Sponsoring Office: Office of the Chief Information Security Officer
Effective Date: April 12, 2007
Past Changes made to UTS165
5/4/2007
- Responsible Officer changed to Chief Information Security Officer
- Sponsoring Office changed to Office of the Chief Information Security Officer
- Last paragraph of Rationale was edited to clarify which policies were combined to form UTS165
- UTIMCO was added to the Scope
- Contact information is now the Office of the Chief Information Security Officer
7/31/2007
- Change to the policy name to differentiate it from the internal System Administration Policy of the same name
- Clarification to the Rationale that Information Security Practice Bulletins become part of the policy
- Change in the definition of Confidential Information to make it consistent with the definition used in Texas Administrative Code (TAC) 202 which governs information security practices
- A fifth appendix was added, including the Information Security Practice Bulletin
2/5/2008
- A sixth appendix was added, including the Information Security Practice Bulletin #2 – Baseline Standard for Information Security Programs. This document defines operational requirements for University of Texas System Entity Information Security Programs.
- Added three documents related to the Security Practice Bulletin #2:
- U. T. System Information Security Program Elements – This document identifies functions and activities to be included in each U. T. Entity Information Security Program. The elements are based on those recommended by recognized standards bodies.
- U. T. System Information Security Program Metrics Reported to U. T. System – This document identifies Information Security Program metrics needed to assess scope of program deployment, program effectiveness, and trends that can be used for program planning.
- Institutional Information Security Program Quarterly Status Report Template – The template will be used by Entity CISO/ISOs for reporting program activities to U. T. System each quarter.
9/16/2008
- Reconciled Procedure Section requirements with Responsibilities. There were requirements in the Procedure Section that were not reflected in the Responsibility Section.
- Reconciled Definitions and requirements with TAC 202
- Provided clarification for definition of Sensitive Data
- Added four new definitions:
- “Chief Administrative Officer: The highest ranking executive officer at each Entity. For most Entities, this is the President.”
- “Decentralized Areas: Entity business units, departments, or programs that manage or support their own information systems”
- “Electronic Communication: Method used to convey a message or exchange information via Electronic Media instead of paper media. It includes the use of Electronic Mail, instant messaging, Short Message Service (SMS), facsimile transmission, and other paperless means of communication”
- “Security Incident: An event which results in unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources whether accidental or deliberate. (TAC 202A 202.1)”
- Amended Section 8 Classification of Digital Data to require institutions to develop a data classification guideline for central and decentralized areas
- Replaced Section 12 Electronic Mail with Electronic Communications that include, not only use of email, but also use of IM, SMS, etc.
- Reconciled Section 13 Incident Management with the UT System Incident Reporting Toolkit
- Added references to the UT Federation Member Operating Practices in Section 3 Access Management and Section 18 Passwords
- Added to Section 25 Systems Development and Deployment the requirement for the ISO to review the data security requirements and specifications of any new computer applications that receive, maintain, and/or share Confidential Data and to approve the security requirements of the purchase of the corresponding required hardware.