Policy Library



Policy Overview


It is the policy of The University of Texas System (UT System) to:

  1. Protect Information Resources based on risk against accidental or unauthorized access, disclosure, modification or destruction and assure the availability, confidentiality, and integrity of Data;
  2. Appropriately reduce the collection, use or disclosure of all social security numbers contained in any medium, including paper records;
  3. Apply appropriate physical and technical safeguards without creating unjustified obstacles to the conduct of the business and Research of the UT System and the provision of services to its many constituencies in compliance with applicable state and federal laws.



All institutions, UT System Administration, and UTIMCO



Sponsoring Office: Office of The Chief Information Security Officer

Effective Date: April 12, 2007



Past Changes made to UTS165



  • Responsible Officer changed to Chief Information Security Officer
  • Sponsoring Office changed to Office of the Chief Information Security Officer
  • Last paragraph of Rationale was edited to clarify which policies were combined to form UTS165
  • UTIMCO was added to the Scope
  • Contact information is now the Office of the Chief Information Security Officer


  • Change to the policy name to differentiate it from the internal System Administration Policy of the same name
  • Clarification to the Rationale that Information Security Practice Bulletins become part of the policy
  • Change in the definition of Confidential Information to make it consistent with the definition used in Texas Administrative Code (TAC) 202 which governs information security practices
  • A fifth appendix was added, including the Information Security Practice Bulletin



  • A Sixth appendix was added, including the Information Security Practice Bulletin #2 – Baseline Standard for Information Security Programs.  This document defines operational requirements for University of Texas System Entity Information Security Programs.
  • Added three documents related to the Security Practice Bulletin #2:
    • UT System Information Security Program Elements – This document identifies functions and activities to be included in each U. T. Entity Information Security Program.  The elements are based on those recommended by recognized standards bodies.
    • UT System Information Security Program Metrics Reported to U. T. System This document identifies Information Security Program metrics needed to assess scope of program deployment, program effectiveness, and trends that can be used for program planning.
    • Institutional Information Security Program Quarterly Status Report Template The template will be used by Entity CISO/ISOs for reporting program activities to U. T. System each quarter. 


  • Reconciled Procedure Section requirements with Responsibilities.  There were requirements in the Procedure Section that were not reflected in the Responsibility Section
  • Reconciled Definitions and requirements with TAC 202
  • Provided clarification for definition of Sensitive Data
  • Added 4 new definitions

- “Chief Administrative Officer:  The highest ranking executive officer at each Entity. For most Entities, this is the President.”


- “Decentralized Areas:  Entity business units, departments, or programs that manage or support their own information systems”


- “Electronic Communication: Method used to convey a message or exchange information via Electronic Media instead of paper media.  It includes the use of Electronic Mail, instant messaging, Short Message Service (SMS), facsimile transmission, and other paperless means of communication”


- "Security Incident:  An event which results in unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources whether accidental or deliberate. (TAC 202A 202.1)"


  • Amended Section 8 Classification of Digital Data to require institutions to develop a data classification guideline for central and decentralized areas
  • Replaced Section 12 Electronic Mail with Electronic Communications that include, not only use of email, but also use of IM, SMS, etc.
  • Reconciled Section 13 Incident Management with the UT System Incident Reporting Toolkit
  • Added references to the UT Federation Member Operating Practices in Section 3 Access Management and Section 18 Passwords
  • Added to Section 25 Systems Development and Deployment the requirement for the ISO to review the data security requirements and specifications of any new computer applications that receive, maintain, and/or share Confidential Data and to approve the security requirements of the purchase of the corresponding required hardware.



Updated the Institutional Information Security Program Quarterly Status Report Template.




Under Forms and Tools/Online Processes:

  • Updated AUP form link
  • Added a link to the Information Resources Security Operations Manual




  • © 2008 The University of Texas System
  • 702 Colorado Street, Suite 6.200
  • Austin, Texas 78701
  • Phone: (512) 499-4744