Responsible Office: Office of Cybersecurity	Last Review: 06/26/2023 Next Review: 06/26/2025
Contact: Chris Madeksho	Phone: 901.448.1579 Email: mmadeksh@uthsc.edu

Purpose

To establish security awareness and training controls that protect the confidentiality, integrity, and availability of UTHSC’s Information Resources and provide users with appropriate awareness security requirements and their responsibilities to protect information resources and systems.

This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

This standard applies to members of the UTHSC workforce.

Definitions

Awareness, Training, and Education Controls (AT) – include (1) awareness programs which set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure, and (2) training which teaches people the skills that will enable them to perform their jobs more effectively.

Learning Management System (LMS) – a software application for the administration, documentation, tracking, reporting, automation and delivery of educational courses, training programs, or learning and development programs.

UTHSC Workforce – employees, volunteers, trainees, and other persons who conduct business for UTHSC, whether or not they are paid by UTHSC.

Responsibilities

Chief Information Security Officer (CISO) is responsible for providing strategy and direction for assessment, planning, and implementation of all security standards, practices, and ensuring compliance to same.

Office of Cybersecurity is responsible for building the training curriculum for any given year and/or group.

System Owners / Department Heads are responsible for ensuring that the part of the UTHSC workforce that report to them complete training in a timely manner.

UTHSC Workforce is responsible for completing any training assigned in the time allowed to do so.

Learning Management System (LMS) administrators are responsible for establishing courses and enrolling the workforce in the appropriate training, maintaining the availability of the LMS for people to take the training, and maintaining completion logs.

Standard

1. All members of the UTHSC Workforce shall receive targeted security training to the extent that it applies to their specific job duties. This education process shall be done in compliance with the UTSA Security Awareness, Training, and Education Policy [IT0123].
2. Information Security Training is mandatory.
3. The topics of the security training will be selected based upon the highest risks to the University. Additional topics may be addressed at the discretion of the specific areas of the UTHSC.
4. Failure to complete the Information Security training per this Standard is considered an Information Security violation per GP-001.04-Information Security Violations resulting in sanctions that include termination of UTHSC network access.
5. Training will be located in the UT System Administration’s LMS, K@TE for all employees. Those that cannot be licensed in K@TE will have training established in UTHSC’s LMS, Blackboard.
6. Human Resources monitors users’ completion for Information Security Awareness training and other compliance training.

New-Employee Training

During HR Orientation, HR staff will explain about Information Security Awareness Training and the requirement to complete the training within thirty days of employment.

Annual Refresher Training

Current UTHSC Workforce members are assigned Information Security Awareness Training annually. All employees must complete this training within the timeframe described.

Role-Based Training

Additional annual training is required for workforce members assigned security or administrative responsibilities.

References

1. NIST Glossary of Terms
2. UTSA IT0123 – Security Awareness, Training, and Education
3. GP-001.04-Information Security Violations