IT0123 – Security Awareness, Training, and Education

Effective: October 1, 2014
Revision No: 3

To establish policy for maintaining the security skills of the University's users, IT personnel, and security staff.


This policy applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee including its campuses, institutes, and administration (University and/or Campuses).

“Users” includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University’s information technology resources.

Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties.


The University has chosen to adopt the policy principles established in the National Institute of Standards (NIST) 800 series of publications, and this policy is based on those guidelines.

The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority).  The Position of Authority should be at a high enough organizational level to allow him/her to speak with authority on and for the Campus.

Each Campus must develop or adopt and adhere to a program that demonstrates compliance with this policy and related standards.  This program is the responsibility of the Position of Authority.

A Campus may apply more stringent requirements than those documented in this policy provided they do not conflict with or lower the standards or requirements established by this or any other University policy.

Each User of University resources is required to be familiar and comply with University policies.  Acceptance of this policy is assumed if a User accesses, uses, or handles University IT resources.


Each of the University’s Campuses must develop or adopt and adhere to a formal, documented Security Awareness and Training program for University information systems users, and facilitate appropriate training controls.

Mandatory Controls:

Mandatory security controls are University-wide controls that are required to be consistently designed, implemented, monitored, and assessed by all Campuses.  Each Campus must develop, document, and maintain a Security Awareness and Training program that includes:

  • Basic Security Awareness Training (AT-2): Basic security awareness training as a part of initial training for new users, when it is required by information system changes, and annually thereafter.
  • Role-based Security Training (AT-3): Each Campus must provide role-based security training to personnel with assigned security responsibilities before authorizing access to the information system or performing assigned duties, when required by information system changes, and annually thereafter.
  • Security Training Records (AT-4): Each campus must document and monitor individual information system user security training activities.

Discretionary Controls: 

Discretionary Controls are security controls whose scope is limited to a specific campus, institution, or other designated organizational component.  Discretionary Controls are designed, implemented, monitored, and assessed within that organizational component.  Discretionary controls must not conflict with or lower the standards established by Mandatory Controls.


  • NIST 800-53 “Recommended Security Controls for Federal Information Systems and Organizations”
  • NIST 800-50 “Building an Information Technology Security Awareness and Training Program”
  • NIST 800-16 “A Role-Based Model for Federal Information Technology / Cyber Security Training”

Last Reviewed:

January 11, 2017

↑ Back to Top