skip to main content columnskip to left navigation

Information Security

Information Technology Services

Tactical Plan


This plan outlines and further breaks down the necessary steps for implementing East Tennessee State University’s Information Security Strategic Plan over the next five years. It identifies the minimum set of required high level steps needed to accomplish each strategic goal. It attempts to identify university stakeholders associated with each high-level unit of effort. Finally, it provides strategic goals’ dependencies which may affect the overall implementation timeline. Contrary to the Information Security Strategic plan, this is a dynamic plan, and is likely to require periodic reviews.


Figure 1 – Information Security Strategic Plan

List Icon Plan

The plan phase aims at setting an industry accepted standard-based information security baseline and minimum requirements for implementing ETSU’s information security program.

Goal 1: Identify, approve and promote a best practice IT security standard.

100% Complete


  1. Select and promote an IT security Standard.
  2. Seek approval from university stakeholders.

Stakeholders: CISO, HCO and IT Internal Auditor, IT Security Subcommittee, IT Governance.
Estimated completion time: 3-6 months.
Goal dependencies: None.

 Goal 2: Develop, approve and promote a comprehensive set of IT security policies.

5% Complete
  1. Develop policies based on the approved IT security standard.
  2. Seek feedback and approval from university stakeholders.
  3. Publish policies for public comment when appropriate.
  4. Seek approval from the board of regents when appropriate.
  5. Post policies on university website.
  6. Implement technical and management controls based on the approved policies.

Stakeholders: CISO, HCO, ITS staff, IT Internal Auditor, IT Security Subcommittee, IT Governance.
Estimated completion time: 3-5 years.
Goal dependencies: Goal 1.

magic wand icon Enhance

The enhance phase identifies potential risks in critical business functions and provides actionable plans to reduce the risk to an acceptable level. In this phase, the university is focusing on attack prediction, exposure prevention, breach detection and incident response through continuous monitoring and data analytics.


Figure 2 – Measureable continuous cyber improvement process

Goal 3: Implement a formal risk and contingency management program.

0% Complete
  1. Select a BIA model that best fit the university timeline and resources.
  2. Identify critical business units for a BIA.
  3. Develop a BIA for the selected business units.

    Stakeholders: CISO, CIO, ITS staff, business critical units.
    Estimated completion time: 2-3 years.
    Goal dependencies: None.

  4. Conduct a risk assessment for the mission essential functions and processes, critical systems, and sensitive information identified in the BIA

    Stakeholders: CISO, CIO, ITS staff, business critical units.
    Estimated completion time: 1-2 years.
    Goal dependencies: BIA completed.

  5. Develop a DRP for the university data center(s) and core network infrastructure.

    Stakeholders: CISO, CIO, ITS staff, business critical units.
    Estimated completion time: 1-2 years.
    Goal dependencies: None.

  6. Develop a Continuity of Operation Plan (COOP) with the business-critical units.

    Stakeholders: CISO, CIO, ITS staff, business critical units.
    Estimated completion time: 1-2 years.
    Goal dependencies: None.

 Goal 4: Inventory and classify sensitive systems and data.

0% Complete
  1. Select a system and data discovery model that best fit the university timeline and resources.
  2. Discover and inventory sensitive systems and data.
  3. Work with data owners to provide a data classification matrix for the discovered data.
  4. Distribute the data classification matrix to each stakeholder and revise relevant policies.

Stakeholders: CISO, CIO, HCO, data owners.
Estimated completion time: 3-5 years.
Goal dependencies: None.

 Goal 5: Establish a broad information security educational and training program.

0% Complete
  1. Research in-house vs. commercial information security awareness training options.
  2. Map training solution with requirements from the security awareness training policy.
  3. Select and implement an information security awareness training program.
  4. Use metrics to continuously improve the training program and material.

Stakeholders: CISO, HCO, IT Internal Auditor, ITS staff.
Estimated completion time: 2-3 years.
Goal dependencies: Goal 2, information security awareness training policy.

bar chart icon Monitor

The monitor phase provides metrics to identify gaps in the information security program. The program is assessed for continued alignment with university goals and to ensure it is operating within the university’s risk appetite. Security vs. usability is also assessed in this phase to provide an adequate balance between risk reduction and ease of doing business.

Goal 6: Align University governance and IT to support information security and risk reduction.

10% Complete
  1. Monitor the makeup, effectiveness, and outcomes of current IT security governance.
  2. Research and re-align as needed IT security governance structure and efforts.
  3. Monitor information security efforts and outcomes with tools and metrics.
  4. Determine the need for additional information security support.

Stakeholders: CISO, CIO.
Estimated completion time: 3-5 years.
Goal dependencies: None.

 Goal 7: Establish a process for regular progress reporting.

100% Complete
  1. Build a website to aggregate information security information and efforts.
  2. Post the IT Security Strategic and Tactical plans on the web.
  3. Post approved university information security policies.
  4. Provide updates on the progress of this plan.

Stakeholders: CISO.
Estimated completion time: 6-9 months.
Goal dependencies: None.

icons from font awesome

icon for left menu icon for right menu