
UNIVERSITY OF TENNESSEE SYSTEM POLICY
INFORMATION TECHNOLOGY

POLICY NO: IT0115
SUBJECT: INFORMATION AND COMPUTER SYSTEM CLASSIFICATION
EFFECTIVE: 05/10/2013
REVISION NO: 2

TOPICS:
  • General Policy
  • Responsibilities
  • Special Notes
  • Definitions
  • References

OBJECTIVE:


Provide policy for categorizing information and information systems, and establish Federal Information Processing Standard 199 (FIPS 199) as the University of Tennessee's information categorization model.

This process guides the identification of information assets and the determination of the risk of unauthorized disclosure, alteration, or destruction of that information and the resulting impact to the University of Tennessee. The information classification policy provides the following benefits:

  • A guide to determine the value of information to the university.
  • An aid in creating controls that limit the unauthorized disclosure, alteration, and destruction of information.
  • A mechanism to identify critical information and computer systems that are most valued to the university.
  • A device to identify the protections that apply to specific information and computer systems.

This policy applies to all students, faculty, staff, and others, referred to as users throughout this policy, while accessing, using, or handling the University of Tennessee's information technology resources. In this policy, "users" includes, but is not limited to, subcontractors, visitors, visiting scholars, potential students, research associates, grant and contract support personnel, media representatives, guest speakers, and non-university entities granted access. All users are required to be familiar with and comply with this policy.


POLICY:

General Policy

Categorize information and information systems according to risk level by applying guidance found in FIPS 199 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 Volumes I and II.

Responsibilities

Information Owners and Information System Owners will:

  1. Identify and document the information types stored or processed by each information system.
  2. Select the security impact levels and security category for each identified information type.
  3. Document the provisional impact levels associated with the system's information types.
  4. Review the appropriateness of the provisional impact levels based on organizational guidance (see Definitions), and document any adjustments to the impact levels.
  5. Determine and assign the system's security categorization by taking, for each security objective (confidentiality, integrity, availability), the highest impact level across the system's information types; the highest of the three resulting values is the overall impact level used to select the control baseline.
  6. Select and implement appropriate controls for each system from NIST SP 800-53 "Recommended Security Controls for Federal Information Systems and Organizations" using the baseline established by the Statewide IT Governance Program and with the cooperation of the campus/unit Information Security Officer.

Special Notes

Certain special provisions and requirements that apply to information classification are provided to ease interpretation and implementation.

  1. The university, except as recognized in the Statement of Policy on Patents, Copyrights, and Licensing, retains ultimate ownership of all information.
  2. To ensure proper protection of the university's information, any information or computer system not otherwise classified is presumed to be at least: "FIPS199 Security Category = {(confidentiality: Low), (integrity: Low), (availability: Low)}".
  3. Computer systems holding information at multiple classification levels must either protect all information on the system at the highest applicable level, or be covered by a documented plan that describes a clear separation of data and the protections applied to each classification of data on the system.
  4. All computer systems that handle, process, or store the university's information at an offsite location must adhere to this policy. Contracts with third-party vendors that handle, process, or store the university's information should reflect a requirement that they acknowledge and adhere to this policy.
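The Responsibilities steps above and Special Notes 2 and 3 describe the FIPS 199 categorization procedure in prose. The following script, added here as an illustration and not part of policy IT0115 or any UT tooling, walks one constructed system through it: provisional impact levels per information type, documented adjustments, per-objective aggregation to the system security category (the FIPS 199 high-water mark), the Low/Low/Low floor from Special Note 2, and the single overall level used to pick an SP 800-53 baseline. The information types, impact values and justifications are constructed sample data, not UT organizational guidance; the "N/A" handling follows FIPS 199, which permits a "not applicable" confidentiality value for public information types but never for a system.

```python
"""Worked FIPS 199 security categorization following the IT0115 steps.

Added example, not part of policy IT0115. All information types, impact
values and justifications below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable

LEVELS = ("Low", "Moderate", "High")          # FIPS 199 potential impact values
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")
NOT_APPLICABLE = "N/A"  # FIPS 199: allowed only for confidentiality of an information type

# Special Note 2: anything not otherwise classified is presumed at least Low/Low/Low.
DEFAULT_CATEGORY = {objective: "Low" for objective in OBJECTIVES}


@dataclass
class InformationType:
    """One information type (step 1) with provisional impact levels (step 3)
    and any adjustments made under organizational guidance (step 4)."""
    name: str
    provisional: Dict[str, str]
    adjustments: Dict[str, str] = field(default_factory=dict)
    justification: str = ""  # step 4 requires adjustments to be documented


def _check_level(objective: str, level: str) -> str:
    """Reject impact values FIPS 199 does not define for this objective."""
    if level == NOT_APPLICABLE and objective == "confidentiality":
        return level
    if level not in RANK:
        raise ValueError(f"{objective}: invalid impact level {level!r}")
    return level


def information_type_category(info_type: InformationType) -> Dict[str, str]:
    """Security category of one information type after documented adjustments (steps 2-4)."""
    if info_type.adjustments and not info_type.justification:
        raise ValueError(f"{info_type.name}: adjustments must be documented")
    return {
        obj: _check_level(obj, info_type.adjustments.get(obj, info_type.provisional[obj]))
        for obj in OBJECTIVES
    }


def system_security_category(info_types: Iterable[InformationType]) -> Dict[str, str]:
    """Step 5 / Special Note 3: for each objective, the highest impact level across
    all information types on the system. N/A is ignored, and every objective
    floors at Low (Special Note 2), so an empty system is Low/Low/Low."""
    category = dict(DEFAULT_CATEGORY)
    for info_type in info_types:
        for obj, level in information_type_category(info_type).items():
            if level != NOT_APPLICABLE and RANK[level] > RANK[category[obj]]:
                category[obj] = level
    return category


def high_water_mark(category: Dict[str, str]) -> str:
    """Overall system impact level used to select the SP 800-53 baseline (step 6)."""
    return max(category.values(), key=RANK.__getitem__)


def format_category(category: Dict[str, str]) -> str:
    """Render in the notation used in Special Note 2."""
    inner = ", ".join(f"({obj}: {category[obj]})" for obj in OBJECTIVES)
    return "FIPS199 Security Category = {" + inner + "}"


# Constructed sample: a hypothetical student records system with three information types.
STUDENT_SYSTEM = [
    InformationType("student grades",
                    {"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"}),
    InformationType("public course catalog",   # public, so confidentiality is N/A
                    {"confidentiality": NOT_APPLICABLE, "integrity": "Low", "availability": "Low"}),
    InformationType("payment card data",
                    {"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},
                    adjustments={"confidentiality": "High"},
                    justification="constructed example: campus guidance rates this type High"),
]

if __name__ == "__main__":
    sc = system_security_category(STUDENT_SYSTEM)
    print(format_category(sc))
    print("Overall impact level for SP 800-53 baseline selection:", high_water_mark(sc))
```

Running the script on the constructed system yields a High confidentiality, Moderate integrity, Low availability category and an overall High level: a single adjusted information type pulls the whole system up, which is exactly why Special Note 3 allows a documented separation plan as the alternative to protecting everything at the highest level.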

Definitions

  • Information Owner: Individual with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
  • Information System Owner: Individual responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
  • Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
  • Information Type: A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization, or in some instances, by a specific law, policy, or regulation.
  • Organizational Guidance: A campus or institute-specific document that provides guidance for categorizing specific information types (for example: Confidential Information.)
  • Security Categorization: The process of determining the security category for information or an information system. Security categorization methodologies are described in Federal Information Processing Standard 199 (FIPS 199) and National Institute of Standards and Technology (NIST) SP 800-60.

References

  1. Federal Information Processing Standards Publication 199: Standards for Security Categorization of Federal Information and Information Systems (FIPS 199)
  2. National Institute of Standards and Technology (NIST) Special Publications (SP)
    1. 800-53
    2. 800-60 Volume I
    3. 800-60 Volume II