Responsible Office: Office of Cybersecurity | Last Review: 08/23/2021 | Next Review: 08/23/2023
Contact: Chris Madeksho | Phone: 901.448.1579 | Email: mmadeksh@uthsc.edu
Purpose
To establish security awareness and training controls that protect the confidentiality, integrity, and availability of UTHSC’s Information Resources and provide users with appropriate awareness of security requirements and of their responsibilities to protect information resources and systems.
Scope
This standard applies to members of the UTHSC workforce.
Definitions
Awareness, Training, and Education Controls (AT) – include (1) awareness programs, which set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure, and (2) training, which teaches people the skills that will enable them to perform their jobs more effectively.
Learning Management System (LMS) – a software application for the administration, documentation, tracking, reporting, automation and delivery of educational courses, training programs, or learning and development programs.
Responsibilities
Chief Information Security Officer (CISO) is responsible for providing strategy and direction for assessment, planning, and implementation of all security standards and practices, and for ensuring compliance with them.
Office of Cybersecurity is responsible for building the training curriculum for any given year and/or group.
System Owners / Department Heads are responsible for ensuring that the members of the UTHSC workforce who report to them complete training in a timely manner.
Workforce is any employee, faculty and staff, who has been assigned training and is required to complete the training in the time allowed to do so.
Learning Management System (LMS) administrators are responsible for establishing courses and enrolling the workforce in the appropriate training, maintaining the availability of the LMS for people to take the training, and maintaining completion logs.
Standard
All members of the UTHSC Workforce shall receive targeted security training to the extent that it applies to their specific job duties. This education process shall be done in compliance with the UTSA Security Awareness, Training, and Education Policy [IT0123].
- Information Security Training is mandatory.
- Information Security Training will be performed annually.
- Users shall not have unsupervised access to UTHSC data or information with a classification rating of 3 in any area until they have received appropriate orientation and education as determined by the user’s supervisor.
- The topics of the security training will be selected and adapted based upon the users’ role. Additional topics may be addressed at the discretion of the specific areas of the UTHSC. These topics are documented in Procedure-InfoSec-AT-001.03-UTHSC Information Security Training.
- Failure to complete the Information Security training per this Standard is considered an Information Security violation per GP-001.04-Information Security Violations resulting in sanctions that include termination of UTHSC network access.
- Annual training will be located in the UT System Administration’s LMS, K@TE, for all employees. Those who cannot be licensed in K@TE will have training established in UTHSC’s LMS, Blackboard.
References
- UTSA Security Awareness, Training, and Education Policy [IT0123]
- GP-001.04-Information Security Violations
- GP-002-Data & System Classification
AT-001 – Training and Awareness
Version: 6 // Effective: 04/15/2016
Related Procedures:
GP-001.04 – Information Security Violations
GP-002 – Data & System Classification
AT-001.02 – Refresher InfoSec Training Course
AT-001.01 – New Employee InfoSec Training