The University of Tennessee System
 


UNIVERSITY OF TENNESSEE SYSTEM POLICY
INFORMATION TECHNOLOGY

POLICY NO: IT0121
SUBJECT: INFORMATION SECURITY PLAN CREATION AND DATA BREACH NOTIFICATION PROCEDURES
EFFECTIVE: 01/01/2010

OBJECTIVE:

To provide policies for establishing information security plans and data breach notification procedures.


POLICY:

General Policy

1.    Each campus and institute is responsible for creating, approving, maintaining, and implementing an information security plan based on the National Institute of Standards and Technology (NIST) Risk Management Framework.

a.    The security plan must detail who is responsible for accepting risk at each campus and institute.

b.    The security plan must include a data breach notification policy specific to their local campus.

i.   Data breach notification policies must comply with state and federal laws and regulations as well as industry security standards such as the Payment Card Industry-Data Security Standard (PCI-DSS).

c.    The security plan must include a plan of action and milestones for implementation of controls.

d.    The security plan must be developed within one year of the effective date of this policy, or the responsible party must have a documented schedule for its development.

Responsibilities

2.    Each CIO is responsible for the information security plan specific to their campus or institute.

3.    The CIO for University Wide Administration (UWA) is responsible for the information security plan specific to UWA.