Cybersecurity Standards

Access Control | Awareness & Training | Audit & Accountability | Configuration Management | Contingency Planning | Computer Security | General Security Provisions | Incident Response | Personnel Security | Physical & Environmental Protections | Risk Management | System Communications & Protections

---

Access Control

AC-001-Access Control

• AC-001.02-Privileged Account Management  
• AC-001.04-VPN Access
• AC-001.06-Third-Party Access to Accounts and Data 
• AC-001.08-Data Center Access    

AC-002-Authentication         

• AC-002.02-Password Management and Complexity   
• AC-002.04-NetID Account Management   

Awareness and Training

AT-001-Training and Awareness

Audit and Accountability

AU-001-Audit and Logging Accountability

AU-002-Logging and System Activity Review

Configuration Management

CM-001-Configuration Management    

Contingency Planning

CP-001-Business Continuity Planning  

CP-002-Information Security during a Disaster

Computer Security

CS-001-Device Life Cycle Security    

CS-002-Personally Owned Device Security  

General Security Provisions

GP-001-UTHSC Information Security Program

• GP-001.01-Information Security Roles and Responsibilities
• GP-001.02-Security Exceptions and Exemptions to ITS Standards and Practices   
• GP-001.04-Information Security Violations

GP-002-Data and System Classification  

GP-003-Expectation of Privacy    

GP-004-Acceptable Use of IT Resources

• GP-004.01-Login Banner      
• GP-004.02-Acceptable Use of Generative AI   
• GP-004.03-Acceptable Use of UT Health Science Center Phones and Service    ***NEW***

GP-005-Data Security 

• GP-005.01-Disposal or Destruction of Electronic & Non-Electronic Media     

GP-006-Email      

GP-007-Asset Management    

• GP-007.02-Antivirus / Antimalware Protection  

Incident Response

IR-001-Security Incident Response

Personnel Security

PS-001 - Personnel Security

Physical and Environmental Protections

PE-001-Physical Security of Information Resources and Related Facilities   

Risk Management

RM-001 – Risk Management     

• RM-001.01-Risk Assessment Process

RM-002 - Vulnerability Management    

RM-003 - Patch Management    

RM-004 - Third Party Risk Management     

System and Communications Protections

SC-001-Network Security

• SC-001.02-Network Security Infrastructure

SC-002-System and Communications Protections

• SC-002.01-Official Communications Use and Protections        

SC-003-Application System Security

• SC-003.02-Application System Security Features

SC-004-Wireless Network Security    

SC-005-Encryption

• SC-005.02-Encryption for Mobile Computing and Storage Devices  

SC-006-Internet of Things Security