||
| Centralized Event Logging |
Ensure that the asset is configured to forward log data to ITS centralized logging. |
||||
| Configuration Change Control | Ensure that changes are implemented in a measured and secure manner. | ||||
| Environmental Protection |
Ensure that environmental controls are in place to protect UTHSC assets. |
||||
| Incident Detection and Response |
Ensure that controls are in place to detect/prevent security incidents and measures are in place to respond appropriately. This may include manual or automated processes to review failed logins or activity by admins or using security tools that perform automated log analytics or endpoint detection and response. This includes monitoring performance and capacity management for operational needs. |
||||
| Least Functionality | Ensure that the asset is configured to operate according to the principle of least functionality. This ensures that only the necessary components and features of the asset are enabled according to business needs. | ||||
| Least Privilege | Ensure that privileged accounts are identified and that access to both privileged and standard accounts and services are authorized in accordance with the principle of least privilege and are used only as necessary to perform necessary functions. | ||||
| Multi-factor Authentication | Ensure that multi-factor authentication is enabled for access to UTHSC data. | ||||
| Removable and Physical Media Protection | Ensure that all physical media or electronic media stored on removable devices is protected according to UTHSC standards. | ||||
| Role Based Training | Ensure that users with elevated permissions or access to highly sensitive/critical data or systems have training commensurate with their access and responsibilities. | ||||
| Secure Software Development |
Ensure that secure software development practices were used to develop associated software and services. |
||||
|
System Diagram * *Control is recommended at Level 2 and required at Level 3 |
Ensure that up-to-date system and network diagrams exist to illustrate the interconnectivity and communication paths between the assets that make up the system and all associated data flows. |
||||
| Threat Monitoring |
Ensure that threat intelligence is received from vendors and information-sharing sources to identify potential vulnerabilities or areas of risk. Additional Information or Explanation Links to Documents Documents under development
|
||||
| Transmission Integrity & Confidentiality | Ensure that asset communications across networks are appropriately secured and protected. | ||||
| Vendor Contracts |
Ensure that vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information have a written contract that includes the UTHSC Security Addendum requiring the same level of security protections mandated by UTHSC standards. |
||||
| Audit Review, Analysis, and Reporting | Ensure that the results of security audits or assessments and periodic security metrics/reports are provided to the appropriate stakeholders. | ||||
| Business Continuity Planning |
Ensure that the asset is included in the Business Impact Analysis and Business Continuity Plan and that appropriate Disaster Recovery Plans and Incident Response Plans for the Asset exist and have been appropriately tested. This should include an understanding of the asset and its role in the supply chain and critical infrastructure. |
||||
| Centralized Enterprise Authentication | Ensure that centralized enterprise authentication is leveraged to enforce authentication
and authorization controls. Examples of this include CAS, SAML, Active Directory,
LDAP, or other services that leverage a UT NetID. |
||||
| Continuous Monitoring |
Ensure that controls are in place to continually monitor the security state of the asset and respond to detected incidents. |
||||
| Insider Threat Monitoring | Ensure that controls and processes are in place to detect/prevent insider threats. This may include controls like separation of duties, data loss prevention tools, or enhanced system/user monitoring. | ||||
| Penetration Testing | Ensure that controls and processes are in place to detect/prevent insider threats. This may include controls like separation of duties, data loss prevention tools, or enhanced system/user monitoring. | ||||
| Plan of Action and Milestones (POAM) | Ensure that all remedial actions to correct system deficiencies are documented and monitored and that any accepted risk is periodically reviewed. | ||||
| Regulatory/Statutory Requirements | Ensure that all applicable regulatory or statutory security requirements are in place. | ||||
| Secure Architecture Design | Ensure that assets are protected through the application of the principles of least privilege and function by utilizing network segmentation for only necessary network communications. | ||||
| System Interconnections |
Ensure that Interconnection Security Agreements are in place for all system interconnections and that annual reviews are conducted. |
||||
| System Security Plan/Assessments | Ensure that a System Security Plan exists for the assets that encompass the entirety of the system. This Plan outlines all elements of the system, diagrams, an assessment of the necessary security controls, and an assessment of any identified risks. | ||||
| Vendor Due Diligence Review |
Ensure that a due diligence assessment is conducted for vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information. |
| Name | Recurring? | What to Do |
Level 1 Low |
Level 2 Moderate |
Level 3 High |
| Asset Management and Lifecycle |
Ensure that the lifecycle of the asset is managed and maintained from procurement through disposal to protect the confidentiality, integrity, and availability of UTHSC data. Implementation of management and maintenance controls will be different depending on the type of deployment. UTHSC bears more responsibility for the management and maintenance of on-premises systems whereas Vendors or Service Providers may bear more responsibility for cloud applications and services. It is the responsibility of the System Owner and System Custodian to ensure that the shared security responsibility for management and maintenance of the asset between the vendor and UTHSC is clearly understood and to ensure that each party is acting accordingly. This may require reviewing the contract to understand the shared security responsibility, service level agreements, and other elements of asset management, maintenance, and security. |
||||
| Asset Removal, Transfer, and Disposal | Ensure that assets are removed, transferred, and disposed of in a manner that protects UTHSC data. This includes ensuring that your department understands ITS disposal requirements and the UTHSC surplus process to ensure assets are disposed of in a secure manner. If this is a cloud application or service, you may need to review the contract to ensure requirements are addressed in the contract for the disposition of UTHSC data. If your department has processes in place to ensure these requirements are followed, this would be considered "Well Defined or Fully Implemented." If your department is unaware of the processes or assets are not disposed of accordingly, please select the most appropriate answer. | ||||
| Identity Management and Access Controls | Ensure that appropriate identification and authentication controls are in place per UTHSC Access Control and Authentication Standards and Practices. | ||||
| Incident Reporting and Response | Ensure that users are aware of their responsibilities to report potential or actual security incidents and are aware of the processes for reporting. | ||||
| Inventory | Ensure that all UTHSC asset/system/data components are appropriately inventoried according to UTHSC Asset Management Standards. | ||||
| Physical Security | Ensure that physical security controls are in place to protect assets that store, transmit, or process UTHSC data. | ||||
| Security Categorization, Impact Assessment, and Ownership | Ensure that the asset has been classified and that the classification, Asset Owner, Asset Custodian, and impact ratings have been documented in the asset inventory. | ||||
| Environmental Protection |
Ensure that environmental controls are in place to protect UTHSC assets. |
||||
| Removable and Physical Media Protection | Ensure that all physical media or electronic media stored on removable devices is protected according to UTHSC standards. | ||||
| Business Continuity Planning |
Ensure that the asset is included in the Business Impact Analysis and Business Continuity Plan and that appropriate Disaster Recovery Plans and Incident Response Plans for the Asset exist and have been appropriately tested. This should include an understanding of the asset and its role in the supply chain and critical infrastructure. |
||||
| Insider Threat Monitoring | Ensure that controls and processes are in place to detect/prevent insider threats. This may include controls like separation of duties, data loss prevention tools, or enhanced system/user monitoring. | ||||
| Regulatory/Statutory Requirements | Ensure that all applicable regulatory or statutory security requirements are in place. | ||||
| Transmission Confidentiality - Fax Protections | Ensure that faxes with sensitive information are sent in a manner that protects UTHSC data. |