This Week’s Cybersecurity News, 12/11/2024

Hello, everyone.

As the end of the year is quickly approaching, I want to let you know about a new security requirement for Institute-owned and University-owned Windows computers. I also want to give you some important information about UTIA IT Security Standards and Procedures for 2025. And I am including one final newsletter reminder about the IT Security Awareness training.

New Security Initiative Announcement

  • BitLocker Requirement
    • As a part of the many new security initiatives that have been implemented and are still being implemented, we will be requiring the use of BitLocker on all Institute-owned and University-owned computers.
    • BitLocker is a Windows security feature that provides encryption, addressing the threat of data theft or exposure from lost or stolen devices.
    • BitLocker also makes data inaccessible when a BitLocker-protected device is decommissioned or recycled but has not been properly wiped first.
    • BitLocker has been available since March and almost 49% of managed devices are already running BitLocker.
    • For the remainder of devices, the rollout will take place from December 16, 2024 – January 21, 2025.
    • During this time, you will receive a prompt to opt in or skip for now and enable notifications at a more convenient time.
    • Please keep in mind that if you do not opt in by January 21, UTK’s OIT will enroll any remaining Windows computers on January 22.
    • However, if you are already using third-party encryption for your Windows computer, please let me know as soon as possible.
    • If you are with the College of Veterinary Medicine, CVM Computer Support has been working to address this.
    • To learn more about BitLocker, including how to obtain BitLocker recovery keys, please read Intune Configuration Policy Change: BitLocker Required for All Windows Computers.

Policy Changes Ahead for 2025

  • UTIA IT Security Standards
    • You may remember me mentioning not long ago that there are changes coming to UTIA policies, particularly IT security policies.
    • UT has decided (again) that only UT System Administration (UTSA) can have actual policies, while each campus and institute must have standards and procedures.
    • A policy is a high-level, or general, statement that sets expectations for an organization.
    • Policies are mandatory and apply to everyone in the organization.
    • A standard is a specific set of rules that explain how to follow a policy.
    • Standards must be at least as strong as the policies they cover, but each campus and institute may have specific items that may be stronger than the policies.
    • Standards are also mandatory at UTIA, as they are based on system policies.
    • Procedures are simply instructions on how standards are to be implemented.
    • Most standards will not need a separate set of procedures, but there may be a few standards that may need a more detailed procedural document.
    • The new policies, standards, and procedures will be based on security controls found in the Center for Internet Security (CIS) Framework, instead of the National Institute of Standards and Technology (NIST) Cybersecurity Framework we have been using over the past several years.
    • Some specific state, federal, and industry requirements may require controls from multiple frameworks and I will reference what is being used where possible.
    • Moving forward I will be creating and maintaining these standards and procedures, just as I did the policies.
    • I will reassemble the UTIA Security Advisory Committee (SAC) to meet for discussions of any new standards and procedures, as well as when updates are made.
    • As in the past, the SAC will work with the areas they are representing to make sure there are no concerns.
    • I will then send to the UTIA Executive Committee for review before the standards are approved by Dr. Keith Carver, UTIA Senior Vice Chancellor & Senior Vice President; Angela Gibson, UTIA Chief Information Officer; and me, UTIA Chief Information Security Officer.
    • I will continue to keep you updated by sending information in the newsletters when a new/updated standard or procedure is available.

Important Reminder

  • IT Security Awareness Training
    • I promise this is the last time I remind you of this in a newsletter this year!
    • If you have been assigned training, this is a reminder to complete that training before the end of the year.
    • The IT Security Awareness training is required of all UTIA workforce, which includes certain student employees, on an annual basis.
    • The IT Security Awareness training is part of the 2024-2025 UTK Compliance training, as assigned by UTK HR.
    • Assignment and reminder emails will come from the UTK Compliance Committee noreply[@]utk.edu, and UTIA HR staff members have been sending reminders to supervisors about the 2024-2025 UTK Compliance training.
    • As in the past, any user not completing the IT Security Awareness module by the deadline will lose access to all Institute-owned and University-owned systems until the training has been completed.
    • If you have been assigned this training, you can find it by logging into K@TE https://kate.tennessee.edu and it will be listed under “My Active Courses”.
    • This newsletter goes out to those on the UTIA distribution list, along with some other specific distribution lists, so it is possible you do not have training assigned, but if you aren’t sure, please send me an email and I will look for you.
    • While the deadline has been set for 12/31/2024, I highly recommend that you complete it before then to ensure you get the proper credit due to DASH implementation happening at the first of the year.

Thank you so much for all you do to help protect the Institute and its data. I appreciate the time, effort, and questions everyone contributes to making sure we stay safe!

Sandy