Policy 1.00: Information Technology Resources Security and Privacy
All State Information Technology (IT) resources must be appropriately and adequately protected against unauthorized access, modification, destruction or disclosure.
REFERENCE:
Tennessee Code Annotated, Section 4-3-5501, et seq., effective May 10, 1994.
OBJECTIVES:
- Identify threats that are relevant to State Information Technology (IT) resources.
- Protect all IT resources in accordance with state and federal laws and regulations.
- Promote the safeguarding of IT Resources in a cost-effective manner such that the cost of security is commensurate with the value and sensitivity of the resources.
- Detect threats to State IT Resources and respond accordingly.
SCOPE:
This policy applies to all IT resources and associated components, such as applications, networks, telecommunications, hardware, software, data, related documentation, and reports, including cloud services.
IMPLEMENTATION:
Department of Finance & Administration, Strategic Technology Solutions
- Approve and provide the technology infrastructure, including but not limited to, networks and data center hosting facilities operated by the State, required to provide secure applications.
- Approve technology infrastructure, including but not limited to, networks and Data Center hosting facilities operated by a third party on behalf of the State, required to provide secure applications.
- Develop the enterprise policies, standards, procedures, and guidelines necessary to assure security of the State's IT resources and privacy of data.
- Develop the security requirements to ensure the appropriate use of IT resources.
- Provide technical consulting support to agencies in fulfilling their IT resources security goals.
- Provide technical support, training and/or recommendations for the agencies' use of the State's standard software.
- Provide ongoing technical reviews of security aids, tools, techniques and other methods to meet security requirements; develop and recommend, in conjunction with agencies, to the Information Systems Council new or revised policies necessary to assure security of the State's IT Resources.
- Provide for an administrative review of security standards, procedures, and guidelines in light of technical, environmental, procedural or statutory changes which may occur.
- Protect IT Resources under STS's control and oversight in accordance with state and federal policies, standards and procedures.
- Assign an individual the responsibility and authority for administrative oversight of security for the State's IT Resources.
- Develop or acquire a training curriculum that provides security awareness training for State employees and contractors who access and use State managed data and IT resources.
Agency Business Management and IT Resources
- Collaborate with F&A/STS to ensure that all applications are hosted in an STS-approved hosting location.
- Assign an individual the responsibility and authority for administrative oversight of security for information technology resources under the agency's control.
- Follow enterprise policies, standards, procedures and guidelines for securing the agency’s IT resources.
- Establish agency policies, standards, procedures, and guidelines for securing the agency's information technology resources consistent with enterprise policies, standards, procedures and guidelines.
- Protect IT resources under agency control in accordance with applicable statutes and with policies, standards, procedures and guidelines established at both the statewide and agency levels.
- Educate agency users on security policies, standards, procedures and guidelines related to IT resources.
- Ensure all employees and contractors annually attend training regarding security awareness as provided by STS.