University information technology (IT) resources are provided for conducting authorized University business related to education, research, service, and administration. This section describes user responsibilities in ensuring that the University’s IT resources are used responsibly and according to University policies. Responsible and acceptable use of IT resources preserves the integrity, confidentiality, and availability of these resources and establishes user accountability.

Each department is responsible for the security of its computer systems and may apply more stringent security standards than those detailed in University Policies. However, departments must at a minimum follow the standards described in Policies IT0110, IT0115, and IT0120 or risk losing access to University networks and/or use of IT resources. Additionally, a System Security Plan is required if a department uses applications or servers that process, store or transmit sensitive information. The UT System Administration Department of Technology Solutions (UTSA DTS) can provide a template, or contact your Campus Authority responsible for information security for guidance.

Key Terms

Information technology (IT) resources are defined as, but are not limited to, any computers, computer systems, network devices, telephone systems, or software applications.

An Information System is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.  Examples include your desktop/laptop, IRIS, and a database that serves your department business requirements.

Security Categorization/Classification is the process of determining the security category for information or an information system.

The Campus Authority responsible for information security is designated by the Chancellor or equivalent at each Campus to be an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority).

Hacking is gaining unauthorized access to computer systems for the purpose of stealing and corrupting data or using a system to access another computer system.

E-commerce (electronic commerce) is the process of buying and selling goods and services and transferring payment over the Internet.

Sanitization is the removal of data from storage media so that the data cannot be retrieved.

A security incident is a violation or imminent threat of a violation of computer security policies, acceptable use policies, or standard security practices.

Sensitive Information is information that is protected against unwarranted disclosure. Protection of sensitive information may be required for legal, ethical, privacy, or proprietary considerations. Sensitive information includes all data which contains Personally Identifiable Information, Protected Health Information, student education records, card holder data, or any other information that is protected by applicable laws, regulations, or policies.

Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for organizations that accept credit cards from the major card brands. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.

Back to top »


User Responsibilities

The University employs various measures to protect the security of its computing resources and user accounts. Users must, however, share in this responsibility. Each user of University resources is required to be familiar and comply with University Policy IT0110, Acceptable Use of Information Technology Resources.

Reasonable, minimal personal use of the University’s IT resources is allowed, as stipulated in Policy IT0110. Departments, however, may impose further restrictions on personal use.

Back to top »


Prohibitions

The following are examples of prohibited activities:

  • Sharing access codes or passwords.
  • Using IT resources for personal gain. (NOTE: this does not apply to faculty members’ scholarly activities, including the writing of textbooks or other teaching materials and appropriate consulting activities. For guidelines, see the faculty handbook for your campus/institute.)
  • Committing copyright infringement, including file sharing of video, audio, or data without permission from the copyright owner.
  • Using University resources to introduce, create, or propagate spam, phishing email, computer viruses, worms, Trojan horses, or other malicious code.
  • Misrepresenting the user’s identity with actions such as IP address “spoofing,” email address falsification, or social engineering.
  • Sending email chain letters or mass mailings for purposes other than official University business.

 

NOTE: This is not a comprehensive list of prohibitions. Users are expected to be aware of all prohibitions listed in Policy IT0110.

Back to top »


Misuse of IT Resources

Users must report all suspected or observed illegal activities to the appropriate University or campus administrative office. Examples include theft, fraud, copyright infringement, illegal electronic file sharing, sound or video recording piracy, hacking, and viewing or distribution of child pornography.

State law prohibits the use of University resources by employees for campaign or political advertising on behalf of any party, committee, agency, or candidate for political office (Tennessee Code Annotated § 2-19-201 et seq.). This does not prohibit the use of University resources to discuss or examine political topics or issues of public interest, so long as it does not advocate for or against a particular party, committee, agency, or candidate. 

 

The use of the University’s IT resources is governed by all applicable University policies and state and federal laws. Violators will be subject to disciplinary action, including the loss of IT privileges or termination of employment. Illegal activities involving these resources may also be subject to prosecution by state or federal authorities.

Back to top »


Credit Card Processing

According to University Policy FI0311, departments are not permitted to engage in any form of credit card payment processing without seeking and receiving approval as required by this policy. This includes non-electronic methods (taking payments with an imprinter or payment information on paper forms), face-to-face electronic methods (using point-of-sale terminals, iPads, etc., or PC-based payment software to process transactions), or indirect electronic methods (taking payments over the phone, via fax, or via e-commerce equipped websites whether handled directly by University employees and systems, or by a third party).

Back to top »


Virus Protection

Cybercriminals use sophisticated strategies for gaining access to the University’s sensitive data. In most cases, they simply manipulate a community member’s trust by posing as something or someone the user is familiar with.

Be careful and selective in opening attachments. Do not open attachments to emails that seem questionable.

Back to top »


Privacy

While the University recognizes the role of privacy in an institution of higher learning and every attempt will be made to honor that ideal, users should have no expectation of privacy of information stored on or transmitted through University-owned information systems and communications infrastructure. Users are expected to be familiar with the User Privacy section of Policy IT0110.

Back to top »


Incident Response

A suspected compromise of any system that stores, processes, or transmits information considered confidential (e.g., student information, credit card, or patient systems) must be reported immediately to the Campus Authority responsible for information security.

The following activities are examples of security events that must be reported: 

  • A system alarm from an intrusion detection tool.
  • Suspicious entries in system or network accounting.
  • New user accounts or files of unknown origin and function.
  • Unexplained changes to file sizes or date/time stamps.
  • Unexplained addition, deletion, or modification of data.
  • Denial of service activity.
  • Unauthorized operation of a program.
  • Unusual usage patterns.
  • Loss or theft of laptop or other equipment.
  • Numerous unsuccessful logon attempts.
  • Unexplained system crashes.
  • Unexplained poor system performance.

When a security event is suspected, evidence collection and network monitoring must be initiated immediately. Otherwise, critical information may be destroyed before investigators have a chance to review it.

For more information on reporting security incidents and the incident response process, see “Computing Resources” below. 

Back to top »


Accounts and Access Management

All students, faculty, and staff at the University have a NetID and password. Your NetID permits secure access to a variety of applications and services. Your password and two-factor authenticator boost protection of your account from hackers.

When using two factor authentication you will be required to use two different sources (factors) to verify your identity.

  • Something you know – your username and password, and
  • Something you have – a phone or passcode, to authenticate and gain access to an account. For example, this may be a smartphone or tablet using an app or a hardware token device.

 

Good Password Sense 

Strong, secure passwords should not be publicly displayed, written down or shared, contain your username or part of any name or be based on personal information. Do not use the same password for multiple accounts.

Back to top »


Department Head’s Role in Managing IT Resources

You are responsible for the following oversight activities.

  1. Ensure that all departmental staff who use IT resources are familiar with and abide by applicable University policies, campus/institute acceptable use policies, and applicable laws. See “Computing Resources” below.
  2. Ensure that staff use the University’s IT resources appropriately to accomplish their work responsibilities and that personal use, including e-mail, is reasonable and appropriate.
  3. Ensure that users employ safe computing practices, including strong password management and anti-virus protection, among others.
  4. Ensure that the departmental system administrator(s) takes appropriate measures to maintain the security of IT data and systems by installing routine upgrades and patches to operating systems and software and configuring operating systems according to an appropriate benchmark. Please contact the Campus Authority responsible for information security for more information.
  5. Ensure that University computing equipment in the department’s custody and control is adequately safeguarded against theft and damage and that any confidential information stored on the equipment is protected and maintained in a manner to protect its integrity and confidentiality.
  6. Ensure that computer hard drives and other electronic media containing confidential or sensitive data are sanitized before their disposal or transfer.
  7. Ensure that any e-commerce systems present information in a manner that conforms to policies and preserves the University’s image and reputation. E-commerce systems must maintain adequate security and safeguard the integrity of data related to these transactions. For approval requirements and other details, see Policy FI0310, Internet Sales.
  8. Report any security-related incidents to the appropriate campus/institute department (see “Computing Resources” below).
  9. Ensure that users comply with software license agreements regarding applicable copyright laws and file sharing, etc., as addressed in Policy IT0110.
  10. Forward any requests for release of documents under the Tennessee Public Records Act to the campus/institute public relations office.

Back to top »


Computing Resources

Information Technology/Computer Services Offices

Knoxville (Office of Information Technology): https://oit.utk.edu

Health Science Center (Information Technology Services): https://uthsc.edu/its/

Chattanooga (Information Technology Division): https://new.utc.edu/information-technology

Martin (Information Technology Services): https://utm.teamdynamix.com/TDClient/2421/ITS-Portal/Home/

Space Institute (Computer Services): https://www.utsi.edu/computer-services-home/

System Administration: (Department of Technology Solutions): https://techsolutions.tennessee.edu

Institute of Agriculture (Office of Information Technology Services): https://utiatechnology.tennessee.edu

 

Reporting Security Incidents

Knoxville: https://oit.utk.edu/security/, call the OIT HelpDesk at 865-974-9900, or chat with the OIT HelpDesk at oit.utk.edu/chat/

Health Science Center: Call the Compliance Office Hotline at 901-448-4900, e-mail the Security Officer at security@uthsc.edu, or refer to the UTHSC Compliance Offices web site at http://www.uthsc.edu/compliance

Chattanooga: E-mail security@utc.edu or call the Help Desk at 423-425-4000

Martin: https://utm.teamdynamix.com/TDClient/2421/ITS-Portal/Home/ or e-mail helpdesk@utm.edu

Space Institute: www.utsi.edu/computer-services-home/ or e-mail helpdesk@utsi.edu

System Administration: https://security.tennessee.edu/ or email iso@tennessee.edu

Institute of Agriculture: https://utiasecurity.tennessee.edu/incident-response/ or email sandy@tennessee.edu

 

Incident Response Process

Knoxville, Institute for Public Service, and Space Institute: Incident Response Process https://oit.utk.edu/hpsc/isaac-secure/incident-response

Health Science Center: https://itservices.uthsc.edu/service-category/security-incident-response-and-investigation/

Chattanooga: https://new.utc.edu/sites/default/files/2020-03/information-technology-security-incident-response-plan.pdf

Martin: https://utm.teamdynamix.com/TDClient/2421/ITS-Portal/Home//

System Administration: https://security.tennessee.edu/

Institute of Agriculture: https://utiasecurity.tennessee.edu/incident-response/

Back to top »