Policy 1.00: Information Technology Resources Security and Privacy

All State Information Technology (IT) resources must be appropriately and adequately protected against unauthorized access, modification, destruction or disclosure.

REFERENCE:

Tennessee Code Annotated, Section 4-3-5501, et seq., effective May 10, 1994.

OBJECTIVES:

  1. Identify threats that are relevant to State Information Technology (IT) resources.
  2. Protect all IT resources in accordance with state and federal laws and regulations.
  3. Promote the safeguarding of IT Resources in a cost-effective manner such that the cost of security is commensurate with the value and sensitivity of the resources.
  4. Detect threats to State IT Resources and respond accordingly.

SCOPE:

This policy applies to all IT resources and associated components, such as applications, networks, telecommunications, hardware, software, data, related documentation, and reports, including cloud services.

IMPLEMENTATION:

Department of Finance & Administration, Strategic Technology Solutions
  1. Approve and provide the technology infrastructure, including but not limited to, networks and data center hosting facilities operated by the State, required to provide secure applications.
  2. Approve technology infrastructure, including but not limited to, networks and Data Center hosting facilities operated by a third party on behalf of the State, required to provide secure applications.
  3. Develop the enterprise policies, standards, procedures, and guidelines necessary to assure security of the State's IT resources and privacy of data.
  4. Develop the security requirements to ensure the appropriate use of IT resources.
  5. Provide technical consulting support to agencies in fulfilling their IT resources security goals.
  6. Provide technical support, training and/or recommendations for the agencies' use of the State's standard software.
  7. Provide ongoing technical reviews of security aids, tools, techniques and other methods to meet security requirements; develop and recommend, in conjunction with agencies, to the Information Systems Council new or revised policies necessary to assure security of the State's IT Resources.
  8. Provide for an administrative review of security standards, procedures, and guidelines in light of technical, environmental, procedural or statutory changes which may occur.
  9. Protect IT Resources under STS's control and oversight in accordance with state and federal policies, standards and procedures.
  10. Assign an individual the responsibility and authority for administrative oversight of security for the State's IT Resources.
  11. Develop or acquire a training curriculum that provides security awareness training for State employees and contractors who access and use State managed data and IT resources.
 
Agency Business Management and IT Resources
  1. Collaborate with F&A/STS to ensure that all applications are hosted in an STS-approved hosting location.
  2. Assign an individual the responsibility and authority for administrative oversight of security for information technology resources under the agency's control.
  3. Follow enterprise policies, standards, procedures and guidelines for securing the agency’s IT resources.
  4. Establish agency policies, standards, procedures, and guidelines for securing the agency's information technology resources consistent with enterprise policies, standards, procedures and guidelines.
  5. Protect IT resources under agency control in accordance with applicable statutes and with policies, standards, procedures and guidelines established at both the statewide and agency levels.
  6. Educate agency users on security policies, standards, procedures and guidelines related to IT resources.
  7. Ensure all employees and contractors annually attend training regarding security awareness as provided by STS.