IT0123 – Security Awareness, Training, and Education

Effective: October 1, 2014
Revision No: 2

To establish policy for maintaining the security skills of the University's users, IT personnel, and security staff.


Applicability and Scope

This policy applies to the University of Tennessee System, inclusive of each campus and institute. For the sake of brevity, “campus” refers to campuses, institutes, and UT System Administration.


  1. Each campus must develop plans and procedures to ensure that:
      1. Users and IT personnel receive role-based security training that is planned, implemented, maintained, and accompanied by evaluation.
      2. Employees and contractors working with systems classified (as defined in IT policy IT0115) as “MODERATE” or “HIGH” are adequately trained to fulfill their security responsibilities prior to system access.
      3. Employees and contractors complete mandatory refresher information security training appropriate to their individual level of responsibility at a time determined by the campus, and their security knowledge be periodically assessed.
      4. Security training and professional development be documented for credit in accordance with UT policy HR0128.
      5. Information security training and awareness will be used in the evaluation of personnel performance.
      6. Users have easy access to security policies, procedures, and rules of behavior for information systems.
      7. University officials be fully informed of the IT security directives, policies, procedures, etc. with which they must comply in order to carry out the University's mission.

  2. Campus information security metrics must include:
      1. Tracking of security training and awareness program participation;
      2. Periodic feedback to management.

Effective Date

This Policy is effective October 1, 2014.

Last Review Date

This Policy was last reviewed September 10, 2014.


NIST 800-53 “Recommended Security Controls for Federal Information Systems and Organizations”
NIST 800-50 “Building an Information Technology Security Awareness and Training Program”
NIST 800-16 “A Role-Based Model for Federal Information Technology / Cyber Security Training”
