Information Security

Plans and Programs and Controls, Oh My!
Information security conversations often include words like “IT security plans,” “systems,” and “program plans.” What do these terms mean in the context of cyber security, and why should we care?

Three reasons WHY we are talking about cyber security:

  1. UT Policy drives the discussion and requires that the management of our IT resources is documented.
  2. Currently, EVERYTHING is online and must be protected, much like we lock our homes or automobiles when we leave them.
  3. It is the responsible and right thing to do.

Human Resource (HR) or Fiscal (FI) policies provide a governance structure for conducting university business, the business of “running a university.” Likewise, UT policies regarding Information Technology (IT) provide the governance structure for the management of IT resources.

Information Security Management implies that we are protecting information (data) and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Information Security Management is also a process of defining the security controls to protect the university’s IT resources.

Three definitions and examples provide clarity to this discussion:

  1. System Security Plan—a written document that provides an overview of the current information security requirements of a system and describes the controls in place or in planning, responsibilities, and expected behavior of all individuals who access a system.
  2. System—a set of interrelated components that work together to collect, process, store, and disseminate information to support decision making, coordination, control, analysis, and visualization in an organization. Examples: servers, software, networks, databases, etc. Real-world examples of systems are the Student Information System (including Banner, DARS, and others), IRIS, or CANVAS.
  3. Controls—safeguards or countermeasures to avoid, detect, counteract, or minimize risks to physical property, information, computer systems, or other IT resources. Examples: locks on doors, passwords, procedures, speed-limit signs, etc.

One may think, “This is an IT thing. I am not going to worry too much about it. The IT person will handle it.” Others may think that security measures only apply to OIT. The policy applies to ALL who use university IT Resources. Consider it from this perspective: it is good business management of resources. Sure, there are technical aspects to ensuring security measures are in place, but it really is about identifying systems that are critical to a researcher, a department, a college, or the campus and putting documentation around its management. The system may also store or process sensitive or confidential information about research or individuals.

Just as Deans, Directors, and Department heads are responsible for enforcing HR and FI policies across their areas, they are equally responsible for the oversight of the management of IT resources in their respective units. Leadership must communicate to their direct reports and throughout their organization that there IS a Campus Information Security Program and what their role is in that program. A Dean or Vice-Chancellor may not know how all the parts fit together in a particular system, what information is stored or processed, or if it is critical to their unit. They don’t necessarily need to know all of the technical details. However, I am sure they would want to know that someone is looking after that system (i.e., managing the system).

Visit the OIT website to learn more about the UTK Information Security Methodology or call the OIT HelpDesk at 865-974-9900.