Office of Cybersecurity and ITS Standards and Practices

Access Control | Awareness & Training | Audit & Accountability | Contingency Planning | Computer Security | General Security Provisions | Incident Response | Personnel Security | Physical & Environmental Protections | Risk Assessment | Risk Management | System Communications & Protections | General ITS

---

Access Control

Standard-InfoSec-AC-001-Access Control

• Practice-InfoSec-AC-001.02-Privileged Account Management  
• Practice-InfoSec-AC-001.04-VPN Access

Standard-InfoSec-AC-002-Authentication

• Practice-InfoSec-AC-002.02-Password Management and Complexity   
• Practice-InfoSec-AC-002.04-NetID Account Management

Awareness & Training

Standard-InfoSec-AT-001-Training and Awareness

• Practice-InfoSec-AT-001.01-New Employee InfoSec Training
• Practice - InfoSec-AT-001.02-Refresher InfoSec Training Course

Audit & Accountability

Standard-InfoSec-AU-001-Audit & Logging Accountability

Standard-InfoSec-AU-002-Logging and System Activity Review

• Practice-InfoSec-AU-002.01-Logging and System Activity Review

Contingency Planning

Standard - InfoSec-CP-001 - Contingency Planning

• Practice - InfoSec-CP-001.02 - IT Resource Backups
• Practice - InfoSec-CP-001.04 - Contingency Plan

Standard - InfoSec-CP-002 - Information Security during a Disaster

Computer Security

Standard-InfoSec-CS-001-Systems and Communications Protection

General Security Provisions

Standard-InfoSec-GP-001-UTHSC Information Security Program

• Practice-InfoSec-GP-001.01-Information Security Roles and Responsibilities
• Practice-Infosec- GP-001.02-Security Exceptions and Exemptions to ITS Standards and Practices
• Practice-InfoSec-GP-001.04-Information Security Violations

Standard-InfoSec-GP-002-Data Classification

Standard-InfoSec-GP-003-Expectation of Privacy

• Practice-ITS-GP-003.02-Third-Party Access to Accounts and Data

Standard-InfoSec-GP-004-Acceptable Use of IT Resources

Standard-InfoSec-GP-005-Data Security

Standard-InfoSec-GP-007-Asset Management

• Practice-InfoSec-GP-007.01-Device Life Cycle Security   
• Practice-InfoSec-GP-007.02-Antivirus / Antimalware Protection  **NEW** 
• Practice-InfoSec-GP-007.03-Personally Owned Device Security  **NEW**

Incident Response

Standard-InfoSec-IR-001-Security Incident Response

Personnel Security

Standard - InfoSec-PS-001 - Personnel Security

Physical & Environmental Protections

Standard-InfoSec-PE-001-Physical Security of Information Resources and Related Facilities

• Practice-InfoSec-PE-001.02-Physical Security Server Rooms
• Practice-InfoSec-PE-001.04-Physical Security Server
• Practice-InfoSec-PE-001.06-Physical Security Storage Devices and Media
• Practice-InfoSec-PE-001.08-Physical Security End User IT Resource
• Practice-InfoSec-PE-001.10-Physical Security Communication Closets

Risk Assessment

Standard-InfoSec-RA-001 – Risk Assessment

Risk Management

Standard-InfoSec-RM-001 – Risk Management     

Standard-InfoSec-RM-002 - Vulnerability Management    

Standard-InfoSec-RM-003 - Patch Management     

System Communications & Protections

Standard-InfoSec-SC-001-Network Security

• Practice-InfoSec-SC-001.02-Network Security Infrastructure

Standard-InfoSec-SC-002-Computer Security

• Practice-InfoSec-SC-002.04-Personally Managed Computing Devices
• Practice-InfoSec-SC-002.08-Encryption for mobile computing and storage devices

Standard-InfoSec-SC-003-Application System Security

• Practice-InfoSec-SC-003.02-Application System Security Features

Standard - InfoSec-SC-005-Encryption

General ITS

Standard-ITS-GP-001-Standard on UTHSC Information Technology Standards and Practices

• Practice-ITS-GP-001.01-Framework for Developing Standards and Practices

Standard-ITS-GP-004-Definitions

Standard-ITS-GP-005-Email

• Practice-ITS-GP-005.02-Email Best Practices