UTS 165.2 Information Security Technology Policy

Contents

Sec. 1 Purpose

Sec. 2 Scope

Sec. 3 Authority

Sec. 4 Policy Objectives

4.1 Access Management Objectives

4.2 Asset Management Objectives

4.3 System Development & Maintenance Objectives

4.4 Business Continuity & Disaster Recovery Objectives

4.5 Security Monitoring & Vulnerability Management Objectives

4.6 Incident Management Objectives

Sec. 5 Compliance and Enforcement

Sec. 1 Purpose

This Policy sets the objectives for Technology and the corresponding Standard requirements, which are located within the UTS 165 Standards SharePoint site* (UT Credential Required): UTS 165.2.1 Access Management, UTS 165.2.2 Asset Management, UTS 165.2.3 System Development & Maintenance, UTS 165.2.4 Business Continuity & Disaster Recovery, UTS 165.2.5 Security Monitoring & Vulnerability Management, and UTS 165.2.6 Incident Management Standard (UT Credential Required).

Sec. 2 Scope

This Policy contains the objectives for configuring and enforcing the appropriate safeguards to protect critical assets, system components, other devices, data, and IT facilities from a variety of threats including but not limited to security threats and user and third party related security threats that could impact UT System infrastructure.

Refer to the UTS 165 Definitions (UT Credential Required) for the definitions of the italicized terms used in this Policy.

Sec. 3 Authority

The System Administration and Institutional roles that have the authority to implement, enforce, and support the Objectives set forth in UTS 165 parent policy.

Sec. 4 Policy Objectives

4.1 Access Management Objectives

4.1.1 Identity Management:

Identity lifecycle management processes must be defined and implemented, including identity / account types approved for use, approved activities for each account type, and requirements for creation, administration, modification, and revocation. Each UT Institution will participate in the Systemwide Identity Federation managed by the UT System CIO.

Compliance References:

NIST 800-53: AC-02, AC-02(03), AC-02(07), AC-02(09), AC-02(12), IA-02(05), IA-02(08), IA-04, IA-08

NIST 800-63-3, 800-63A, 800-63-B, 800-63-C

TAC202: N/A

DIR: AC-2, AC-2(3), IA-4, IA-8

Supporting Documents:

UTS 165.2.1 Access Management (UT Credential Required)

4.1.2 Segregation of Duties:

Roles and duties that are conflicting and require segregation must be defined and access authorizations that support such segregation of duties must be defined and implemented to reduce potential for abuse of privileges and reduce the risk of security incidents by supporting least privileged access.

Compliance References:

NIST 800-53: AC-05, AC-06, AC-06(10)

TAC202: N/A

DIR: AC-5, AC-6

Supporting Documents:

UTS 165.2.1 Access Management (UT Credential Required)

4.1.3 Access Control:

Requirements must be defined and implemented to enforce control of logical access to UT Institution assets and data to ensure only authorized, least privilege access is provided and prevent unauthorized access, including management of access rights, review, modification, and removal. Access controls must include those for user non-privileged, privileged, shared / group, and service accounts.

Compliance References:

NIST 800-53: AC-02(05), AC-03, AC-03(04), AC-03(07), AC-03(08), AC-03(11), AC-06(07), AC-07, AC-08, AC-11, AC-14, IA-02(01), IA-02(02)

TAC202: 202.72(a)(1)(b), 202.72(b)

DIR: AC-3, AC-7, AC-8, AC-14, IA-2(1), IA-2(2)

Supporting Documents:

UTS 165.2.1 Access Management (UT Credential Required)

4.1.4 Remote Access Security:

Security measures for remote access to UT Institution networks and assets must be defined and implemented to protect data accessed and / or processed from / by an external network, asset, or location, including types of remote access allowed, configuration and connection requirements, usage restrictions, and authorization requirements.

Compliance References:

NIST 800-53: AC-17, AC-17(01), AC-17(06), AC-18, AC-18(01), AC-20(04), SC-15

TAC202: 202.72 (a)(3), 202.72 (b)

DIR: AC-17, AC-18, SC-15

Supporting Documents:

UTS 165.2.1 Access Management (UT Credential Required)

4.1.5 Secure Authentication & Logon:

Requirements and processes for secure authentication / logon and the use and management of authenticators must be defined and implemented, including authentication types used, logon parameters and notices that must be enforced, and authenticator distribution, protection, revocation, and handling. These requirements must ensure users and devices are uniquely authenticated prior to and while accessing UT Institution assets and data to prevent unauthorized access.

Compliance References:

NIST 800-53: IA-02, IA-02(06), IA-03, IA-05, IA-05(01), IA-06, IA-07, IA-08(02), IA-11

TAC202: 202.72(a)

DIR: IA-02, IA-5, IA-5(1), IA-6, IA-7, IA-11

Supporting Documents:

UTS 165.2.1 Access Management (UT Credential Required)

4.2 Asset Management Objectives

4.2.1 Asset Management:

UT Institution asset and information resource management processes must be defined and implemented to manage assets and information resources throughout the lifecycle of development, acquisition, use, transportation, and disposal in accordance with a defined classification schema and handling requirements.

Compliance References:

NIST 800-53: MP-02, MP-04, MP-04(02), MP-05

TAC202: N/A

DIR: MP-2

Supporting Documents: 

UTS 165.2.2 Asset Management (UT Credential Required)

4.2.2 Inventory & Maintenance of Assets:

Methods must be implemented to identify, classify, and inventory UT Institution assets and information resources in the environment in detail to effectively track assets and information resources, define ownership, and ensure proper classification and maintenance, including all assets and information resources essential to critical mission and business functions with recovery time and recovery point objectives.

Compliance References:

NIST 800-53: CM-08, CM-08(01), RA-02, RA-02(01)

TAC202: 202.71(b)(7), 202.74(b)(1)

DIR: CM-8, RA-2

Supporting Documents:

UTS 165.2.2 Asset Management (UT Credential Required)

4.2.3 Acceptable Use of Assets:

Rules for the acceptable use of UT Institution assets and information resources, including software licenses as well as assets located off-premises, must be defined, implemented, and communicated to end users of the UT Institution assets and information resources to ensure they are protected, used, and handled appropriately based on risk and contractual, legal, statutory, and regulatory requirements.

Compliance References:

NIST 800-53: CM-10, CM-11, MP-07

TAC202: 202.72(a)(3)

DIR: CM-10, CM-11, MP-7

Supporting Documents:

UTS 165.2.2 Asset Management (UT Credential Required)

4.2.4 Return / Disposal / Reuse of Assets:

Processes must be defined and implemented to collect UT Institution assets and information resources in the possession of any individual upon change or separation of their employment, contract, or agreement in order to securely dispose of or reuse the assets or information resources and to document a lost or stolen asset or information resource that is unrecoverable.

Compliance References:

NIST 800-53: MP-06, MP-06(01), PS-04, SR-12

TAC202: N/A

DIR: MP-6, MP-6(1), PS-4, SR-12

Supporting Documents:

UTS 165.2.2 Asset Management (UT Credential Required)

4.3 System Development & Maintenance Objectives

4.3.1 Secure System Architecture & Engineering Principles:

Principles for engineering secure information systems must be established, documented in operational documentation, maintained, and applied to all UT Institution development activities, including assigning authorizing officials for the system.

Compliance References:

NIST 800-53: CA-09, MA-02, MA-03, MA-03(02), MA-03(03), MA-04, MA-05, PL-02, SA-04(01), SA-04(08), SA-05, SA-08, SA-10, SA-11, SA-21, SI-02(04), SC-38, SC-39, SI-02

TAC202: 202.71(b)

DIR: CA-9, MA-2, MA-4, MA-5, PL-2, SA-5, SA-8, SA-10, SA-11, SC-39, SI-2

Supporting Documents:

UTS 165.2.3 System Development & Maintenance (UT Credential Required)

4.3.2 System Development, Test, & Production Environments:

Separate environments for production and non-production (development, testing, quality assurance, etc.) must be implemented to protect the production environment and data from unauthorized access and compromise. Ensure that production data is not used for development or testing; if not possible, appropriate protections for the production data must be employed.

Compliance References:

NIST 800-53: SA-03(02)

TAC202: N/A

DIR: N/A

Supporting Documents:

UTS 165.2.3 System Development & Maintenance (UT Credential Required)

4.3.3 Configuration Management:

Baseline configurations, including security configurations of hardware, software, services, and networks must be established, approved, documented, and implemented. Processes must be established to monitor and review configurations to detect unauthorized or incorrect changes and to update configurations as needed.

Compliance References:

NIST 800-53: CM-02, CM-02(02), CM-02(03), CM-03, CM-03(02), CM-03(04), CM-03(05), CM-03(07), CM-06, CM-06(02), CM-09

TAC202:

DIR: CM-2, CM-3, CM-6

Supporting Documents:

UTS 165.2.3 System Development & Maintenance (UT Credential Required)

4.3.4 System Hardening & Least Functionality:

System hardening requirements must be defined and implemented to support configuring UT Institution assets in a manner that provides the least functionality needed for operations.

Compliance References:

NIST 800-53: CM-07, CM-07(01), CM-07(02)

TAC202: N/A

DIR: CM-7

Supporting Documents:

UTS 165.2.3 System Development & Maintenance (UT Credential Required)

4.3.5 Change Management & System Maintenance:

Planned change types and the requirements for the documentation, security impact analysis, approval, and testing for each change type (including scheduled changes and emergency changes) must be defined. Corresponding change management governance processes must be defined and implemented to support preservation of information security when executing changes to information systems.

Compliance References:

NIST 800-53: CM-04, CM-04(01), CM-04(02), CM-05, SA-22

TAC202: N/A

DIR: CM-4, CM-5, SA-22

Supporting Documents:

UTS 165.2.3 System Development & Maintenance (UT Credential Required)

4.3.6 Installation of Software:

Procedures and measures must be defined and implemented to securely manage software installation on centralized and decentralized IT operational systems to prevent introduction of vulnerabilities and to support the integrity of these operational systems, including compliance with end user license agreements and terms of service.

Compliance References:

NIST 800-53: CM-07, CM-10, CM-11

TAC202: 202.22 (a)(3), 202.72 (a)(3)

DIR: CM-7, CM-10, CM-11

Supporting Documents:

UTS 165.2.3 System Development & Maintenance (UT Credential Required)

4.3.7 Secure Coding:

Information security requirements for secure coding must be identified, specified, approved, and applied during UT Institution asset development and acquisition.

Compliance References:

NIST 800-53: SI-03

TAC202: N/A

DIR: SI-3

Supporting Documents:

UTS 165.2.3 System Development & Maintenance (UT Credential Required)

4.4 Business Continuity & Disaster Recovery Objectives

4.4.1 Impact Analysis:

Processes must be defined and implemented to identify critical assets as well as information system and technology dependencies for the reliable delivery of critical business functions. Processes must also be defined and implemented to conduct business impact analyses, including consideration for information security, to establish business continuity and alternate capabilities.

Compliance References:

NIST 800-53: CP-02(03), CP-02(08)

TAC202: N/A

DIR: N/A

Supporting Documents:

 UTS 165.2.4 Business Continuity & Disaster Recovery (UT Credential Required)

4.4.2 Business Continuity Plans & Testing:

Business continuity plans must be developed, maintained, and periodically tested for critical business functions and processes that include how information security will be maintained at an appropriate level during disruptions. Business continuity planning must include external service providers, where appropriate, to ensure that they can meet UT Institution needs and provide adequate support during disruptive events.

Compliance References:

NIST 800-53: CP-02, CP-02(01), CP-03, CP-03(01), CP-03(02), CP-04(01), CP-04

TAC202: N/A

DIR: CP-2, CP-3, CP-4

Supporting Documents:

 UTS 165.2.4 Business Continuity & Disaster Recovery (UT Credential Required)

4.4.3 Disaster Recovery Plans & Testing:

Disaster recovery plans and capabilities must be developed, maintained, and periodically tested to recover information systems to a known state within agreed timeframes after disruption, compromise, or failure, including as a result of security incidents. Disaster recovery planning must include external service providers, where appropriate, to ensure that they can meet Institution needs and provide adequate support during recovery.

Compliance References:

NIST 800-53: CP-02, CP-02(01), CP-03, CP-03(01), CP-03(02), CP-04(01), CP-04

TAC202: N/A

DIR: CP-2, CP-3, CP-4

Supporting Documents:

 UTS 165.2.4 Business Continuity & Disaster Recovery (UT Credential Required)

4.4.4 Backup Methods:

Methods and processes to generate, store, retain, and protect backup copies of data and software must be implemented and periodically tested to enable recovery of information systems and supporting business processes from loss or corruption, including as a result of security incidents. Backup methods must be implemented for critical data as well as software determined critical by the Institutions.

Compliance References:

NIST 800-53: CP-09, CP-10, CP-10(06)

TAC202: N/A

DIR: CP-9, CP-10

Supporting Documents:

 UTS 165.2.4 Business Continuity & Disaster Recovery (UT Credential Required)

4.4.5 Capacity Management:

Capacity requirements for information processing, telecommunications, and environmental support of critical and high impact information resources, as determined by business impact analyses, must be defined and implemented. Processes must be established to monitor the use of such information resources to maintain operations during disruptions per business continuity requirements and to ensure failover will be achieved within a defined timeframe.

Compliance References:

NIST 800-53: CP-06, CP-08, CP-08(05), CP-11

TAC202: N/A

DIR: CP-6, CP-8, CP-11

Supporting Documents:

 UTS 165.2.4 Business Continuity & Disaster Recovery (UT Credential Required)

4.5 Security Monitoring & Vulnerability Management Objectives

4.5.1 Threat Intelligence & Management Function:

A threat intelligence and management function must be defined and implemented that includes the collection and analysis of information on security threats (threat intelligence), appropriate sharing of threat intelligence information to provide awareness of the UT Institution threat landscape, and threat monitoring capabilities to support timely mitigation and response.

Compliance References:

NIST 800-53: SI-04(24), SI-05

TAC202: 202.73(b)

DIR: SI-5

Supporting Documents:

 UTS 165.2.5 Security Monitoring & Vulnerability Management (UT Credential Required)

4.5.2 Vulnerability Identification & Remediation:

Processes must be defined and implemented to identify and evaluate vulnerabilities on UT Institution assets and information resources that store, transmit, or process data to determine the exposure risk and to classify / prioritize vulnerabilities. Requirements for the remediation of vulnerabilities must be defined based on risk and implemented to prevent the exploitation of vulnerabilities.

Compliance References:

NIST 800-53: RA-05, RA-05(02), RA-05(05), RA-05(11), SI-04, SI-04(01), SI-04(04), SI-04(05), SI-04(07), SI-04(12), SI-04(14), SI-04(17), SI-04(19), SI-04(22)

TAC202: N/A

DIR: RA-5, RA-5(2), SI-4

Supporting Documents:

 UTS 165.2.5 Security Monitoring & Vulnerability Management (UT Credential Required)

4.5.3 Penetration Testing:

Requirements and processes must be defined and implemented to support periodic performance of penetration testing in accordance with regulatory requirements to identify vulnerabilities and assess the effectiveness of controls. Penetration testing may also be used to evaluate the ability of the UT Institutions to detect and respond to security incidents and other events.

Compliance References:

NIST 800-53: CA-08

TAC202: N/A

DIR: CA-08

Supporting Documents:

 UTS 165.2.5 Security Monitoring & Vulnerability Management (UT Credential Required)

4.5.4 Protection Against Malware:

Effective, up-to-date methods to detect and prevent malicious and / or flawed code on UT Institution assets must be defined and implemented. 

Compliance References:

NIST 800-53: SI-08, SI-08(02), SI-10

TAC202: N/A

DIR: SI-10

Supporting Documents:

 UTS 165.2.5 Security Monitoring & Vulnerability Management (UT Credential Required)

4.5.5 Network Security:

Requirements for the protection of UT Institution networks, network infrastructure and devices, and communications must be defined and implemented to protect Institution assets and data from compromise, including boundary protection, access control, traffic restrictions, and secure communications. Network protections must include lateral movement defenses and other internal and external traffic restrictions to cover all applicable network threats, including those outside of UT System boundaries.

Compliance References:

NIST 800-53: SC-05, SC-07, SC-07(04), SC-07(05), SC-07(21), SC-10

TAC202: N/A

DIR: SC-5, SC-7

Supporting Documents:

 UTS 165.2.5 Security Monitoring & Vulnerability Management (UT Credential Required)

4.5.6 Management of Cloud Services:

Processes for acquisition, management, and exit from cloud computing (cloud services) must be defined and implemented to ensure the appropriate level of protection for UT Institution data stored, processed, or transmitted in the cloud is maintained and that cloud services are implemented with effective security protections.

Compliance References:

NIST 800-53: SA-04, SA-09, SR-05

TAC202: 202.77

DIR: SA-4, SA-9, SR-5

Supporting Documents:

 UTS 165.2.5 Security Monitoring & Vulnerability Management (UT Credential Required)

4.5.7 Logging:

Logging requirements must be defined and implemented for UT Institution assets, including defining event types that must be logged, the information that must be included in the logs, and log management, to identify security incidents and other events.

Compliance References:

NIST 800-53: AU-02, AU-03, AU-04, AU-05, AU-06, AU-08, AU-09, AU-11, AU-12

TAC202: 202.75

DIR: AU-2, AU-3, AU-4, AU-5, AU-6, AU-8, AU-9, AU-11, AU-12

Supporting Documents:

 UTS 165.2.5 Security Monitoring & Vulnerability Management (UT Credential Required)

4.6 Incident Management Objectives

4.6.1 Security Incident Reporting:

Mechanisms must be defined, implemented, and communicated for documenting, tracking, and reporting observed or suspected security incidents to the appropriate users (systemwide management, UT Institution management, external entities, etc.) depending on the nature of the incident through the appropriate channels to support timely security incident identification and response. The Institutional Information Security Officer (ISO) is responsible for producing and directly delivering after action reports to institutional executive leadership for incidents that the ISO deems to have had a material impact on the business or to reflect a failure in important controls.

Compliance References:

NIST 800-53: IR-06, IR-07

TAC202: 202.73

DIR: IR-6, IR-7

Supporting Documents:

UTS 165.2.6 Incident Management Standard (UT Credential Required)

4.6.2 Vendor Security Incident Reporting:

Processes and procedures for vendors that store, process, and / or transmit UT Institution data to report observed or suspected security incidents must be defined and implemented. These processes must be communicated to vendors through defined channels to support timely identification and response, containment, and resolution of security incidents.

Compliance References:

NIST 800-53: IR-06, IR-07

TAC202: 202.73

DIR: IR-6, IR-7

Supporting Documents:

UTS 165.2.6 Incident Management Standard (UT Credential Required)

4.6.3 Security Incident Response Planning:

Security incident response plans must be defined, implemented, periodically tested, and communicated, including processes to handle / manage security incidents, the appropriate reporting channels for different events, and roles and responsibilities of individuals involved in incident response.

Compliance References:

NIST 800-53: IR-02, IR-02(03), IR-03, IR-03(02), IR-04, IR-04(01), IR-04(03), IR-04(06), IR-04(09), IR-04(10), IR-05, IR-05(01), IR-06(03), IR-07(01), IR-08, IR-08(01), IR-09

TAC202: 202.73

DIR: IR-2, IR-3, IR-4, IR-5, IR-8, IR-9

Supporting Documents:

UTS 165.2.6 Incident Management Standard (UT Credential Required)

4.6.4 Response to Security Incidents:

Security incident handling procedures that describe the processes to respond to and resolve security incidents based on incident type and categorization must be defined and implemented for the efficient and effective response to security incidents. The ISO is to have unfettered access to all logs and incident related data and must not be dependent on the relevant IT organization for access to those data.

Compliance References:

NIST 800-53: IR-09

TAC202: N/A

DIR: IR-9

Supporting Documents:

UTS 165.2.6 Incident Management Standard (UT Credential Required)

4.6.5 Learning from Security Incidents:

Processes to collect evidence and identify lessons learned from security incident response and testing must be defined and implemented, including using knowledge gained to strengthen and improve security incident response capabilities and information security controls, ensuring this knowledge is shared as applicable to UT Institution stakeholders or broader users as deemed necessary depending on the nature of the incident.

Compliance References:

NIST 800-53: IR-04

TAC202: 202.73

DIR: IR-4

Supporting Documents:

UTS 165.2.6 Incident Management Standard (UT Credential Required)

4.6.6 Security Incident Communication:

Required internal and external reporting and communication requirements for security incidents must be defined, including required timing, and processes must be defined to execute such reporting and communications. External communications must consider communications to law enforcement, regulators, customers, vendors, the public, and others as identified by the Institutions.

Compliance References:

NIST 800-53: IR-04(04), IR-04(08)

TAC202: N/A

DIR: N/A

Supporting Documents:

UTS 165.2.6 Incident Management Standard (UT Credential Required)

Sec. 5 Compliance and Enforcement

UTS 165 was developed with consideration of and alignment to applicable laws and regulations, including the Texas Administrative Code Chapter 202 Subchapter C, the Texas Department of Information Resources (DIR) Security Controls Catalog, NIST 800-53 Revision 5.1.1 Security and Privacy Controls for Information Systems and Organizations, and other Privacy regulatory obligations and frameworks. Further, the objectives and requirements established in UTS 165 reflect industry best practices and internal systemwide business goals.

It is the collaborative responsibility of the roles outlined in the Authority section of this Policy to enforce these UTS 165 objectives and ensure compliance with the corresponding UTS 165 Standard requirements.

Compliance with UTS 165 Policies and Standards is mandatory unless otherwise contractually documented and agreed, or an exception to a Standard requirement is granted. In the limited and unlikely circumstance that compliance with a requirement in UTS 165 cannot be met and no feasible remediation exists, an exception to an otherwise required security control may be granted by the Institutional Information Security Officer (ISO) as authorized by applicable law and UT System and Institution Policy. Users must submit an exception request to their ISO to evaluate the exception request, assess the potential risks associated with non-compliance, and determine the feasibility of granting an exception. Exceptions must be based on an assessment of business requirements weighed against the likelihood of an unauthorized exposure, and the potential adverse consequences for users, other organizations, or the Institution were an exposure to occur. If an exception is granted by the ISO, compensating controls may be implemented to offset the risk of the exception. All approved exceptions must be documented at the Institution-level to maintain an exception log, and Institutions must develop and document their own exception-related processes in accordance with this Policy. Note that exceptions will not be granted to requirements contained in UTS 165.1.6 Acceptable Use Standard.

Violations of UTS 165 may lead to disciplinary action, up to and including involuntary separation from employment.

*Note: If you have accessed any of UT System’s resources in Office 365, you will already have access to this site. You can self-register for UT System guest access by sending a blank email from your UT institutional email address to utguest@utsystem.edu. After 15 minutes, your guest account will automatically be created and you will be able to access the UT Systemwide Contracts site with your UT institutional ID.