UTS 165.1 Information Security Organization, Personnel & Privacy Policy

Contents 

Sec. 1 Purpose

Sec. 2 Scope

Sec. 3 Authority

Sec. 4 Policy Objectives

4.1 Information Security Governance Objectives

4.2 Cybersecurity Risk Management Objectives

4.3 Personnel & Third-Party Security Objectives

4.4 Awareness & Training Objectives

4.5 Information Data Protection & Privacy Objectives

4.6 Acceptable Use Objectives

Sec. 5 Compliance and Enforcement

Sec. 1 Purpose

This Policy sets the objectives for Information Security Organization, Personnel, and Privacy and the corresponding Standard requirements, which are located within the UTS 165 Standards SharePoint site* (UT Credential Required): UTS 165.1.1 Information Security Governance, UTS 165.1.2 Cybersecurity Risk Management, UTS 165.1.3 Personnel & Third Party, UTS 165.1.4 Awareness & Training, UTS 165.1.5 Information Data Protection & Privacy, and UTS 165.1.6 Acceptable Use Standard.

Sec. 2 Scope

This Policy contains the objectives for configuring and enforcing the established governance and the appropriate safeguards to protect critical assets, system components, other devices, data, and IT facilities from a variety of threats, including but not limited to security threats and user- and third-party-related security threats that could impact UT System infrastructure.

Refer to the UTS 165 Definitions (UT Credential Required) for the definitions of the italicized terms used in this Standard.

Sec. 3 Authority

The System Administration and Institutional roles that have the authority to implement, enforce, and support the Objectives in this Policy are set forth in the UTS 165 parent policy.

Sec. 4 Policy Objectives

4.1 Information Security Governance Objectives

4.1.1 Information Security Strategy:

An information security program and strategy must be established, documented, reviewed, approved, communicated, and maintained for protecting UT Institution assets and data from threats, to ensure Institutions can achieve their mission. The strategy and information security program must include a risk-based approach for the identification and adoption of effective controls.

Compliance References:

NIST 800-53: AC-01, AT-01, AU-01, CA-01, CM-01, CP-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PL-10, PL-11, PM-01, PS-01, PT-01, PM-05, PM-05(01), PM-06, PM-07, PM-08, PM-14, PM-16, PM-23, RA-01, SA-01, SC-01, SI-01, SR-01

TAC202: 202.74, 202.76

DIR: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PL-10, PL-11, PM-1, PM-7, PM-5, PM-6, PM-14, PM-16, PS-1, PT-1, RA-1, SA-1, SC-1, SI-1, SR-1

Supporting Documents:

UTS 165.1.1 Information Security Governance Standard (UT Credential Required)

4.1.2 Information Security Governance:

An information security governance framework must be established and maintained to ensure that information security risks are appropriately managed to protect UT Institution assets and data, and that these risks are aligned with the strategic objectives of the Institutions. The framework must include establishing and maintaining an oversight structure for the Information security program, to include the Agency Head, the Chief Business Officer, and other appropriate senior executives responsible for achieving the systemwide mission.

Compliance References:

NIST 800-53: PM-02, PM-03, PM-04, PM-15, PM-19, PM-29, SA-02

TAC202: 202.7(b)(2), 202.71, 202.75(4)

DIR: PM-2, PM-3, PM-4, PM-15

Supporting Documents:

UTS 165.1.1 Information Security Governance Standard (UT Credential Required)

4.1.3 Information Security Documentation:

Information security Policies, Standards, and Operating Procedures, as well as a process to implement and monitor compliance with these documents, must be established, maintained, approved by management, and acknowledged by applicable users and interested parties based on their contractual agreements.

Compliance References:

NIST 800-53: AC-01, AT-01, AU-01, CA-01, CM-01, CP-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PM-01, PS-01, PT-01, PM-08, PM-14, PM-25, RA-01, SA-01, SC-01, SI-01, SR-01

TAC202: 202.74, 202.76

DIR: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, PT-1, RA-1, SA-1, SC-1, SI-1, SR-1

Supporting Documents:

UTS 165.1.1 Information Security Governance Standard (UT Credential Required)

4.1.4 Legal, Statutory, Regulatory, and Contractual Requirements:

Processes must be defined and implemented to align with the legal, statutory, regulatory, and contractual requirements relevant to information security and privacy.

Compliance References:

NIST: PM-27

TAC202: 202.73(b), 202.74

DIR: N/A

Supporting Documents:

UTS 165.1.1 Information Security Governance Standard (UT Credential Required)

4.2 Cybersecurity Risk Management Objectives

4.2.1 Information Risk Management Framework:

An information risk management framework must be defined, implemented, reviewed, and approved. It must include a security risk assessment process that produces consistent, valid, and comparable results, a process for risk remediation, and criteria for mitigation / acceptance of risks.

Compliance References:

NIST 800-53: CA-02, CA-02(01), CA-02(03), CA-06, CA-07, CA-07(01), CA-07(03), PM-09, PM-10, PM-31, RA-03, RA-03(01)

TAC202: 202.71, 202.74(a)(1), 202.74(a)(2)(B), 202.75

DIR: CA-2, CA-6, CA-7, PM-9, PM-10, PM-31

Supporting Documents:

UTS 165.1.2 Cybersecurity Risk Management Standard (UT Credential Required)

4.2.2 Information Security Risk & Control Assessment:

Information security risk and control assessment processes must be defined and implemented, including assessing compliance with in-scope state, regulatory, and contractual requirements, as well as identification, reporting, analysis, prioritization, and remediation of risks.

Compliance References:

NIST 800-53: CA-07, CA-07(01), CA-07(03), CA-07(04), CA-07(06)

TAC202: 202.76(c), 202.73(a), 202.73(c)

DIR: CA-7

Supporting Documents:

UTS 165.1.2 Cybersecurity Risk Management Standard (UT Credential Required)

4.2.3 Vendor Risk Management:

Processes to identify and manage the information and privacy risks associated with the use of vendor products or services must be defined and implemented, including processes to evaluate vendors to identify information security and privacy requirements and processes to periodically assess vendor security posture, controls, and compliance with defined information security requirements and privacy requirements, when applicable, to address risks.

Compliance References:

NIST 800-53: SA-04, SA-09, SA-09(01)

TAC202: 202.75, 202.77

DIR: SA-4, SA-9

Supporting Documents:

UTS 165.1.2 Cybersecurity Risk Management Standard (UT Credential Required)

4.2.4 High Risk Asset Review:

High risk assets must be periodically reviewed by the UT System Administration Risk Management Executive Committee (RMEC).

Compliance References:

NIST 800-53: N/A

TAC202: N/A

DIR: N/A

Supporting Documents:

UTS 165.1.1 Information Security Governance Standard (UT Credential Required)

4.3 Personnel & Third-Party Security Objectives

4.3.1 Information Security & Privacy Responsibilities for Vendors:

Processes must be defined and implemented to establish defined information security and privacy terms and conditions for vendors that view, store, process, or transmit university records and data to ensure vendors follow their defined responsibilities and uphold UT System and UT Institution standards. Requirements and responsibilities are based on the type of vendor product or service provided, classification of data, and any applicable risk assessment results.

Compliance References:

NIST 800-53: AC-20

TAC202: 202.72(a)(2), 202.77

DIR: AC-20

Supporting Documents:

UTS 165.1.3 Personnel & Third-Party Security Standard (UT Credential Required)

4.3.2 Personnel Screening:

Processes must be defined and implemented to conduct screenings of potential users in collaboration with Human Resources (HR) and Privacy Officers (PO), including background verification checks, for all employment or engagement candidates, taking into consideration applicable laws, regulations, and ethics. Institutions must define the frequency and depth of screening proportional to business requirements, classification of the data to be accessed, and perceived risks of the position. 

Compliance References:

NIST: PS-02, PS-03, PS-03(01)

TAC202: 202.75

DIR: PS-2, PS-3

Supporting Documents:

UTS 165.1.3 Personnel & Third-Party Security Standard (UT Credential Required)

4.3.3 Employee Position Descriptions, Rules, Terms, & Conditions of Employment:

Position descriptions must be established and maintained that incorporate information security and privacy roles and responsibilities as applicable. Additionally, information security and privacy responsibilities and rules of behavior of all UT System users must be included in employment terms and conditions / agreements and other materials provided to individuals prior to employment to make employment candidates aware of security and privacy responsibilities associated with the role. Descriptions should take into account requirements from various regulations, including but not limited to HIPAA.

Compliance References:

NIST 800-53: PL-04, PL-04(01), PS-02, PS-06, PS-09

TAC202: 202.72(a)(3), 202.75

DIR: PL-4, PS-2, PS-6, PS-9

Supporting Documents:

UTS 165.1.3 Personnel & Third-Party Security Standard (UT Credential Required)

4.3.4 Offboarding Separated Users:

Processes to offboard separated (voluntarily or involuntarily) or transferred users must be defined and implemented in collaboration with Human Resources (HR) to ensure protection against loss or compromise of UT Institution assets, data, and other information resources.

Compliance References:

NIST: PS-04, PS-04(02), PS-05

TAC202: N/A

DIR: PS-4, PS-5

Supporting Documents:

UTS 165.1.3 Personnel & Third-Party Security Standard (UT Credential Required)

4.3.5 Disciplinary Process:

A disciplinary process must be formalized for users in violation of information security and privacy Policies, Standards, and Procedures. The disciplinary process must be clearly communicated to users for awareness of the consequences of not following information security and privacy documented minimum requirements.

Compliance References:

NIST 800-53: PS-08

TAC202: 202.72(a)(3)

DIR: PS-8

Supporting Documents:

UTS 165.1.3 Personnel & Third-Party Security Standard (UT Credential Required)

4.4 Awareness & Training Objectives

4.4.1 Information Security & Privacy Awareness, Education, and Training:

An information security and privacy training and awareness program must be defined and implemented to provide users with appropriate information security and privacy awareness, education, and training as relevant for their job function and on UT Institution information security Policies and Standards.

Compliance References:

NIST 800-53: AT-02, AT-02(01), AT-02(02), AT-02(03), AT-02(04), AT-02(06), AT-03, AT-03(01), AT-03(02), AT-03(03), AT-03(05), AT-04

TAC202: 202.7(b)(4), 202.74(b)(2), 202.74(b)(3)

DIR: AT-2, AT-2(2), AT-3, AT-4

Supporting Documents:

UTS 165.1.4 Awareness & Training Standard (UT Credential Required)

4.5 Information Data Protection & Privacy Objectives

4.5.1 Use of Information/Data:

A data protection program must be defined, documented, and implemented that includes rules and procedures for the acceptable use, handling, retention, and disposal of data based on classification and in alignment with required privacy regulations and frameworks, including rules for the usage and protection of operational / production data in non-production environments.

Compliance References:

NIST 800-53: AC-20(03), AC-22, PT-02, PT-02(02), SC-28, SI-12, SI-12(01), SI-12(02), SI-12(03), SI-19, SI-19(03), SI-19(04), SI-19(05)

TAC202: 202.72(a)(1)(1), 202.72(b)

DIR: AC-22, SI-12

Supporting Documents:

UTS 165.1.5 Information Data Protection & Privacy Standard (UT Credential Required)

4.5.2 Privacy Rights:

Requirements must be defined and implemented that establish data privacy rights of individuals, including the right to be informed, access, rectify, erase, restrict, receive, and object to the use of their personal information, in alignment with required privacy regulations and frameworks.

Compliance References:

NIST 800-53: AC-23, PT-03, PT-03(02), PT-04, PT-05, SI-18(04), SI-18(05)

TAC202: N/A

DIR: N/A

Supporting Documents:

UTS 165.1.5 Information Data Protection & Privacy Standard (UT Credential Required)

4.5.3 Inventory & Labeling of Information/Data:

An inventory of data must be developed to ensure UT System critical data is identified and labeled / marked to support appropriate protection of data based on the classification.

Compliance References:

NIST 800-53: AC-16, AC-16(08), AC-16(09), AC-16(10)

TAC202: N/A

DIR: N/A

Supporting Documents:

UTS 165.1.5 Information Data Protection & Privacy Standard (UT Credential Required)

4.5.4 Data Leakage Detection & Prevention:

Data leakage prevention measures must be identified and applied to networks, assets, and any other devices that process, store, or transmit critical data to detect and prevent the unauthorized disclosure or extraction of data.

Compliance References:

NIST 800-53: AC-04(03), AC-04(06), AC-04(08), AC-04(09), AC-04(19), AC-04(20), CA-03, SC-08, SC-08(01), SC-08(02), SC-08(04), SC-08(05)

TAC202: N/A

DIR: CA-3, SC-8

Supporting Documents:

UTS 165.1.5 Information Data Protection & Privacy Standard (UT Credential Required)

4.5.5 Data Masking & Cryptography:

Data masking and approved encryption methods / techniques must be defined and implemented to protect data from unauthorized access, modification, disclosure, or theft in alignment with classifications and business requirements, taking applicable legislation into consideration.

Compliance References:

NIST 800-53: SC-12, SC-12(01)

TAC202: N/A

DIR: SC-12

Supporting Documents:

UTS 165.1.5 Information Data Protection & Privacy Standard (UT Credential Required)

4.6 Acceptable Use Objectives

4.6.1 Acknowledge Acceptable Use Policy (AUP):

An Acceptable Use Policy (AUP) must be established that contains rules and guidelines outlining the acceptable behavior of users when accessing and utilizing any computer network, system, or technology resource provided to the user. Users granted access to technology resources of UT System must acknowledge the rules of use of these resources annually. The AUP must include the ability for users to indicate their acknowledgement of the AUP, and must include clear notice to the user that failure to abide by the AUP may result in disciplinary action, immediate cessation of use of the provided technology resource, or other enforcement as defined by the Institution.

Compliance References:

NIST 800-53: PM-09, PL-04

TAC202: 202.72

DIR: N/A

Supporting Documents:

UTS 165.1.6 Acceptable Use Standard (UT Credential Required)

4.6.2 Clear Desk and Clear Screen:

Rules must be defined and communicated for the protection of physical data (hardcopies), unattended electronic media and computing devices, and data displayed on screens (whether from an individual’s computer or in conference rooms / collaboration spaces) or via other physical means (e.g., sticky notes on desk).

Compliance References:

NIST 800-53: AC-03

TAC202: N/A

DIR: N/A

Supporting Documents:

UTS 165.1.6 Acceptable Use Standard (UT Credential Required)

4.6.3 Management and General Users Information Security & Privacy Responsibilities:

Responsibilities and qualifications must be defined, documented, and communicated for UT Institution users with information security and privacy responsibilities.

Compliance References:

NIST 800-53: AT-03, PM-09, PL-04, SI-04

TAC202: 202.7, 202.71, 202.72, 202.73(d)

DIR: AT-3, PM-9, PL-4, SI-4, Prohibited Technologies

Supporting Documents:

UTS 165.1.6 Acceptable Use Standard (UT Credential Required)

4.6.4 User Devices:

Security requirements must be defined and implemented for electronic media and computing devices to protect data stored on, processed by, or accessible via UT Institution provided, owned, and operated devices from unauthorized access.

Compliance References:

NIST 800-53: AC-19, AC-19(04), AC-20(02), PS-02

TAC202: N/A

DIR: AC-19

Supporting Documents:

UTS 165.1.6 Acceptable Use Standard (UT Credential Required)

4.6.5 Mobile Device Management & Protection:

A mobile device management program must be defined and implemented that includes appropriate security controls to protect data on UT Institution owned mobile devices, as well as on personally owned (Bring Your Own Device, BYOD) devices that store, process, transmit, or access university records (data).

Compliance References:

NIST: AC-19

TAC202: N/A

DIR: AC-19

Supporting Documents:

UTS 165.1.6 Acceptable Use Standard (UT Credential Required)

Sec. 5 Compliance and Enforcement

UTS 165 was developed with consideration of and alignment to applicable laws and regulations, including the Texas Administrative Code Chapter 202 Subchapter C, the Texas Department of Information Resources (DIR) Security Controls Catalog, NIST 800-53 Revision 5.1.1 Security and Privacy Controls for Information Systems and Organizations, and other Privacy regulatory obligations and frameworks. Further, the objectives and requirements established in UTS 165 reflect industry best practices and internal systemwide business goals.

It is the collaborative responsibility of the roles outlined in the Authority section of this Policy to enforce these UTS 165 objectives and ensure compliance with the corresponding UTS 165 Standard requirements.

Compliance with UTS 165 Policies and Standards is mandatory unless otherwise contractually documented and agreed, or an exception to a Standard requirement is granted. In the limited and unlikely circumstance that compliance with a requirement in UTS 165 cannot be met and no feasible remediation exists, an exception to an otherwise required security control may be granted by the Institutional Information Security Officer (ISO) as authorized by applicable law and UT System and Institution Policy. Users must submit an exception request to their ISO, who evaluates the request, assesses the potential risks associated with non-compliance, and determines the feasibility of granting an exception. Exceptions must be based on an assessment of business requirements weighed against the likelihood of an unauthorized exposure and the potential adverse consequences for users, other organizations, or the Institution were an exposure to occur. If an exception is granted by the ISO, compensating controls may be implemented to offset the risk of the exception. All approved exceptions must be documented at the Institution level to maintain an exception log, and Institutions must develop and document their own exception-related processes in accordance with this Policy. Note that exceptions will not be granted to requirements contained in UTS 165.1.6 Acceptable Use Standard.

Violations of UTS 165 may lead to disciplinary action, up to and including involuntary separation from employment.

*Note: If you have accessed any of UT System’s resources in Office 365, you will already have access to this site. You can self-register for UT System guest access by sending a blank email from your UT institutional email address to utguest@utsystem.edu. After 15 minutes, your guest account will automatically be created and you will be able to access the UT Systemwide Contracts site with your UT institutional ID.