Standards listing
Clicking on the links below will jump you to the specific Standard.
- UTS165 Standard 1 . Information Resources Security Responsibilities and Accountability
- UTS165 Standard 2 . Acceptable Use of Information Resources
- UTS165 Standard 3 . Information Security Programs
- UTS165 Standard 4 . Access Management
- UTS165 Standard 5 . Administrative/Special Access Accounts
- UTS165 Standard 6 . Backup and Disaster Recovery
- UTS165 Standard 7 . Change Management
- UTS165 Standard 8 . Malware Prevention
- UTS165 Standard 9 . Data Classification
- UTS165 Standard 10 . Risk Management
- UTS165 Standard 11 . Safeguarding Data
- UTS165 Standard 12 . Security Incident Management
- UTS165 Standard 13 . Use and Protection of Social Security Numbers
- UTS165 Standard 14 . Information Services (IS) Privacy
- UTS165 Standard 15 . Passwords
- UTS165 Standard 16 . Data Center Security
- UTS165 Standard 17 . Security Monitoring
- UTS165 Standard 18 . Security Training
- UTS165 Standard 19 . Server and Device Configuration and Management
- UTS165 Standard 20 . Software Licensing
- UTS165 Standard 21 . System Development and Deployment
- UTS165 Standard 22 . Vendor and Third-Party Controls and Compliance
- UTS165 Standard 23 . Security Control Exceptions
- UTS165 Standard 24 . Disciplinary Actions
UTS165 Standard 1: Information Resources Security Responsibilities and Accountability.
1.1 Designation of Responsibility. All Institutions and any U. T. System governing body having oversight of Information Resources must have designated and documented roles and responsibilities for the information security function.
1.2 Chancellor. The Chancellor shall:
a) designate an individual to serve as U. T. System Chief Information Security Officer (CISO);
b) budget sufficient resources to fund ongoing information security remediation, implementation, and compliance activities that reduce compliance Risk to an acceptable level; and
c) ensure that appropriate corrective and disciplinary action is taken in the event of noncompliance.
1.3 Chief Administrative Officers. The Chief Administrative Officer at each Institution shall:
a) ensure the Institution’s compliance with this Policy and associated Standards;
b) designate an individual to serve as the Institutional Information Security Officer (ISO) who shall:
- serve in the capacity as required by 1 Texas Administrative Code 202.71 (b) with authority for that entire Institution;
- report to the President or to a senior executive, other than the Chief Information Officer or Information Resources Manager, who reports to the President; and
- have a dotted line reporting relationship to the Institution’s Compliance Officer and the U. T. System Chief Information Security Officer;
c) budget sufficient resources to fund ongoing information security remediation, implementation, and compliance activities (e.g., staffing, training, tools, and monitoring activities) that reduce compliance Risk to documented acceptable levels;
d) approve the Institution’s Information Security Program; and
e) ensure appropriate corrective and disciplinary action is taken in the event of noncompliance.
1.4 Information Resources Manager.
The IRM shall:
a) The IRM must be part of the institution’s executive management and report directly to a person with a title functionality equivalent to executive leadership (e.g. President, Provost, Chief Business Officer); [1]
b) implement security controls for the entire institution in accordance with the Institutional Information Security Program developed by the Information Security Officer; and
c) review and approve or disallow the purchase or deployment of all new Information Systems or services (infrastructure, on-premise applications, hosted or cloud services/applications, internet of things (IoT) devices)
d) ensure all assets (e.g., devices, applications, and vendor products) used by the institution are catalogued and maintained in a central inventory;
e) establish visibility (e.g., configuration management) into all assets used by the institution in a manner that does not interfere with the performance of the asset;
f) operationalize an institution-wide system management practice based on the Institutional Information Security Program and corresponding standards for vulnerability management that ensures institutional accountability and report adherence to those standards to senior institution leadership and UT System Administration on a regular basis using a method provided by UT System Administration.
_____________________________
[1] Any person who is designated by the head of the institution of higher education as the information resources manager must be a senior official of the institution. TAC 211 Subchapter C.
1.5 U. T. System Chief Information Security Officer (U. T. System CISO). The U. T. System Chief Information Security Officer shall:
a) provide leadership, strategic direction, and coordination for the U. T. Systemwide Information Security Program including issuing of Policies, Standards, Procedures, and Guidelines;
b) chair and hold meetings of the U. T. System CISO Council at least quarterly;
c) develop and oversee the U. T. Systemwide Information Security Compliance Program;
d) provide guidance relating to Institutional and Common Use Infrastructures Information Security Programs regarding organizational duties and responsibilities, covered activities, authority to act, terminology definitions, standard methodologies, and minimum Standards;
e) define the Risk management process to be used for U. T. System information security Risk management activities, and ensure performance of Risk assessment for systemwide systems that will process or store Confidential Data;
f) explore and recommend the acquisition of cybersecurity tools, resources, and services that can be utilized by multiple U. T. Institutions and for ways to share expertise among Institutions;
g) establish reporting requirements, metrics, and timelines and monitor effectiveness of security strategies at each Institution;
h) apprise the Chancellor, the U. T. System Executive Compliance Committee, and the Board of Regents on the status and effectiveness of the Information Security Compliance Programs;
i) oversee and/or monitor deployment of information security initiatives funded or sponsored through the U. T. System, and manage contracts with service providers;
j) establish processes for assessing information security proposals for U. T. System sponsorship, and oversee procurements; and
k) appoint an Information Security Officer for Common Use Infrastructures.
1.6 Information Security Officer for Common Use Infrastructures. The Information Security Officer for Common Use Infrastructures is responsible for defining, implementing, and managing an Information Security Program encompassing the U. T. System Common Use Infrastructures in accordance with requirements of the U. T. Systemwide Information Security Program and shall:
a) develop and maintain a current and comprehensive Information Security Program, that includes Risk assessment, metrics, action plans, training plans, monitoring plans, and adoption of Policies, Standards, Procedures, and/or Guidelines as needed;
b) coordinate with Institutional Information Security Officers, Information Resource Managers, facilities management, and governance groups to ensure appropriate Policies, Standards, Procedures, and/or Guidelines are established, and responsible parties are assigned;
c) monitor the effectiveness of security controls and submit required reports to the U. T. System Chief Information Security Officer; and
d) serve as a member of the U. T. System Chief Information Security Officer Council, and perform other tasks similar in nature to an Institutional Information Security Officer.
1.7 Institutional Information Security Officer (Institutional ISO). The Institutional Information Security Officer is the individual responsible for an Institution’s Information Security Program and shall:
a) work in partnership with the University community, constituency groups, and leadership to establish effective and secure processes and information systems and to promote information security as a core Institutional value;
b) provide information security oversight for all Centralized and Decentralized IT Information Resources;
c) develop and maintain a current and comprehensive Information Security Program, that includes Risk assessment, action plans, training plans, monitoring plans, and specific Risk mitigation strategies to be used by Owners and Custodians of Mission Critical Information Resources to manage identified Risks;
d) develop Institutional Policies, Standards, Procedures, and/or Guidelines to ensure that the protection of Information Resources is considered during the development or purchase of new computer applications or services;
e) develop or adopt a Data Classification Standard that conforms or maps to UTS165 Standard 9 – Data Classification ;
f) coordinate Risk assessments required by U. T. System to be reported to the U. T. System Executive Compliance Committee or Board of Regents, and ensure that annual information security Risk assessments are performed and documented by Owners of Mission Critical Information Resources and Information Resources containing Confidential Data in accordance with UTS165 Standard 10 – Risk Management ;
g) ensure that each Owner of Mission Critical Information Resources has designated an Information Security Administrator (ISA);
h) establish an Institutional Information Security Working Group composed of ISAs (ISA Working Group) and convene meetings at least quarterly;
i) approve and document any exceptions to information security Policies or Standards, other than UTS165 Standard 2 – Acceptable Use of Information Resources , within the Institution in accordance with UTS165 Standard 23 – Security Control Exceptions ;
j) document and justify, in collaboration with the Owners, exceptions to specific elements of the program required due to circumstances within a specific organizational unit(s) within an Institution, and include such exceptions in the annual report to the Chief Administrative Officer;
k) establish reporting requirements, metrics, and timelines, and monitor effectiveness of security strategies implemented in both Centralized and Decentralized IT;
l) perform, at a minimum, an annual vulnerability assessment of Information Resources maintained in both Centralized and Decentralized IT and track implementation of any remediation required as a result of the assessment;
m) ensure that an annual external network penetration test is performed and track implementation of needed Risk remediation;
n) specify and require use of appropriate security software such as anti-Malware, firewall, configuration management, and other security related software on Computing Devices owned, leased, or under the custody of any department, operating unit, employee, or other individual providing services to the Institution;
o) establish and communicate security configuration requirements and Guidelines;
p) ensure Computing Devices are administered by appropriately trained staff and in accordance with Policies, Standards, and Procedures;
q) review the security requirements, specifications, and third-party Risk assessments of any new computer applications or services that receive, maintain, and/or share Confidential Data;
r) approve security requirements for the purchase of Information Technology hardware, software, and systems development services;
s) ensure all employees receive periodic information security training appropriate to the security role (such as Owner or ISA) if the employee, including high-level information security awareness training as part of each employee’s first-time compliance training;
t) communicate instances of noncompliance to appropriate administrative officers for corrective, restorative, and/or disciplinary action;
u) investigate Security Incidents and inform the Chief Administrative Officer of incidents posing significant Risk to individuals, the Institution, or other organizations;
v) report Significant Information Security Incidents, as defined by the U. T. System Security Incident Reporting Requirement , to the U. T. System CISO;
w) participate in the U. T. System CISO Council meetings, workgroups, and related activities;
x) report to the U. T. System CISO in accordance with Program reporting guidance and metrics;
y) provide updates to the Institutional Compliance Committee regarding information security Risks and issues; and
z) provide a report, at least annually, to the Chief Administrative Officer with copies to the Institution’s Chief Information Officer and Compliance Officer and the U.T. System CISO on the status and effectiveness of Information Resources security controls for the whole Institution in accordance with reporting instructions provided by the U. T. System Chief Information Security Officer.
1.8 Department Heads and Lead Researchers. Department Heads and Lead Researchers at each Institution shall classify and appropriately secure Data under their control including Data held in relation to subcontracts for projects in which the prime award is at another Institution or agency.
1.9 Information Resources Owners. For Information Resources and Data under their authority, Owners shall:
a) grant access to Information Systems and Data;
b) control and monitor access to Data based on Data sensitivity and Risk;
c) classify Data based on the Institution’s Data Classification Standard;
d) conduct Risk assessments that identify the Information Resources under their authority and the level of Risk associated with the Information Resources and the vulnerabilities, if any, to the Institution’s information security environment;
e) define, recommend, and document acceptable Risk levels for Information Resources and Risk mitigation strategies;
f) document and justify, in collaboration with the ISO, any exceptions to specific program requirements due to extenuating circumstances within the Owner’s area of responsibility;
g) ensure that Data is securely backed up in accordance with Risk management decisions;
h) ensure that Data is maintained in accordance with the applicable University records retention schedule and Procedures;
i) provide documented permission and justification for any User who is to store Confidential University Data on a Portable Computing Device or a Non-University Owned Computing Device;
j) ensure that High Risk Computing Devices and Confidential Data are encrypted in accordance with requirements specified in UTS165 Standard 11 - Safeguarding Data ;
k) ensure that Information Resources under their authority are administered by qualified Information Resources Custodians;
l) ensure that a Risk assessment is performed prior to purchase of any software that has not been previously assessed by the Institution for use under similar circumstances;
m) ensure that a third-party Risk assessment is performed prior to purchase of Vendor services that involve hosting or accessing University Data; and
n) ensure that contracts involving products or services that impact Information Resources contain information security language appropriate to the Risk.
1.10 Owner of Mission Critical Information Resources. For Information Resources under the Owner’s authority, the Owner shall:
a) designate an individual to serve as an Information Security Administrator (ISA) to implement information security Policies and Procedures and to report incidents to the ISO;
b) provide for appropriate training for ISAs to ensure effective security Practices;
c) perform an annual information security Risk assessment that identifies Information Resources, levels of associated Risk, and any vulnerabilities to those Information Resources;
d) define, recommend, and document acceptable Risk levels for Information Resources and Risk mitigation strategies as needed; and
e) adopt a disaster recovery plan for Information Resources and ensure testing is performed in accordance with the requirements of UTS165 Standard 6 - Backup and Disaster Recovery .
1.11 Information Resources Custodians. Information Resources Custodians shall:
a) implement approved Risk mitigation strategies and adhere to information security Policies and Procedures to manage Risk levels for Information Resources under their care;
b) implement monitoring controls for detecting and reporting incidents;
c) control and monitor access to Information Resources under the Custodian’s care based on sensitivity and Risk;
d) implement and adhere to approved Institutional Change Management processes to ensure secure, reliable, and stable operations;
e) encrypt High Risk Computing Devices and Confidential Data in accordance with requirements specified in UTS165 Standard 11 - Safeguarding Data ;
f) provide appropriate technical training to employees providing Information Technology, security, help-desk, or technical support for Information Resources under their responsibility; and
g) ensure that technical staff under their authority are qualified to perform their assigned duties.
1.12 Information Security Administrator. Information Security Administrators shall:
a) implement and comply with all IT Policies and Procedures relating to assigned Information Systems;
b) assist Owners in performing annual information security Risk assessments;
c) report general computing and Security Incidents to the Institutional ISO;
d) as a member of the ISA Work Group, assist the Institutional ISO in developing, implementing, and monitoring the Information Security Program, and in establishing reporting guidance, metrics, and timelines for the ISO to monitor effectiveness of security strategies; and
e) report at least annually to the Institutional ISO about the status and effectiveness of Information Resources security controls.
1.13 Institutional Offices with Designated Responsibility for Account Management . Each office within the Institution responsible for account management shall manage accounts in accordance with this UTS 165 and all other applicable U. T. System and Institutional information security Policies, Standards, and Procedures.
1.14 Institutional Office Designated with Responsibility for Network Infrastructure . Each office so designated shall be responsible for:
a) configuring and managing network resources in accordance with this UTS 165 and all other applicable U. T. System and Institutional information security Policies, Standards, and Procedures;
b) segmenting the Institutional network physically or logically to reduce the scope of potential exposure of Information Resources in the event of a Security Incident;
c) separating Internet facing applications from internal applications;
d) maintaining appropriate access to the Network Infrastructure in accordance with this UTS 165 and all other applicable U. T. System and Institutional information security Policies, Standards, and Procedures;
e) managing, testing, and updating operating systems and applications for network equipment for which it is responsible; and
f) approving all access methods, installation of all network hardware connected to the local-area network and methods and requirements for attachment of any Non-U. T. System Owned Computer Systems or Devices to the U. T. System network.
1.15 Institutional Office Charged with Supporting Information Resources. The offices so designated shall be responsible for:
a) formalizing best Practice Change Management processes into Practice Standards;
b) requiring compliance from all individuals who manage Information Systems or applications; and
c) providing support, guidance, and problem resolution to Owners, including Department Heads and Lead Researchers, and Users with respect to this Policy and applicable Standards, Policies, and Procedures.
1.16 Users.
a) All Users must comply with this U. T. System Policy for Use and Security of Information Resources (UTS165). Users who fail to comply are subject to disciplinary action in accordance with UTS165 Standard 24 – Disciplinary Actions .
b) All Users who are University employees, including student employees, or who are otherwise serving as an agent or are working on behalf of the University, must formally acknowledge and comply with the Institution’s Acceptable Use Policy as directed in UTS165 Standard 2 – Acceptable Use of Information Resources .
UTS165 Standard 2: Acceptable Use of Information Resources.
2.1 Acceptable Use Policy Requirement . All Institutions must adopt and incorporate for all purposes the U. T. System model Acceptable Use Policy that follows.
The University of Texas __________________ INFORMATION RESOURCES ACCEPTABLE USE AND SECURITY POLICY AGREEMENTAll individuals granted access to or use of System Information Resources must be aware of and agree to abide by the following acceptable use requirements: |
|
Definitions |
|
General |
|
Confidentiality & Security of Data |
|
|
|
Incidental Use of Information Resources |
|
Additional Requirements for Portable and Remote Computing |
|
Password Management |
|
User AcknowledgmentI acknowledge that I have received and read the Information Resources Acceptable Use Policy. I understand and agree that my use of University Information Resources is conditioned upon my agreement to comply with the Policy and that my failure to comply with this Policy may result in disciplinary action up to and including termination of my employment. Signature: _______________________________ Date_____________ Print Name:______________________________ |
2.2 Any deviations in an Institution’s Acceptable Use Policy from the U. T. System model Acceptable Use Policy must be reviewed and approved by the U. T. System Office of General Counsel.
2.3 The Acceptable Use Policy must address the following User responsibilities and behaviors:
a) Ownership of U. T. System and the Institution’s Information Resources and Data, including Data maintained or created on a User’s personal devices;
b) Incidental use of Information Resources, including impact of placement of personal Data on the Institution’s Information Resources;
c) User’s expectations with regard to the privacy of information stored or created on U. T. System’s and the Institution’s Information Resources; and
d) User’s responsibilities with respect to maintaining the security, integrity, and, as applicable, confidentiality of U. T. System’s and the Institution’s Information Resources.
2.4 Each Institution is responsible for ensuring that each User who is employed by the University or who provides services to or on behalf of the University acknowledges awareness of the existence of and the User’s responsibility for complying with the Institution’s Acceptable Use Policy.
UTS165 Standard 3: Information Security Programs.
3.1 Information Security Program Requirement. Each Institution and any governing body with oversight for Common Use Infrastructures must establish and maintain a Security Program that includes appropriate protections, based on risk, for all Information Resources including outsourced resources, owned, leased, or under the custodianship of any governing body or department, operating unit, or employee of the Institution.
3.2 Information Security Program. Each Security Program must include and document the following:
a) annual risk assessment;
b) current inventory of
- institution-owned or managed computing devices deployed throughout the institution, and
- Mission-Critical applications and applications containing Confidential Data;
c) strategies to address identified risks to Mission Critical Information Resources and Confidential Data;
d) annual action plan, training plan, and monitoring plan; and
e) metrics, reports, and timelines established by the U. T. System Office of Information Security.
3.3 Collection of Information Security Metrics. Each Institution must collect required metrics data in ways that are documented and verifiable.
3.4 Information Security Program Exceptions. The Owner of the Information Resource and the ISO must document and justify any exceptions to specific program requirements in accordance with requirements and processes defined in UTS165 Standard 23 – Security Control Exceptions.
UTS165 Standard 4: Access Management.
4.1 Access Management Requirement.
a) All Institutions must adopt Access Management processes to ensure that access to Information Resources is restricted to authorized Users.
b) All Institutional offices or departments that create access accounts for networks or applications must manage the accounts in accordance with defined processes and the requirements of the U. T. System Identity Management Federation Member Operating Practices (MOP) .
4.2 Access Management Process : An Access Management Process must incorporate Procedures for:
a) assigning a unique identifier for each applicant, student, employee, insured dependent, research subject, patient, alumnus, donor, contractor, and other individuals, as applicable, at the earliest possible point of contact between the individual and the Institution;
b) creating uniquely identifiable accounts for all Users. This includes accounts created for use by Vendors ( see Standard 22 );
c) disabling all generic and default accounts;
d) reviewing, removing and/or disabling accounts at least quarterly, or more often if warranted by Risk, to reflect current User needs or changes of User role or employment status;
e) expiring Passwords or disabling accounts based on Risk; and
f) managing access from wired and wireless devices, and from Remote Locations.
4.3 Remote and Wireless Access . Remote and wireless Access to U. T. System Network Infrastructure must be managed to preserve the Integrity, availability, and confidentiality of U. T. System Information. Remote and Wireless Access Policies and Procedures must:
a) establish and communicate to Users the roles and conditions under which Remote or wireless Access to Information Resources containing Confidential Data is permitted;
b) require the use of secure and encrypted connections when accessing Information Resources containing Confidential Data across the Internet, or across open segments of the Institution network or wireless network (e.g., use of VPN for access, SFTP for transfers, encrypted wireless); and
c) require monitoring for, identifying, and disabling of unauthorized (i.e., rogue) wireless access points.
4.4 Access to Institutional Networks. Through appropriate use of administrative, physical, and technical controls, the Institutional office or offices charged with maintaining the Network Infrastructure at each Institution are required to establish processes for approval of all network hardware connected to the Institutional or the U. T. System network and the methods and requirements for attachment, including any Non-U. T. System Owned Computer Systems or Devices, to ensure that such access does not compromise the operations and reliability of the network, or compromise the Integrity or use of Information contained within the network.
4.5 Data Access Control Requirement. All Owners and Custodians must control and monitor access to Data within their scope of responsibility based on Data sensitivity and Risk, and through use of appropriate administrative, physical, and technical safeguards including the following:
a) Owners must limit access to records containing Confidential Data to those employees who need access for the performance of the employees' job responsibilities. An employee may not access Confidential Data if it is not necessary and relevant to the employee’s job function.
b) Owners and Custodians must monitor access to records containing Confidential Data by the use of appropriate measures as determined by applicable Policies, Standards, Procedures, and regulatory requirements.
c) Owners and Custodians must establish log capture and review processes based on Risk and applicable Policies, Standards, Procedures, and regulatory requirements. Such processes must define:
- the Data elements to be captured in logs;
- the time interval for custodial review of the logs; and
- the appropriate retention period for logs.
d) Employees may not disclose Confidential Data to unauthorized persons or Institutions except:
- as required or permitted by law, and, if required, with the consent of the Data Owner;
- where the third-party is the agent or contractor for the Institution and the safeguards described in Standard 4.6 are in place to prevent unauthorized distribution; or
- as approved by the Institution’s legal office or the Office of General Counsel.
4.6 Access for Third-Parties. If an Institution intends to provide University Data to a third-party acting as an agent of or otherwise on behalf of that Institution (example: an application service provider) a written agreement with the third-party is required.
a) Such third-party agreements must specify:
- the Data authorized to be accessed;
- the circumstances under and purposes for which the Data may be used; and
- that all Data must be returned to the Institution, or destroyed, in a manner specified by the Institution upon end of the third-party engagement.
b) If the Institution determines that its provision of Data to a third-party will result in significant Risk to the confidentiality, Integrity, or availability of such Data, the agreement must specify terms and conditions, including appropriate administrative, physical, and technical safeguards for protecting the Data.
4.7 Two-factor Authentication Requirements. Effective August 31, 2015, Two-factor Authentication is required in the following situations:
a) when an employee or other individual providing services on behalf of the University (such as a student employee, contractor, or volunteer) logs on to a University network using an enterprise Remote Access gateway such as VPN, Terminal Server, Connect, Citrix, or similar services;
b) when an individual described in (a) who is working from a Remote Location uses an online function such as a web page to access or modify employee banking, tax, or financial information; (change to be effective 12/31/2017)
c) when a Server administrator or other individual working from a Remote Location uses administrator credentials to access a Server that contains or has access to Confidential University Data.
d) when an individual described in (a) who is working from a Remote Location accesses a web-based interface to University email. (change to be effective 11/9/2018). At the discretion of the institution’s CISO, student employees may be exempted from this requirement
e) requests to other exceptions to this policy may be submitted to the Chief Information Security Officer of the U. T. System.
UTS165 Standard 5: Administrative/Special Access Accounts.
Each Institution must adopt Institutional Standards and/or Procedures to ensure that all administrative/special access accounts with elevated access privileges on computers, network devices, or other critical equipment (example: accounts used by system administrators and network managers) are used only for their intended administrative purpose and to ensure that all authorized Users are made aware of the responsibilities associated with use of privileged special access accounts. These Procedures must address:
a) acceptable use of administrative/special access accounts and intended administrative purposes;
b) authorization required for use of administrative/special access accounts;
c) the need to review, remove, and/or disable administrative/special access accounts at least annually, or more often if warranted by Risk, to reflect current authorized User needs or Changes of User role or employment, or other status conferring access; and
d) the need to escrow login Passwords for each secured system for access during emergencies. Individual User login Passwords shall not be escrowed.
UTS165 Standard 6: Backup and Disaster Recovery.
6.1 Backup Plan Requirement . All U. T. System Data, including Data associated with research, must be backed up in accordance with Risk management decisions implemented by the Data Owner. Each Institution’s Backup plan must incorporate Procedures for:
a) recovering Data and applications in case of events such as natural disasters, system disk drive failures, espionage, Data entry errors, human error, or system operations errors;
b) assigning operational responsibility for backing up of all Servers;
c) scheduling Data Backups and establishing requirements for off-site storage;
d) securing on-site/off-site storage and Media in transit; and
e) testing Backup and recovery Procedures.
6.2 Disaster Recovery Plan. Owners of Mission Critical Information Resources and of Information Resources containing Confidential Data must adopt a disaster recovery plan commensurate with the Risk and value of the Information Resource and Data. The disaster recovery plan must incorporate Procedures for:
a) recovering Data and applications in the case of events that deny access to Information Resources for an extended period (e.g., natural disasters, terrorism);
b) assigning operational responsibility for recovery tasks and communicating step-by-step implementation instructions;
c) testing the disaster recovery plan and Procedures every two years at minimum; and
d) making the disaster recovery plan available to the Institutional ISO and other stakeholders.
UTS165 Standard 7: Change Management.
7.1 Change Management Requirement. All Institutions must adopt Change Management processes to ensure secure, reliable, and stable operations to which all offices that support Mission Critical Information Resources or Network Infrastructures are required to adhere. The Change Management process must incorporate Procedures for:
a) formal identification, classification, prioritization, and request of Scheduled Changes;
b) identification and deployment of Emergency Changes;
c) assessment of potential impacts of changes, including the impact on Data classification, Risk assessment, and other security requirements;
d) authorization of changes and exceptions;
e) testing changes;
f) change implementation and back-out planning; and
g) documentation and tracking of changes.
7.2 Information Resources Custodians. All Custodians must implement and adhere to approved institutional Change Management processes to ensure secure, reliable, and stable operations.
UTS165 Standard 8: Malware Prevention.
8.1 Protecting U. T. System Infrastructure. U. T. System’s Network Infrastructure and other Information Resources must be continuously protected from threats posed by Malware.
8.2 All computing devices owned, leased, or under the control of U. T. System Institutions must implement and keep reasonably current with technology innovations for malware detection and response and adhere to any other protective measures as required by applicable Policies and Procedures.
8.3 Personally Owned Computing Devices Institution policies must clearly define appropriate use of personally owned computing devices that connect to the institution’s Network Infrastructure or other Information Resources
a) Any personally owned Computing Device that contains Confidential University Data must be configured to comply with required University security controls while holding such Data.
b) Any personally owned Computing Device that connects to a University network must be configured to comply with required University security controls while connected to such network.
UTS165 Standard 9: Data Classification.
9.1 Data Classification Standard. Each Institution within the U. T. System shall establish an Institutional Data Classification Standard that conforms to or maps to the U. T. System Data Classification Standard defined in 9.5 of this Standard.
9.2 Data Discovery. Institutional ISOs must develop a plan for identifying Digital Data maintained in both Centralized and Decentralized IT.
9.3 Classification Responsibility. Owners of Information Resources within the Institution must classify Data based on the Institutional Data Classification Standard.
9.4 The U. T. System Data Classification Standard is to be used to assess Data confidentiality, Integrity, and availability requirements for Data to be stored or processed within U. T. System Common Use Infrastructures.
9.5 The University of Texas System Data Classification Standard consists of three mutually exclusive Data classifications based on fit within a spectrum indicating the degree to which access to the Data must be restricted and Data Integrity and availability must be preserved. The three classifications are as follows:
Data Classification and Description |
Examples |
Comments |
Confidential Information / DataInformation (or Data) is classified as Confidential if it must be protected from unauthorized disclosure or public release based on State or Federal law or regulation, and by applicable legal agreement to the extent permitted by law. |
Patient billing Information and Protected Health Information subject to HIPAA or applicable state law. Student education records subject to FERPA. A credit card number associated with an individual’s name. A social security number. Medical Research Data that contains protected health information. Certain student loan Information subject to the Gramm Leach Bliley Act. |
Information (Data) cannot simply be declared to be “Confidential.” This classification is reserved for Information that is protected from public release based on State or Federal law, or a legally binding order or agreement. Likewise, Data cannot be declared to be “Confidential” under all circumstances. Context is an essential element. (In relation to the Federal Standards for Security Categorization of Federal Information and Information Systems , FIPS 199, this category equates to HIGH IMPACT for a Confidentiality, Integrity, and Availability breach) |
Controlled Information / DataThe Controlled classification applies to Information/Data that is not generally created for or made available for public consumption, but may be subject to release to the public through request via the Texas Public Information Act or similar State or Federal law. |
Operational records, operational statistics, employee salaries, budgets, expenditures. Internal communications that do not contain Confidential Information. Research Data that has not yet been published, but which does not contain Confidential Information protected by law. |
This classification likely encompasses the greatest volume of Data within the University. (In terms of FIPS 199, this category equates to MODERATE IMPACT for a Confidentiality, Integrity, and Availability breach) |
Published Information / DataPublished Information/Data includes all Data made available to the public through posting to public websites, distribution through Email, Social Media, print publications, or other Media. |
Statistical reports, Fast Facts, Published Research, unrestricted directory Information, educational content available to the public at no cost. |
Information can migrate from one classification to another based on Information life-cycle. Unpublished Research may fit the criteria of “Controlled Information” until published upon which it would become Published Information. (In terms of FIPS 199, this category equates to LOW IMPACT for a Confidentiality, Integrity, and Availability breach.) |
UTS165 Standard 10: Risk Management.
10.1 Each Institution must maintain an accurate inventory of Information Resources and identify Owners.
10.2 Information Resources Owners. For Information Resources under the Owners’ authority, Owners must:
a) in consultation with the Institutional Information Security Officer, define, approve, and document acceptable Risk levels and Risk mitigation strategies; and
b) conduct and document Risk assessments to determine Risk and the Inherent Impact that could result from their unauthorized access, use, disclosure, disruption, modification, or destruction. Timing of assessments shall be:
- annually for all Mission Critical Information Resources and Information Resources containing Confidential Data; and
- at periodic time intervals to be defined by the Resource Owner in consultation with the Institutional Information Security Officer for non-Mission Critical Information Resources and Information Resources not containing Confidential Data.
10.3 Information Resources Custodians. Custodians of Mission Critical Information Resources must implement approved Risk mitigation strategies and adhere to Information Security Policies and Procedures to manage Risk levels for Information Resources under their care.
10.4 Institutional Information Security Officer. Institutional ISOs must ensure that annual Information Security Risk assessments are performed and documented by each Owner of Mission Critical Information Resources or Information Resources containing Confidential Data.
10.5 Sponsored Projects. Principal Investigators must perform reviews, in collaboration with the Institutional ISO, of the implementation of required security controls (i.e. control objectives, controls, Policies, processes, and Procedures for Information security) for sponsored projects under their authority. Assessments for sponsored projects must be performed annually based on Risk.
10.6 Risk Assessment of Third-party Service Providers. A third-party Risk assessment is required in the following situations:
a) when purchasing services that result in exchange of University Data or hosting of University Information Systems with a Vendor or other organization; or
b) when purchasing systems or software, whether it is to be hosted on premises or at a Vendor facility, if Confidential University Data will be stored within or processed by the system or software.
10.7 U. T. System Information Security Risk Assessment Framework and Assessments. Information Security Risk Assessments that are to be aggregated for systemwide reporting to the U. T. System Executive Compliance Committee and/or the U. T. System Board of Regents shall be conducted using a risk management framework and process defined by U. T. System Office of Information Security and shall be coordinated at the Institutional level by the Institutional ISO.
10.8 Risk Acceptance. Decisions relating to acceptance of Risk must be documented and are to be made by:
a) the Information Resource Owner, in consultation with the Institutional Information Security Officer or designee, for resources having a residual Risk of Low or Moderate.
b) the Chief Administrative Officer, or designee, considering recommendations of the Owner and Institutional Information Security Officer, for resources having a residual Risk of High.
UTS165 Standard 11: Safeguarding Data.
11.1 Protection Requirement. Each Institution’s Policies, Standards, and/or Procedures must describe and require steps to protect University Data using appropriate administrative, physical, and technical controls in accordance with the Institutional Information Security Program and Data Classification Standard, and UTS165 and its associated Standards.
11.2 Non-University Third-Party Storage Services. University Data must not be stored on personally procured third-party (e.g. Cloud) storage services.
11.3 Password and Encryption Protection for Computing Devices and Data.
a) Desktop Computers.
- All High Risk Desktop Computers owned, leased, or controlled by the University must be Password protected and encrypted using methods approved by the Institution’s Information Security Officer.
- All desktop computers purchased after September 1, 2013 must be Password protected and encrypted using methods approved by the Institution’s Information Security Officer before their deployment.
b) Laptop Computers and Other Mobile Devices.
- All laptop computers and other mobile devices, including but not limited to mobile and smart phones, and tablet computers that are owned, leased, or controlled by the University, must be encrypted using methods approved by the Institution’s Information Security Officer.
- USB thumb drives and similar removable storage devices owned, leased, or controlled by the University must be encrypted before storage of any Confidential University Data on the device.
c) Personally Owned Devices. All personally owned computers, mobile devices, USB thumb drives, or similar devices must be Password protected and encrypted using methods approved by the Institution’s Information Security Officer if they contain any of the following types of University Data:
- Information made confidential by Federal or State law, regulation, or other legally binding order or agreement;
- Federal, State, University, or privately sponsored Research that requires confidentiality or is deemed sensitive by the funding entity; or
- any other Information that has been deemed by the U. T. System or a U. T. System Institution as essential to the mission or operations of System to the extent that its Integrity and security should be maintained at all times.
11.4 Assured Access to Encrypted Data.
a) For University owned, leased, or controlled devices, the Institution must use processes to ensure an ability to access encrypted Data in the event that an encryption key becomes corrupted.
b) For personally owned devices, the device owner is responsible for ensuring that encrypted Data is backed up to University owned or sanctioned storage using processes prescribed by the Institution.
11.5 Protecting Data in Transit. All Institutions shall adopt Policies, Standards, and/or Procedures and implement appropriate administrative, physical, and technical safeguards necessary to adequately protect the security of Data during transport and electronic transmissions. Each of the following shall be addressed:
a) identification and transmission of the least amount of Confidential Data required to achieve the intended business objective;
b) encryption of all Confidential Data transmitted over the Internet;
c) encryption of all Confidential Data transmitted between Institutions and Shared Data Centers; and
d) deletion of transmitted and received Confidential Data upon completion of the intended business objective.
11.6 Protecting Common Use Information Resources.
a) The ISO for Common Use Infrastructures is responsible for implementation of an Information Security Program for Common Use Infrastructures, and for documenting associated roles and responsibilities.
b) For services provided via Common Use Infrastructures, Memorandum of Understanding (MOU) documents between U. T. System and host Institutions, and between U. T. System and participant Institutions must identify roles and responsibilities for provision of Information security controls.
11.7 Discarding Electronic Media. Institutions must discard Electronic Devices and Media containing University Data:
a) in a manner that adequately protects the confidentiality of the Data and renders it unrecoverable, such as overwriting or modifying the Electronic Media to make it unreadable or indecipherable or otherwise physically destroying the Electronic Media; and
b) in accordance with the applicable institutional records retention schedule.
11.8. Vetting Online and Mobile Applications that Process Confidential Information.
As required by Section 2054.517 of the Texas Government Code, each institution shall adopt and implement a policy for Internet website and mobile application security procedures that complies with this Standard. The institutional ISO is responsible for developing and implementing the policy and procedures in conjunction with the institution’s legal office (or, if no legal office exists, the UT System Office of General Counsel), Privacy Officer, and other officials responsible for compliance with privacy laws (including HIPAA and FERPA) and data security laws. The policy and procedures should consider business processes such as contracting, acceptance testing, and system deployment, etc.
a) Before deploying an Internet website or mobile application that processes confidential information for an institution of higher education, the developer of the website or application for the institution must submit to the Institutional ISO the information required under policies adopted by the institution to protect the privacy of individuals by preserving the confidentiality of information processed by the website or application. At a minimum, the institution's policies must require the developer to submit information describing:
- the architecture of the website or application;
- the authentication mechanism for the website or application; and
- the administrator level access to data included in the website or application.
b) Before deploying an Internet website or mobile application described by Subsection (a), an institution must subject the website or application to a vulnerability and penetration test conducted internally or by an independent third party. Review and acceptance of the findings shall comply with UTS 165 Standard 10.8.
c) Each institution shall submit to the Texas Department of Information Resources the policies adopted as required by Subsection The Institutional ISO is responsible for ultimate content of the policy.
UTS165 Standard 12: Security Incident Management.
12.1 Reporting Requirements. Security Incidents will be reported as required by State and Federal law and University Policy including the U. T. System Information Security Incident Reporting Requirements.
12.2 Incident Management Procedures. All Institutions must adopt Incident Management Procedures to ensure that each Security Incident is reported, documented, and resolved in a manner that meets legal requirements and restores operations quickly. Incident Management must incorporate Procedures for:
a) formally identifying, classifying, and reporting Security Incidents;
b) responding to Security Incidents;
c) assessing potential damage of Security Incidents;
d) gathering and preserving physical and electronic evidence;
e) assigning responsibility for gathering, maintaining, and reporting detailed Information regarding Security Incidents of local and U. T. Systemwide significance; for actions taken to remediate; and for documentation of a management action plan to prevent a recurrence;
f) notifying appropriate Institutional and U. T. System officials, residents of Texas, Data Owners, Federal and State agencies, and consumer reporting agencies as required by applicable State and Federal law and U. T. System Policy;
g) determining and adhering to timing requirements for incident disclosure and notification; and
h) determining and adhering to an appropriate medium to provide notice based on incident significance, number of individuals adversely impacted, University Policy, applicable Federal and State law and regulations, and any contractual obligations with third-party organizations.
12.3 Employee Reporting. All employees must promptly report unauthorized or inappropriate disclosure of Confidential Data, in digital, paper, or any other format, to their supervisors and the Institutional Information Security Office.
12.4 Reporting to the Institutional Information Security Officer. Information Resources Owners, Custodians, and any supervisor or manager who becomes aware of a Security Incident is to report the incident to the Institutional Information Security Officer.
12.5 Reporting Requirements to U. T. System.
a) Notification of a Significant Attack.
Institutional ISOs or their designees must notify the U. T. System CISO, or the Assistant CISO for Systemwide Services as soon as practical but no later than 12 hours after detecting a Significant Attack. Notification must not wait for confirmation or validation of the detected event, but should include indication of the confidence level by the submitting institution.
A Significant Attack is defined as
- evidence of unauthorized third-party activity within an institution’s network, and includes, but is not limited to:
a. malware that is spreading;
b. ransomware;
c. nation-state activity inside an institution’s network; or
d. any equivalent activity of similar severity.
2. An extortion demand.
b) Sharing Technical Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) during a Significant Attack.
Information sharing about technical details of a Significant Attack is valuable to help other U. T. institutions improve their defense and detection capabilities and ensure that they do not suffer the same method of attack.
After the initial notification described in (a), Institutional ISOs or their designees must provide IOCs and TTPs to the U. T. System CISO or the Assistant CISO for Systemwide Services within 6 hours of identification of the information.. At its discretion, U. T. System may provide the information to other U. T. institutions.
IOCs include, but are not limited to:
- hash values;
- IP addresses; and
- malware types and/or signatures, domains used by an attacker;
TTPs include, but are not limited to:
- methods of obtaining credentials with escalated privileges;
- establishing back doors;
- exfiltrating data;
- other means of persistence within a system or network; and
- attack vectors such as;
a. unknown;
b. brute force;
c. web;
d. email/phishing;
e. external removable media;
f. impersonation spoofing;
g. improper usage; and
h. loss or theft of equipment.
Institutions that receive IOCs and TTPs must treat the information as highly confidential and share it only on a need-to-know basis to protect the receiving Institution. Questions about the incident, IoCs, or TTPs should be directed to U. T. System.
c) Reporting Significant Security Incidents.
ISOs must report Significant Security Incidents in the Incident Reporting System within one week of the onset or discovery of the incident.
Significant Security Incidents include, but are not limited to, incidents that involve:
- Disruption to business operations (partial or total service disruption in one or more lines of business for more than 1 day);
- Suspension or termination of a network connection to a third party in order to avoid potential contagion;
- Unauthorized disclosure of University Confidential or Controlled Data;
- Theft of intellectual property by internal or external actors;
- Loss of an unencrypted device thought to have Confidential or Controlled data;
- A crime, or that trigger external reporting or disclosure obligations, or that create regulatory consequences;
- Potential coverage by media, including any online media; or
- Likely reputational harm to the institution or the U. T. System.
12.6 Monitoring Techniques and Procedures. Custodians must implement monitoring controls and Procedures for detecting, reporting, and investigating incidents.
UTS165 Standard 13: Use and Protection of Social Security Numbers.
U. T. System recognizes the special Risks associated with the collection, use, and disclosure of all or part of a social security number. Accordingly, the requirements of this Standard apply to all or part of a social security number contained in any medium, including paper records, that are collected, maintained, used, or disclosed by any Institution except UTIMCO.
13.1 All Institutions shall reduce the use and collection of social security numbers.
a) All Institutions shall discontinue the use of all or part of the social security number as an individual's primary identification number unless required or permitted by law. The social security number may be stored as a confidential attribute associated with an individual only if use of the social security number is essential for the performance of a mission related duty.
b) If the maintenance and use of social security numbers is permitted, but not required by applicable law, the Institution shall permit the maintenance and use of social security numbers only as reasonably necessary for the proper administration or accomplishment of their respective business, governmental, educational and medical purposes and only if the Institution determines that the necessity outweighs the potential Risk created by the particular maintenance or use of the social security number. Potential purpose may include:
- use as a means of identifying an individual for whom a unique identification number is not known;
- use for internal verification or administrative purposes where it is not feasible to use some other identifier; and
- use for verification or administrative purposes by a third-party or its agent in conducting the Institution’s business on behalf of the Institution where the third-party or agent has contracted to comply with the safeguards described in UTS165 Standard 11 - Safeguarding Data .
c) Except in those instances in which an Institution is legally required to collect a social security number, an individual shall not be required to disclose all or part of his or her social security number, nor shall the individual be denied access to the services at issue if the individual refuses to disclose his or her social security number. An individual, however, may volunteer his or her social security number. An Institution’s request that an individual provide his or her social security number for verification of the individual's identity where the social security number has already been disclosed does not constitute a disclosure for purposes of this Standard. Questions about whether a particular use is required by law should be directed to the local Information Security Officer who will consult with the Office of General Counsel with respect to the interpretation of law.
d) An Institution may, but is not required to, designate only selected offices and positions as authorized to request that an individual disclose his or her social security number.
e) All Institutions shall assign a unique identifier for each applicant, student, employee, insured dependent, research subject, patient, alumnus, donor, contractor, and other individuals, as applicable, at the earliest possible point of contact between the individual and the Institution for use in lieu of a social security number.
f) The unique identifier shall be used in all electronic and paper Information Systems to identify, track, and serve these individuals. The unique identifier shall:
- be a component of a system that provides a mechanism for the public identification of individuals;
- be permanent and unique within the Institution as applicable, and remain the property of, and subject to the rules of, that Institution; and
- not be derived from the social security number of the individual; or, in the alternative, if the unique identifier is derived from the social security number, it must be computationally infeasible to ascertain the social security number from the corresponding unique identifier.
g) All services and Information Systems shall rely on the identification services provided by the unique identifier system.
13.2 All Institutions shall provide notice to individuals when they collect social security numbers.
a) Each time an Institution requests that an individual initially disclose his or her social security number, it shall provide the notice required by Section 7 of the Federal Privacy Act of 1974 (5 U.S.C. § 552a) , which requires that the individual be informed whether the disclosure is mandatory or voluntary, by what statutory or other authority the number is solicited, and what uses will be made of it. A subsequent request for production of a social security number for verification purposes does not require the provision of another notice.
- The notice shall use the applicable text from Preapproved Sample Disclosures or such other text as may be approved by the Institution’s legal office or Office of General Counsel.
- Notices shall be in writing if possible. If a verbal notice is required, such notice shall be promptly documented.
b) In addition to the notice required by the Federal Privacy Act, when the social security number is collected by means of a form completed and filed by the individual, whether the form is printed or electronic, the notice as required by Section 559.003 of the Texas Government Code must also be provided. That section requires that the agency state on the paper form or prominently post on the Internet site in connection with the form that: with few exceptions, the individual is entitled on request to be informed about the Information that is collected about the individual; under Sections 552.021 and 552.023 of the Government Code , the individual is entitled to receive and review the Information; and under Section 559.004 of the Government Code , the individual is entitled to have the incorrect Information about the individual corrected.
c) Employees may not seek out or use social security numbers relating to others for their own interest or advantage.
d) All Institutions shall eliminate the public display of social security numbers.
- Grades may not be publicly posted or displayed in a manner in which all or any portion of either the social security number or the unique identifier identifies the individual associated with the Information.
- Social security numbers shall not be displayed on documents that are accessible to individuals who do not have a business reason to access the numbers. This section does not prohibit the inclusion of the social security number on transcripts or on materials for Federal or State Data reporting requirements.
- If an Institution must send materials containing social security numbers through the mail, the social security number must be placed in an envelope in such a way that ensures that no part of the social security number is visible from the outside.
- The Institution shall prohibit employees from sending social security numbers over the Internet or by email unless the connection is secure or the social security number is encrypted or otherwise secured. The Institution shall require employees sending social security numbers by fax to take appropriate measures to protect the confidentiality of the fax (such measures may include confirming with the recipient that the recipient is monitoring the fax machine).
- The Institution shall not print or permit a third-party acting on behalf of the Institution to require that an individual's social security number be printed on a card or other device required to access a product or service provided by, on behalf of, or through the Institution.
13.3 All Information Systems acquired or developed must comply with the following:
a) the Information System must use the social security number only as a Data element or alternate key to a database and not as a primary key to a database;
b) the Information System must not display social security numbers visually (such as on monitors, printed forms, system outputs) unless required or permitted by law or permitted by this Standard;
c) name and directory systems must be capable of being indexed or keyed on the unique identifier, once it is assigned, and not on the social security number; and
d) for those databases that require social security numbers, the databases may automatically cross-reference between the social security number and other Information through the use of conversion tables within the Information System or other technical mechanisms.
UTS165 Standard 14: Information Services (IS) Privacy.
Users who are University employees, including student employees, or who are otherwise serving as an agent or are working on behalf of the University have no expectation of privacy regarding any University Data they create, send, receive, or store on University-owned computers, Servers, or other Information Resources owned by, or held on behalf of, the University. The University may access and monitor its Information Resources for any purpose consistent with the University’s duties and/or mission without notice.
UTS165 Standard 15: Passwords.
15.1 Procedures . In order to preserve the security of U. T. System Information Resources and Data, Strong Passwords must be used to control access to Information Resources. All Passwords must be constructed, implemented, and maintained according to the requirements of the U. T. System Identity Management Federation Member Operating Practices (MOP) and applicable Policies, Standards, and/or Procedures governing Password management. Institutional Policies, Standards, and/or Procedures must incorporate processes for:
a) ensuring User identity when issuing or resetting a Password;
b) establishing and enforcing Password strength;
c) changing Passwords;
d) managing security tokens when applicable;
e) securing unattended Computing Devices from unauthorized access by implementing mechanisms to prevent password guessing (e.g., lockout after multiple login attempts) and to block access to idle sessions (e.g., a password-protected locking screen saver, session time-outs); and
f) ensuring that Passwords are only accessed by or visible to the authenticating User, device, or system.
15.2 Sharing. Users must not share Passwords or similar Information, or devices used for identification and authorization purposes.
UTS165 Standard 16: Data Center Security.
16.1 Protection. All Information Resources must be physically protected based on Risk.
16.2 Safeguards. All Institutions shall adopt safeguards to ensure appropriate granting, controlling, and monitoring of physical access. Physical access safeguards must incorporate Procedures for:
a) protecting facilities in proportion to the criticality or importance of their function and the confidentiality of any Information Resources affected;
b) managing access cards, badges, and/or keys;
c) granting, changing, and/or removing physical access to facilities to reflect changes in an individual’s role or employment status; and
d) controlling visitor and Vendor physical access with Procedures that incorporate the following:
- advanced scheduling, logging, and documenting of visits;
- escorting while on premises; and
- restricting the unauthorized use of photographic and video devices while on premises.
16.3 Central IT Managed Data Centers and U. T. System Shared Data Centers. In addition to the controls required in Standard 16.2, Data Centers managed by Institutional Central IT organizations and the U. T. System Shared Data Centers must incorporate procedures for each of the following:
a) reviewing physical access at least monthly, or more often if warranted by Risk;
b) designating staff who will have authorized access during an emergency;
c) monitoring the exterior and interior of the facility 24/7 by trained staff;
d) maintaining appropriate environmental controls such as alarms that monitor heat and humidity, fire suppression and detection systems supported by an independent energy source, and uninterruptable power systems capable of supporting all Computing Devices in the event of a primary power system failure; and
e) protecting any Shared or Central IT managed Data Center built after the effective date of this Standard by implementing and maintaining the following:
- security fencing, lighting, and landscaping to prevent concealment of intruders;
- electronic alarms for all entry points into the facility and any internal areas housing critical infrastructure; and
- computer rooms with no externally facing windows.
16.4 Decentralized IT Managed Data Centers. In addition to the controls required in Standard 16.2, the ISO shall develop Institutional Standards and safeguards to protect Decentralized IT Data Centers based on Risk.
UTS165 Standard 17: Security Monitoring.
17.1 At minimum, the Institutional Information Security Officer must ensure:
a) that network traffic and use of Information Resources is monitored as authorized by applicable law and only for purposes of fulfilling a System or Institutional mission related duty;
b) Server and network logs are reviewed manually or through automated processes on a scheduled basis based on Risk and regulation to ensure that Information Resources containing Confidential Data are not being inappropriately accessed;
c) vulnerability assessments are performed annually, at minimum, to identify software and configuration weaknesses within information systems maintained in both Centralized and Decentralized IT;
d) an annual, professionally administered and reported external network penetration test is performed; and
e) that results of log reviews, vulnerability assessments, penetration tests, and IT audits are available to the ISO and that required remediation is implemented.
UTS165 Standard 18: Security Training.
18.1 Initial and Recurring Training. The Institutional ISO shall ensure that security training is delivered and tracked. Initial and recurring training:
a) should, at minimum, identify User responsibilities, common threats, regulatory and Institutional requirements regarding the acceptable use and security of Information Resources, proper handling of Confidential Data, and incident notification; and
b) is to be administered in accordance with the following schedule, or more frequently as determined by an Institution.
- Each new, temporary, contract, assigned, or engaged employee or worker must complete initial training within 30 days after the date that such a person is hired by the Institution or otherwise engaged or assigned to perform such work.
- Recurring training for employees and workers with access to Institutional Information Resources shall take place at least every two years.
18.2 In addition to initial training, Owners and Custodians should receive periodic training addressing the responsibilities associated with their roles. Method of delivery and scheduling of such training should be determined by the ISO.
18.3 Awareness Training should, at minimum, identify common threats, proper handling of Confidential Data, behaviors that increase Risk, behaviors that reduce Risk, and incident notification. Method of delivery and scheduling of awareness training should be determined by the Institutional ISO.
18.4 Technical Support Training. Owners and Custodians must provide, based on role, appropriate technical training equivalent to current industry standards for Information Security Administrators and employees providing Information Technology help-desk or technical support for Information Resources under their authority.
UTS165 Standard 19: Server and Device Configuration and Management.
19.1 Network Infrastructure Configuration. All Institutions must designate responsibility for the Institutional Network Infrastructure and specify those responsible for:
a) configuring and managing the resource in accordance with U. T. System and Institutional information security Policies, Standards, and Procedures by:
- segmenting the Institutional network either physically or logically to reduce the scope of exposure of Information Resources commensurate with the Risk and value of the Information Resource and Data; and
- separating Internet-facing applications from internal applications;
b) maintaining appropriate access to the Network Infrastructure in accordance with U. T. System and Institutional information security Policies, Standards, and Procedures; and
c) managing, testing, and installing updates to operating systems and applications for network equipment under their responsibility.
19.2 Server Hardening. To protect against malicious attack, all Servers on U. T. System networks will be security hardened based on Risk and must be administered according to Policies, Standards, and Procedures prescribed by the Institution, as applicable, and must incorporate Procedures for:
a) identifying and assigning appropriately trained administrators for all Mission Critical Servers, or Servers supporting Information Systems containing Confidential Data;
b) setting baseline security “hardened” configuration Standards for all Servers; and
c) managing the testing and installation of service packs, hot fixes, and security patches.
19.3 Device Configuration. All devices (e.g., routers, laptops, tablets, desktops, and handheld devices) on U. T. System networks must be protected against malicious attack. The Institutional ISO shall establish and communicate security configurations based on Risk and incorporate Procedures for:
a) setting baseline security “hardened” configuration Standards for all devices;
b) establishing and making available minimum security configurations for University-owned and Non-University Owned Portable Computing Devices; and
c) recommended patch management practices.
19.4 Device Management . The Institutional ISO shall ensure that devices are administered by professionally trained staff in accordance with Policies, Standards, and Procedures prescribed by the Institution.
19.5 Access to Information Security Information and Devices. All Owners and Custodians of University owned, leased, or controlled Information Resources must provide the Institutional ISO with direct access to detailed security status Information including, but not restricted to the following: firewall rules, IPS/IDS rules, security configurations and patch status; and sufficient access rights to Servers and devices to independently and effectively execute Institutional ISO monitoring duties.
UTS165 Standard 20: Software Licensing.
Software is to be used in accordance with the applicable licensing agreement. Unauthorized or unlicensed use of software is prohibited and subjects the User to disciplinary action. Any unauthorized or unlicensed use is deemed to be without the consent of U. T. System.
UTS165 Standard 21: System Development and Deployment.
21.1 Information Security Consideration. All Institutions must adopt Institutional Policies, Standards and/or Procedures to ensure that the protection of Information Resources (including Data confidentiality, integrity, and availability) is considered during the development or purchase of new Information Systems or services.
21.2 Redundant Information Systems or Services. Information Systems that duplicate services provided by the Institution’s Central IT organization are discouraged because they increase opportunity for exposure of Data. The Information Resources Manager shall approve the purchase or deployment of new Decentralized IT Information Systems or services (e.g., electronic mail/web/file servers, file/system backup, storage, etc.) that duplicate applications or services provided by Centralized IT. The Owner of the duplicative Information System and the IRM must document and justify exceptions based on business need, weighed against Risk of unauthorized access or loss of Data.
21.3 Required Controls. The Institutional ISO shall develop institutional Policies, Standards, and/or Procedures that address the following:
a) providing methods for appropriately restricting privileges of authorized Users to all production systems, applications, Data, and University-owned devices. User access to applications is granted on a need-to-access basis;
b) maintaining separate production and development environments to ensure the security and reliability of the production system;
c) performing a security assessment prior to the purchase of any new information security services that receive, maintain, and/or share Confidential Data;
d) including vulnerability assessments and code scans to the Information Systems development cycle; and
e) performing a vulnerability assessment and including a static or dynamic code scan of all new web applications prior to moving them to production.
21.4 Security Review and Approval. The Institutional ISO must review and approve security requirements, specifications, and, if applicable, third-party Risk assessments for any new computer hardware, software, applications, or services that are Mission Critical or that receive, maintain, and/or share Confidential Data.
21.5 IT Systems Contracts. Contracts for purchase or development of automated systems must address security, backup, and privacy requirements, and should include right-to-audit and other provisions to provide appropriate assurances that applications and Data will be adequately protected.
UTS165 Standard 22: Vendor and Third-Party Controls and Compliance.
The U. T. System recognizes that Vendors and other contractors serve an important function in the development and/or support of services, hardware, and software and, in some cases, the operation of computer networks, Servers, and/or applications. This standard applies to contracts entered into by U. T. System or an Institution that involves third-party access to or creation of Information Resources or University Data by a third-party.
22.1 Contracts. Contracts of any kind, including purchase orders, memoranda of understanding (MOU), letters of agreement, or any other type of legally binding agreement, that involve current or future third-party access to or creation of Information Resources and/or Data must include terms determined by the Office of General Counsel as sufficient to ensure that Vendors and any subcontractors or other third-parties that maintain, create, or access University Data as the result of the contract comply with all applicable Federal and State security and privacy laws, this UTS 165, and any applicable U. T. System and University Policies or Standards, and must contain terms that ensure that all University Data affected by the contract is maintained in accordance with those standards at all times, including post-termination of the contract.
22.2 The Data Owner, Institutional procurement officers and staff, and the ISO are jointly and separately responsible for ensuring that all contracts are reviewed to determine whether the contract involves third-party access to, outsourcing, maintenance, or creation of University Data; and that all such access, outsourcing, or maintenance fully complies with this Standard at all times.
22.3 Any contract involving third-party access to, creation, or maintenance of Protected Health Information (PHI) as defined in 45 C.F.R. § 164.501 , must include a Health Insurance Portability and Accountability Act (HIPAA) business associate agreement in a form approved by Institutional counsel or OGC.
22.4 Any contract involving third-party-provided credit card services must require that the Contractor provides assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in the provision of the services.
22.5 Vendor or other Third-Party Assessment. Prior to access, maintenance, or creation of University Data by a Vendor or any other third-party, the Institution must ensure that an assessment is or has been performed that is designed to ensure that:
a) the Vendor has sufficient technological, administrative, and physical safeguards to ensure the confidentiality, security, and Integrity of the Data at rest and during any transmission or transfer; and
b) any subcontractor or other third-party that will access, maintain, or create Data pursuant to the contract will also ensure the confidentiality, security, and Integrity of such Data while it is at rest and during any transmission or transfer.
22.6 As part of the Institution’s assessment of a Vendor or other third-party, the Institution will request copies of any self-assessments or third-party assessments that the Vendor or third-party has access to.
22.7 Access Control Measures. Each Institution must control Vendor and other third-party access to its Data based on Data sensitivity and Risk. Controls must incorporate the following:
a) Vendor must represent, warrant, and certify it will:
1. hold all Confidential Data in the strictest confidence;
2. not release any Confidential Data unless Vendor obtains Institution’s prior written approval and performs such a release in full compliance with all applicable privacy laws, including the Family Educational Rights and Privacy Act (FERPA);
3. not otherwise use or disclose Confidential Data except as required or permitted by law;
4. safeguard Data according to all commercially reasonable administrative, physical, and technical Standards (e.g., such Standards established by the National Institute of Standards and Technology or the Center for Internet Security);
5. continually monitor its operations and take any action necessary to assure the Data is safeguarded in accordance with the terms of UTS165 Policy and Standards; and
6. comply with the Vendor access requirements that are set forth in this Standard.
22.8 Breach Notification. Institutions shall require the following from the Vendor.
a) If an unauthorized use or disclosure of any Confidential Data occurs, the Vendor must provide:
- written notice within one business day, or if The Data Owner, Institutional procurement officers, and the ISO are satisfied that a longer period is acceptable, within that period, after Vendor’s or third-party’s discovery of such use or disclosure; and
- all Information U. T. System requests concerning such unauthorized use or disclosure.
22.9 Return of Data. Within 30 days after the termination or expiration of a purchase order, contract, or agreement for any reason, Vendor must either:
a) return or securely destroy, as specified by contract or agreement, all Data provided to the Vendor by the Institution, including all Confidential Data provided to Vendor’s employees, subcontractors, agents, or other affiliated persons or Institutions; or
b) in the event that returning or securely destroying the Data is infeasible, provide notification of the conditions that make return or destruction infeasible, in which case the Vendor or third-party must:
- continue to protect all Data that it retains;
- agree to limit further uses and disclosures of such Data to those purposes that make the return or destruction infeasible for as long as Vendor or other third-party maintains such Data; and
- to the extent possible, de-identify such Data.
UTS165 Standard 23: Security Control Exceptions
23.1 Exception to an otherwise required security control may be granted by the Institutional ISO to address specific circumstances or business needs relating to an individual program or department only as authorized by applicable law, and System and Institutional Policy. Requests for exceptions of this type should be in writing and should be initiated by the Data Owner. Both the Institutional ISO and Data Owner are jointly responsible for ensuring that any exception is not contrary to applicable law.
23.2 The Information Security Officer may issue blanket exceptions to address Institution-wide situations.
23.3 All exceptions must be based on an assessment of business requirements weighed against the likelihood of an unauthorized exposure, and the potential adverse consequences for individuals, other organizations, or the Institution were an exposure to occur.
23.4 As a condition for granting an exception, the Institution ISO may require compensating controls be implemented to offset the risk.
23.5 All exceptions must be documented, and must include the following elements:
a) a statement defining the nature and scope of the exception in terms of the Data included and/or the class of devices included;
b) the rationale for granting the exception;
c) an expiration date for the exception;
d) a description of any compensating security measures that are to be required; and
e) acknowledgement, via signature (written, electronic, or through automated process), of the ISO, and, in the case of an exception resulting from a Data Owner request, of the Data Owner.
23.6 Encryption Exceptions.
a) The ISO may grant an exception to the use of encryption on a device if the ISO determines that encryption makes the device unsuitable to perform its intended functions and the Risk posed by the unencrypted device is minimal or moderate based on its use and/or other implemented compensating controls.
b) The ISO may recommend to the Chief Administrative Officer an encryption exception be granted for a High Impact Device if encryption makes the device unsuitable to perform its intended function. Exception recommendations have the effect of being approved unless, upon review, the Chief Administrative Officer disapproves the recommendation.
23.7 A summary of exceptions and exception recommendations shall be reported to the President in the annual Presidential Information Security Program Report with sufficient detail to provide the President with an understanding of types of Risks and level of Institutional exposure.
Guidance for encryption exceptions may be obtained by contacting the U. T. System Chief Information Security Officer.
23.8 This standard does not apply to or authorize an Institutional ISO to grant exceptions to UTS165 Standard 2 – Acceptable Use of Information Resources.
UTS165 Standard 24: Disciplinary Actions.
Violation of this UTS 165 or other U. T. System or Institutional Information Security Policies or Standards by faculty, staff, and students who have access to U. T. System Information Resources or Data for the purpose of providing services to or on behalf of an Institution, are subject to disciplinary action in accordance with the applicable Institutional rules and Policies. For contractors and consultants, this may include termination of the work engagement and execution of penalties contained in the work contract. For interns and volunteers, this may include dismissal. Additionally, certain violations may result in civil action or referral for criminal prosecution.