Skip to content

Other ways to search: Events Calendar | UTHSC News

Information Security Requirements

UTHSC is committed to protecting the privacy of its students, alumni, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of information important to the University's mission.

These standards are intended to reflect the minimum level of care necessary for UTHSC's sensitive data. They do not relieve UTHSC or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation or contract.

UTHSC expects all partners, consultants, and vendors to abide by UTHSC's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by UTHSC's information security policies.

UTHSC's GP-002-Data and System Classification guides users in determining the security level needed for their data. If further assistance is needed, a classification assessment can be launched to the user. Create a TechConnect ticket to request this assessment. 

Select the device type on the left to display the security controls needed
Name Recurring? What to Do

Level 1

Low

Level 2

Moderate

Level 3

High

Asset Management and Lifecycle  

Ensure that the lifecycle of the asset is managed and maintained from procurement through disposal to protect the confidentiality, integrity, and availability of UTHSC data.

Implementation of management and maintenance controls will be different depending on the type of deployment. UTHSC bears more responsibility for the management and maintenance of on-premises systems whereas Vendors or Service Providers may bear more responsibility for cloud applications and services. It is the responsibility of the System Owner and System Custodian to ensure that the shared security responsibility for management and maintenance of the asset between the vendor and UTHSC is clearly understood and to ensure that each party is acting accordingly. This may require reviewing the contract to understand the shared security responsibility, service level agreements, and other elements of asset management, maintenance, and security. 

Additional Information or Explanation

Asset Removal, Transfer, and Disposal   Ensure that assets are removed, transferred, and disposed of in a manner that protects UTHSC data. This includes ensuring that your department understands ITS disposal requirements and the UTHSC surplus process to ensure assets are disposed of in a secure manner. If this is a cloud application or service, you may need to review the contract to ensure requirements are addressed in the contract for the disposition of UTHSC data. If your department has processes in place to ensure these requirements are followed, this would be considered "Well Defined or Fully Implemented." If your department is unaware of the processes or assets are not disposed of accordingly, please select the most appropriate answer.

Baseline Configurations ⁺

⁺Control is required for UTHSC-managed Windows and iOS endpoints and recommended for Linux or other unmanaged endpoints at Level 1 and required for all endpoints at Level 2.

 

Ensure that industry-approved baseline configurations or best practices are used to configure the asset to protect the confidentiality, integrity, and availability of UTHSC assets (i.e. CIS Benchmarks, OWASP, vendor white papers, etc.).

Additional Information or Explanation

Boundary Protection  

Ensure that boundary protections (network firewall, host-based firewall) are in place to appropriately protect the asset.

Additional Information or Explanation

Enable system logging  

Ensure that the asset is capable of and configured to generate audit logs according to UTHSC Audit and Logging Standards.

Additional Information or Explanation

Encryption at Rest   Ensure that encryption is in place for the asset according to the UTHSC Encryption Standard.
Identity Management and Access Controls   Ensure that appropriate identification and authentication controls are in place per UTHSC Access Control and Authentication Standards and Practices.
Incident Reporting and Response
Ensure that users are aware of their responsibilities to report potential or actual security incidents and are aware of the processes for reporting.
Inventory   Ensure that all UTHSC asset/system/data components are appropriately inventoried according to UTHSC Asset Management Standards.
Malware Protection   Ensure that all endpoints or systems accessing UTHSC resources have up-to-date Anti-malware software installed and running according to UTHSC Antivirus/Anti-malware Standards.
Patch Management
Ensure patches are applied according to the UTHSC Patch Management Standard.
Physical Security    Ensure that physical security controls are in place to protect assets that store, transmit, or process UTHSC data.
Security Categorization, Impact Assessment, and Ownership   Ensure that the asset has been classified and that the classification, Asset Owner, Asset Custodian, and impact ratings have been documented in the asset inventory.
System Use Notification (Logon Banner)   Ensure that the asset has a login banner notifying them of acceptable use.
Vulnerability Management
Ensure the asset is within the scope of UTHSC vulnerability scanning and remediate any identified vulnerabilities according to the UTHSC Vulnerability Management Standard.
Access Control Reviews
Ensure that access rights and permissions are periodically reviewed by the Asset Owner and Custodian.  

Backups *

*Control is recommended at Level 2 and required at Level 3

Ensure that backups are in alignment with Recovery Point and Recovery Time Objectives and are conducted, maintained, and tested.

Additional Information or Explanation

 
Configuration Change Control 
Ensure that changes are implemented in a measured and secure manner.  
Environmental Protection  

Ensure that environmental controls are in place to protect UTHSC assets.

Additional Information or Explanation

 
Incident Detection and Response  

Ensure that controls are in place to detect/prevent security incidents and measures are in place to respond appropriately. This may include manual or automated processes to review failed logins or activity by admins or using security tools that perform automated log analytics or endpoint detection and response. This includes monitoring performance and capacity management for operational needs.

Additional Information or Explanation

 
Least Functionality   Ensure that the asset is configured to operate according to the principle of least functionality. This ensures that only the necessary components and features of the asset are enabled according to business needs.  
Least Privilege   Ensure that privileged accounts are identified and that access to both privileged and standard accounts and services are authorized in accordance with the principle of least privilege and are used only as necessary to perform necessary functions.  
Removable and Physical Media Protection   Ensure that all physical media or electronic media stored on removable devices is protected according to UTHSC standards.  
Threat Monitoring

Ensure that threat intelligence is received from vendors and information-sharing sources to identify potential vulnerabilities or areas of risk.

Additional Information or Explanation

Links to Documents
Documents under development
 
Transmission Integrity & Confidentiality   Ensure that asset communications across networks are appropriately secured and protected.  
Business Continuity Planning

Ensure that the asset is included in the Business Impact Analysis and Business Continuity Plan and that appropriate Disaster Recovery Plans and Incident Response Plans for the Asset exist and have been appropriately tested. This should include an understanding of the asset and its role in the supply chain and critical infrastructure.

Additional Information or Explanation

   
Regulatory/Statutory Requirements
Ensure that all applicable regulatory or statutory security requirements are in place.    
Name Recurring? What to Do

Level 1

Low

Level 2

Moderate

Level 3

High

Asset Management and Lifecycle

Ensure that the lifecycle of the asset is managed and maintained from procurement through disposal to protect the confidentiality, integrity, and availability of UTHSC data.

Implementation of management and maintenance controls will be different depending on the type of deployment. UTHSC bears more responsibility for the management and maintenance of on-premises systems whereas Vendors or Service Providers may bear more responsibility for cloud applications and services. It is the responsibility of the System Owner and System Custodian to ensure that the shared security responsibility for management and maintenance of the asset between the vendor and UTHSC is clearly understood and to ensure that each party is acting accordingly. This may require reviewing the contract to understand the shared security responsibility, service level agreements, and other elements of asset management, maintenance, and security. 

Additional Information or Explanation

Asset Removal, Transfer, and Disposal   Ensure that assets are removed, transferred, and disposed of in a manner that protects UTHSC data. This includes ensuring that your department understands ITS disposal requirements and the UTHSC surplus process to ensure assets are disposed of in a secure manner. If this is a cloud application or service, you may need to review the contract to ensure requirements are addressed in the contract for the disposition of UTHSC data. If your department has processes in place to ensure these requirements are followed, this would be considered "Well Defined or Fully Implemented." If your department is unaware of the processes or assets are not disposed of accordingly, please select the most appropriate answer.

Baseline Configurations ⁺

⁺Control is required for UTHSC-managed Windows and Linux servers and recommended for unmanaged servers at Level 1 and required for all servers at Level 2.

 

Ensure that industry-approved baseline configurations or best practices are used to configure the asset to protect the confidentiality, integrity, and availability of UTHSC assets (i.e. CIS Benchmarks, OWASP, vendor white papers, etc.).

Additional Information or Explanation

Boundary Protection  

Ensure that boundary protections (network firewall, host-based firewall, etc.) are in place to appropriately protect the asset.

Additional Information or Explanation

Enable system logging  

Ensure that the asset is capable of and configured to generate audit logs according to UTHSC Audit and Logging Standards.

Additional Information or Explanation

Encryption at Rest   Ensure that encryption is in place for the asset according to the UTHSC Encryption Standard.
Identity Management and Access Controls   Ensure that appropriate identification and authentication controls are in place per UTHSC Access Control and Authentication Standards and Practices.
Incident Reporting and Response
Ensure that users are aware of their responsibilities to report potential or actual security incidents and are aware of the processes for reporting.
Inventory   Ensure that all UTHSC asset/system/data components are appropriately inventoried according to UTHSC Asset Management Standards.
Malware Protection   Ensure that all endpoints or systems accessing UTHSC resources have up-to-date Anti-malware software installed and running according to UTHSC Antivirus/Anti-malware Standards.
Multi-factor Authentication for anything with External Access   Ensure that multi-factor authentication is enabled for all externally facing systems.
Patch Management
Ensure patches are applied according to the UTHSC Patch Management Standard.
Physical Security    Ensure that physical security controls are in place to protect assets that store, transmit, or process UTHSC data.
Security Categorization, Impact Assessment, and Ownership   Ensure that the asset has been classified and that the classification, Asset Owner, Asset Custodian, and impact ratings have been documented in the asset inventory.
System Use Notification (Logon Banner)   Ensure that the asset has a login banner notifying them of acceptable use.
Vulnerability Management
Ensure the asset is within the scope of UTHSC vulnerability scanning and remediate any identified vulnerabilities according to the UTHSC Vulnerability Management Standard.
Access Control Reviews
Ensure that access rights and permissions are periodically reviewed by the Asset Owner and Custodian.  

Backups *

*Control is recommended at Level 2 and required at Level 3

Ensure that backups are in alignment with Recovery Point and Recovery Time Objectives and are conducted, maintained, and tested.

Additional Information or Explanation

 
Centralized Event Logging  

Ensure that the asset is configured to forward log data to ITS centralized logging.

Additional Information or Explanation

 
Configuration Change Control 
Ensure that changes are implemented in a measured and secure manner.  
Environmental Protection  

Ensure that environmental controls are in place to protect UTHSC assets.

Additional Information or Explanation

 
Incident Detection and Response  

Ensure that controls are in place to detect/prevent security incidents and measures are in place to respond appropriately. This may include manual or automated processes to review failed logins or activity by admins or using security tools that perform automated log analytics or endpoint detection and response. This includes monitoring performance and capacity management for operational needs.

Additional Information or Explanation

 
Least Functionality   Ensure that the asset is configured to operate according to the principle of least functionality. This ensures that only the necessary components and features of the asset are enabled according to business needs.  
Least Privilege   Ensure that privileged accounts are identified and that access to both privileged and standard accounts and services are authorized in accordance with the principle of least privilege and are used only as necessary to perform necessary functions.  
Multi-factor Authentication   Ensure that multi-factor authentication is enabled for access to UTHSC data.  
Removable and Physical Media Protection   Ensure that all physical media or electronic media stored on removable devices is protected according to UTHSC standards.  

Role Based Training

Ensure that users with elevated permissions or access to highly sensitive/critical data or systems have training commensurate with their access and responsibilities.  

Secure Software Development

 

Ensure that secure software development practices were used to develop associated software and services.

Additional Information or Explanation

 

System/Network Diagram *

*Control is recommended at Level 2 and required at Level 3

Ensure that up-to-date system and network diagrams exist to illustrate the interconnectivity and communication paths between the assets that make up the system and all associated data flows.

Additional Information or Explanation

 
Threat Monitoring

Ensure that threat intelligence is received from vendors and information-sharing sources to identify potential vulnerabilities or areas of risk.

Additional Information or Explanation

Links to Documents
Documents under development
 
Transmission Integrity & Confidentiality   Ensure that asset communications across networks are appropriately secured and protected.  
Vendor Contracts

Ensure that vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information have a written contract that includes the UTHSC Security Addendum requiring the same level of security protections mandated by UTHSC standards.

Additional Information or Explanation

 
Audit Review, Analysis, and Reporting
Ensure that the results of security audits or assessments and periodic security metrics/reports are provided to the appropriate stakeholders.    
Business Continuity Planning

Ensure that the asset is included in the Business Impact Analysis and Business Continuity Plan and that appropriate Disaster Recovery Plans and Incident Response Plans for the Asset exist and have been appropriately tested. This should include an understanding of the asset and its role in the supply chain and critical infrastructure.

Additional Information or Explanation

   
Centralized Enterprise Authentication   Ensure that centralized enterprise authentication is leveraged to enforce authentication and authorization controls. Examples of this include CAS, SAML, Active Directory, LDAP, or other services that leverage a UT NetID.
   
Continuous Monitoring

Ensure that controls are in place to continually monitor the security state of the asset and respond to detected incidents.

Additional Information or Explanation

   
Insider Threat Monitoring
Ensure that controls and processes are in place to detect/prevent insider threats. This may include controls like separation of duties, data loss prevention tools, or enhanced system/user monitoring.    
Plan of Action and Milestones (POAM)
Ensure that all remedial actions to correct system deficiencies are documented and monitored and that any accepted risk is periodically reviewed.    
Regulatory/Statutory Requirements
Ensure that all applicable regulatory or statutory security requirements are in place.    
Secure Architecture Design   Ensure that assets are protected through the application of the principles of least privilege and function by utilizing network segmentation for only necessary network communications.    
System Interconnections

Ensure that Interconnection Security Agreements are in place for all system interconnections and that annual reviews are conducted.

Additional Information or Explanation

   
System Security Plan/Assessments
Ensure that a System Security Plan exists for the assets that encompass the entirety of the system. This Plan outlines all elements of the system and includes diagrams, an assessment of the necessary security controls, and an assessment of any identified risks.    
Vendor Due Diligence Review

Ensure that a due diligence assessment is conducted for vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information.

Additional Information or Explanation

   
Name Recurring? What to Do

Level 1

Low

Level 2

Moderate

Level 3

High

Asset Management and Lifecycle  

Ensure that the lifecycle of the asset is managed and maintained from procurement through disposal to protect the confidentiality, integrity, and availability of UTHSC data.

Implementation of management and maintenance controls will be different depending on the type of deployment. UTHSC bears more responsibility for the management and maintenance of on-premises systems whereas Vendors or Service Providers may bear more responsibility for cloud applications and services. It is the responsibility of the System Owner and System Custodian to ensure that the shared security responsibility for management and maintenance of the asset between the vendor and UTHSC is clearly understood and to ensure that each party is acting accordingly. This may require reviewing the contract to understand the shared security responsibility, service level agreements, and other elements of asset management, maintenance, and security. 

Additional Information or Explanation

Asset Removal, Transfer, and Disposal   Ensure that assets are removed, transferred, and disposed of in a manner that protects UTHSC data. This includes ensuring that your department understands ITS disposal requirements and the UTHSC surplus process to ensure assets are disposed of in a secure manner. If this is a cloud application or service, you may need to review the contract to ensure requirements are addressed in the contract for the disposition of UTHSC data. If your department has processes in place to ensure these requirements are followed, this would be considered "Well Defined or Fully Implemented." If your department is unaware of the processes or assets are not disposed of accordingly, please select the most appropriate answer.

Baseline Configurations ⁺

⁺Control is recommended at Level 1 and required at Level 2

 

Ensure that industry-approved baseline configurations or best practices are used to configure the asset to protect the confidentiality, integrity, and availability of UTHSC assets (i.e. CIS Benchmarks, OWASP, vendor white papers, etc.).

Additional Information or Explanation

Boundary Protection  

Ensure that boundary protections (network firewall, host-based firewall) are in place to appropriately protect the asset.

Additional Information or Explanation

Enable system logging  

Ensure that the asset is capable of and configured to generate audit logs according to UTHSC Audit and Logging Standards.

Additional Information or Explanation

Identity Management and Access Controls   Ensure that appropriate identification and authentication controls are in place per UTHSC Access Control and Authentication Standards and Practices.
Incident Reporting and Response
Ensure that users are aware of their responsibilities to report potential or actual security incidents and are aware of the processes for reporting.
Inventory   Ensure that all UTHSC asset/system/data components are appropriately inventoried according to UTHSC Asset Management Standards.
Patch Management
Ensure patches are applied according to the UTHSC Patch Management Standard.
Physical Security    Ensure that physical security controls are in place to protect assets that store, transmit, or process UTHSC data.
Security Categorization, Impact Assessment, and Ownership   Ensure that the asset has been classified and that the classification, Asset Owner, Asset Custodian, and impact ratings have been documented in the asset inventory.
System Use Notification (Logon Banner)   Ensure that the asset has a login banner notifying them of acceptable use.
Vulnerability Management
Ensure the asset is within the scope of UTHSC vulnerability scanning and remediate any identified vulnerabilities according to the UTHSC Vulnerability Management Standard.
Access Control Reviews
Ensure that access rights and permissions are periodically reviewed by the Asset Owner and Custodian.  

Backups *

*Control is recommended at Level 2 and required at Level 3

Ensure that backups are in alignment with Recovery Point and Recovery Time Objectives and are conducted, maintained, and tested.

Additional Information or Explanation

 
Baseline Configurations   Ensure that industry-approved baseline configurations or best practices are used to configure the asset to protect the confidentiality, integrity, and availability of UTHSC assets (i.e. CIS Benchmarks, OWASP, vendor white papers, etc.).  
Centralized Event Logging  

Ensure that the asset is configured to forward log data to ITS centralized logging.

Additional Information or Explanation

 
Configuration Change Control 
Ensure that changes are implemented in a measured and secure manner.  
Encryption at Rest  

Ensure that encryption is in place for the asset according to the UTHSC Encryption Standard.

 
Environmental Protection  

Ensure that environmental controls are in place to protect UTHSC assets.

Additional Information or Explanation

 
Least Functionality   Ensure that the asset is configured to operate according to the principle of least functionality. This ensures that only the necessary components and features of the asset are enabled according to business needs.  
Least Privilege   Ensure that privileged accounts are identified and that access to both privileged and standard accounts and services are authorized in accordance with the principle of least privilege and are used only as necessary to perform necessary functions.  
Multi-factor Authentication   Ensure that multi-factor authentication is enabled for access to UTHSC data.  
Removable and Physical Media Protection   Ensure that all physical media or electronic media stored on removable devices is protected according to UTHSC standards.  

Secure Software Development

 

Ensure that secure software development practices were used to develop associated software and services.

Additional Information or Explanation

 

System/Network Diagram *

*Control is recommended at Level 2 and required at Level 3

Ensure that up-to-date system and network diagrams exist to illustrate the interconnectivity and communication paths between the assets that make up the system and all associated data flows.

Additional Information or Explanation

 
Threat Monitoring

Ensure that threat intelligence is received from vendors and information-sharing sources to identify potential vulnerabilities or areas of risk.

Additional Information or Explanation

Links to Documents
Documents under development
 
Transmission Integrity & Confidentiality   Ensure that asset communications across networks are appropriately secured and protected.  
Vendor Contracts

Ensure that vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information have a written contract that includes the UTHSC Security Addendum requiring the same level of security protections mandated by UTHSC standards.

Additional Information or Explanation

 
Audit Review, Analysis, and Reporting
Ensure that the results of security audits or assessments and periodic security metrics/reports are provided to the appropriate stakeholders.    
Business Continuity Planning

Ensure that the asset is included in the Business Impact Analysis and Business Continuity Plan and that appropriate Disaster Recovery Plans and Incident Response Plans for the Asset exist and have been appropriately tested. This should include an understanding of the asset and its role in the supply chain and critical infrastructure.

Additional Information or Explanation

   
Continuous Monitoring

Ensure that controls are in place to continually monitor the security state of the asset and respond to detected incidents.

Additional Information or Explanation

   
Plan of Action and Milestones (POAM)
Ensure that all remedial actions to correct system deficiencies are documented and monitored and that any accepted risk is periodically reviewed.    
Regulatory/Statutory Requirements
Ensure that all applicable regulatory or statutory security requirements are in place.    
Secure Architecture Design   Ensure that assets are protected through the application of the principles of least privilege and function by utilizing network segmentation for only necessary network communications.    
System Interconnections

Ensure that Interconnection Security Agreements are in place for all system interconnections and that annual reviews are conducted.

Additional Information or Explanation

   
System Security Plan/Assessments
Ensure that a System Security Plan exists for the assets that encompass the entirety of the system. This Plan outlines all elements of the system, diagrams, an assessment of the necessary security controls, and an assessment of any identified risks.    
Vendor Due Diligence Review

Ensure that a due diligence assessment is conducted for vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information.

Additional Information or Explanation

   
Name Recurring? What to Do

Level 1

Low

Level 2

Moderate

Level 3

High

Asset Management and Lifecycle  

Ensure that the lifecycle of the asset is managed and maintained from procurement through disposal to protect the confidentiality, integrity, and availability of UTHSC data.

Implementation of management and maintenance controls will be different depending on the type of deployment. UTHSC bears more responsibility for the management and maintenance of on-premises systems whereas Vendors or Service Providers may bear more responsibility for cloud applications and services. It is the responsibility of the System Owner and System Custodian to ensure that the shared security responsibility for management and maintenance of the asset between the vendor and UTHSC is clearly understood and to ensure that each party is acting accordingly. This may require reviewing the contract to understand the shared security responsibility, service level agreements, and other elements of asset management, maintenance, and security. 

Additional Information or Explanation

Asset Removal, Transfer, and Disposal   Ensure that assets are removed, transferred, and disposed of in a manner that protects UTHSC data. This includes ensuring that your department understands ITS disposal requirements and the UTHSC surplus process to ensure assets are disposed of in a secure manner. If this is a cloud application or service, you may need to review the contract to ensure requirements are addressed in the contract for the disposition of UTHSC data. If your department has processes in place to ensure these requirements are followed, this would be considered "Well Defined or Fully Implemented." If your department is unaware of the processes or assets are not disposed of accordingly, please select the most appropriate answer.
Boundary Protection  

Ensure that boundary protections (network firewall, host-based firewall) are in place to appropriately protect the asset.

Additional Information or Explanation

Enable system logging  

Ensure that the asset is capable of and configured to generate audit logs according to UTHSC Audit and Logging Standards.

Additional Information or Explanation

Encryption at Rest   Ensure that encryption is in place for the asset according to the UTHSC Encryption Standard.
Identity Management and Access Controls   Ensure that appropriate identification and authentication controls are in place per UTHSC Access Control and Authentication Standards and Practices.
Incident Reporting and Response
Ensure that users are aware of their responsibilities to report potential or actual security incidents and are aware of the processes for reporting.
Inventory   Ensure that all UTHSC asset/system/data components are appropriately inventoried according to UTHSC Asset Management Standards.
Malware Protection   Ensure that all endpoints or systems accessing UTHSC resources have up-to-date Anti-malware software installed and running according to UTHSC Antivirus/Anti-malware Standards.
Multi-factor Authentication for anything with External Access   Ensure that multi-factor authentication is enabled for all externally facing systems.
Patch Management
Ensure patches are applied according to the UTHSC Patch Management Standard.
Physical Security    Ensure that physical security controls are in place to protect assets that store, transmit, or process UTHSC data.
Security Awareness Training
Ensure that users have received new user and annual security awareness training.
Security Categorization, Impact Assessment, and Ownership   Ensure that the asset has been classified and that the classification, Asset Owner, Asset Custodian, and impact ratings have been documented in the asset inventory.
System Use Notification (Logon Banner)   Ensure that the asset has a login banner notifying them of acceptable use.
Vulnerability Management
Ensure the asset is within the scope of UTHSC vulnerability scanning and remediate any identified vulnerabilities according to the UTHSC Vulnerability Management Standard.
Access Control Reviews
Ensure that access rights and permissions are periodically reviewed by the Asset Owner and Custodian.  

Backups *

*Control is recommended at Level 2 and required at Level 3

Ensure that backups are in alignment with Recovery Point and Recovery Time Objectives and are conducted, maintained, and tested.

Additional Information or Explanation

 
Baseline Configurations   Ensure that industry-approved baseline configurations or best practices are used to configure the asset to protect the confidentiality, integrity, and availability of UTHSC assets (i.e. CIS Benchmarks, OWASP, vendor white papers, etc.).  
Centralized Event Logging  

Ensure that the asset is configured to forward log data to ITS centralized logging.

Additional Information or Explanation

 
Configuration Change Control 
Ensure that changes are implemented in a measured and secure manner.  
Environmental Protection  

Ensure that environmental controls are in place to protect UTHSC assets.

Additional Information or Explanation

 
Incident Detection and Response  

Ensure that controls are in place to detect/prevent security incidents and measures are in place to respond appropriately. This may include manual or automated processes to review failed logins or activity by admins or using security tools that perform automated log analytics or endpoint detection and response. This includes monitoring performance and capacity management for operational needs.

Additional Information or Explanation

 
Least Functionality   Ensure that the asset is configured to operate according to the principle of least functionality. This ensures that only the necessary components and features of the asset are enabled according to business needs.  
Least Privilege   Ensure that privileged accounts are identified and that access to both privileged and standard accounts and services are authorized in accordance with the principle of least privilege and are used only as necessary to perform necessary functions.  
Multi-factor Authentication   Ensure that multi-factor authentication is enabled for access to UTHSC data.  
Removable and Physical Media Protection   Ensure that all physical media or electronic media stored on removable devices is protected according to UTHSC standards.  
Role Based Training
Ensure that users with elevated permissions or access to highly sensitive/critical data or systems have training commensurate with their access and responsibilities.  
Secure Software Development  

Ensure that secure software development practices were used to develop associated software and services.

Additional Information or Explanation

 

System Diagram *

*Control is recommended at Level 2 and required at Level 3

Ensure that up-to-date system and network diagrams exist to illustrate the interconnectivity and communication paths between the assets that make up the system and all associated data flows.

Additional Information or Explanation

 
Threat Monitoring

Ensure that threat intelligence is received from vendors and information-sharing sources to identify potential vulnerabilities or areas of risk.

Additional Information or Explanation

Links to Documents
Documents under development
 
Transmission Integrity & Confidentiality   Ensure that asset communications across networks are appropriately secured and protected.  
Vendor Contracts

Ensure that vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information have a written contract that includes the UTHSC Security Addendum requiring the same level of security protections mandated by UTHSC standards.

Additional Information or Explanation

 
Audit Review, Analysis, and Reporting
Ensure that the results of security audits or assessments and periodic security metrics/reports are provided to the appropriate stakeholders.    
Business Continuity Planning

Ensure that the asset is included in the Business Impact Analysis and Business Continuity Plan and that appropriate Disaster Recovery Plans and Incident Response Plans for the Asset exist and have been appropriately tested. This should include an understanding of the asset and its role in the supply chain and critical infrastructure.

Additional Information or Explanation

   
Centralized Enterprise Authentication    Ensure that centralized enterprise authentication is leveraged to enforce authentication and authorization controls. Examples of this include CAS, SAML, Active Directory, LDAP, or other services that leverage a UT NetID.
   
Continuous Monitoring

Ensure that controls are in place to continually monitor the security state of the asset and respond to detected incidents.

Additional Information or Explanation

   
Insider Threat Monitoring
Ensure that controls and processes are in place to detect/prevent insider threats. This may include controls like separation of duties, data loss prevention tools, or enhanced system/user monitoring.    
Penetration Testing
Ensure that controls and processes are in place to detect/prevent insider threats. This may include controls like separation of duties, data loss prevention tools, or enhanced system/user monitoring.    
Plan of Action and Milestones (POAM)
Ensure that all remedial actions to correct system deficiencies are documented and monitored and that any accepted risk is periodically reviewed.    
Regulatory/Statutory Requirements
Ensure that all applicable regulatory or statutory security requirements are in place.    
Secure Architecture Design   Ensure that assets are protected through the application of the principles of least privilege and function by utilizing network segmentation for only necessary network communications.    
System Interconnections

Ensure that Interconnection Security Agreements are in place for all system interconnections and that annual reviews are conducted.

Additional Information or Explanation

   
System Security Plan/Assessments
Ensure that a System Security Plan exists for the assets that encompass the entirety of the system. This Plan outlines all elements of the system, diagrams, an assessment of the necessary security controls, and an assessment of any identified risks.    
Vendor Due Diligence Review

Ensure that a due diligence assessment is conducted for vendors or 3rd party service providers who collect, process, host, or store UTHSC information or have access to UTHSC information.

Additional Information or Explanation

   
Name Recurring? What to Do

Level 1

Low

Level 2

Moderate

Level 3

High

Asset Management and Lifecycle  

Ensure that the lifecycle of the asset is managed and maintained from procurement through disposal to protect the confidentiality, integrity, and availability of UTHSC data.

Implementation of management and maintenance controls will be different depending on the type of deployment. UTHSC bears more responsibility for the management and maintenance of on-premises systems whereas Vendors or Service Providers may bear more responsibility for cloud applications and services. It is the responsibility of the System Owner and System Custodian to ensure that the shared security responsibility for management and maintenance of the asset between the vendor and UTHSC is clearly understood and to ensure that each party is acting accordingly. This may require reviewing the contract to understand the shared security responsibility, service level agreements, and other elements of asset management, maintenance, and security. 

Additional Information or Explanation

Asset Removal, Transfer, and Disposal   Ensure that assets are removed, transferred, and disposed of in a manner that protects UTHSC data. This includes ensuring that your department understands ITS disposal requirements and the UTHSC surplus process to ensure assets are disposed of in a secure manner. If this is a cloud application or service, you may need to review the contract to ensure requirements are addressed in the contract for the disposition of UTHSC data. If your department has processes in place to ensure these requirements are followed, this would be considered "Well Defined or Fully Implemented." If your department is unaware of the processes or assets are not disposed of accordingly, please select the most appropriate answer.
Identity Management and Access Controls   Ensure that appropriate identification and authentication controls are in place per UTHSC Access Control and Authentication Standards and Practices.
Incident Reporting and Response
Ensure that users are aware of their responsibilities to report potential or actual security incidents and are aware of the processes for reporting.
Inventory   Ensure that all UTHSC asset/system/data components are appropriately inventoried according to UTHSC Asset Management Standards.
Physical Security    Ensure that physical security controls are in place to protect assets that store, transmit, or process UTHSC data.
Security Categorization, Impact Assessment, and Ownership   Ensure that the asset has been classified and that the classification, Asset Owner, Asset Custodian, and impact ratings have been documented in the asset inventory.
Environmental Protection  

Ensure that environmental controls are in place to protect UTHSC assets.

Additional Information or Explanation

 
Removable and Physical Media Protection   Ensure that all physical media or electronic media stored on removable devices is protected according to UTHSC standards.  
Business Continuity Planning

Ensure that the asset is included in the Business Impact Analysis and Business Continuity Plan and that appropriate Disaster Recovery Plans and Incident Response Plans for the Asset exist and have been appropriately tested. This should include an understanding of the asset and its role in the supply chain and critical infrastructure.

Additional Information or Explanation

   
Insider Threat Monitoring
Ensure that controls and processes are in place to detect/prevent insider threats. This may include controls like separation of duties, data loss prevention tools, or enhanced system/user monitoring.    
Regulatory/Statutory Requirements
Ensure that all applicable regulatory or statutory security requirements are in place.    
Transmission Confidentiality - Fax Protections
Ensure that faxes with sensitive information are sent in a manner that protects UTHSC data.    

 

Jun 26, 2024