AT-001 – Training and Awareness

Responsible Office: Office of Cybersecurity

Last Review: 08/23/2021

Next Review: 08/23/2023

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

To establish security awareness and training controls that protect the confidentiality, integrity, and availability of UTHSC’s Information Resources and provide users with appropriate awareness of security requirements and of their responsibilities to protect information resources and systems.

Scope

This standard applies to members of the UTHSC workforce.

Definitions

Awareness, Training, and Education Controls (AT) – include (1) awareness programs, which set the stage for training by changing organizational attitudes so that people realize the importance of security and the adverse consequences of its failure, and (2) training, which teaches people the skills that will enable them to perform their jobs more effectively.

Learning Management System (LMS) – a software application for the administration, documentation, tracking, reporting, automation and delivery of educational courses, training programs, or learning and development programs.

Responsibilities

Chief Information Security Officer (CISO) is responsible for providing strategy and direction for assessment, planning, and implementation of all security standards, practices, and ensuring compliance to same.

Office of Cybersecurity is responsible for building the training curriculum for any given year and/or group.

System Owners / Department Heads are responsible for ensuring that the members of the UTHSC workforce who report to them complete training in a timely manner.

Workforce – any employee, faculty member, or staff member who has been assigned training is required to complete that training in the time allowed.

Learning Management System (LMS) administrators are responsible for establishing courses and enrolling the workforce in the appropriate training, maintaining the availability of the LMS so that people can take the training, and maintaining completion logs.

Standard

All members of the UTHSC Workforce shall receive targeted security training to the extent that it applies to their specific job duties. This education process shall be done in compliance with the UTSA Security Awareness, Training, and Education Policy [IT0123].

  1. Information Security Training is mandatory.
  2. Information Security Training will be performed annually.
  3. Users shall not have unsupervised access to UTHSC data or information with a classification rating of 3 in any area until they have received appropriate orientation and education as determined by the user’s supervisor.
  4. The topics of the security training will be selected and adapted based upon the users’ role. Additional topics may be addressed at the discretion of the specific areas of the UTHSC. These topics are documented in Procedure-InfoSec-AT-001.03-UTHSC Information Security Training.
  5. Failure to complete the Information Security training per this Standard is considered an Information Security violation per GP-001.04-Information Security Violations resulting in sanctions that include termination of UTHSC network access.
  6. Annual training will be located in the UT System Administration’s LMS, K@TE for all employees. Those that cannot be licensed in K@TE will have training established in UTHSC’s LMS, Blackboard.

References

  1. UTSA Security Awareness, Training, and Education Policy [IT0123]
  2. GP-001.04-Information Security Violations
  3. GP-002-Data & System Classification