IT0014-HSC-A Security Awareness Training Management

Responsible Office: Office of Cybersecurity

Last Review: 03/01/2025

Next Review: 03/01/2027

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

To establish security awareness and training controls that protect the confidentiality, integrity, and availability of UT Health Science Center’s (UTHSC) Information Resources and provide users with appropriate awareness of security requirements and their responsibilities to protect information resources and systems. This Standard follows CIS Control 14 – Security Awareness and Skills Training.

This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

This standard applies to members of the UTHSC workforce.

Definitions

Awareness, Training, and Education Controls (AT) – include (1) awareness programs that set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure, and (2) training that teaches people the skills that will enable them to perform their jobs more effectively.

Learning Management System (LMS) – a software application for the administration, documentation, tracking, reporting, automation, and delivery of educational courses, training programs, or learning and development programs.

UTHSC Workforce – employees, volunteers, trainees, and other persons who conduct business for UTHSC, whether or not they are paid by UTHSC.

Responsibilities

Chief Information Security Officer (CISO) is responsible for providing strategy and direction for the assessment, planning, and implementation of all security standards and practices, and for ensuring compliance with them.

Office of Cybersecurity is responsible for building the training curriculum for any given year and/or group.

System Owners / Department Heads are responsible for ensuring that the part of the UTHSC workforce that reports to them completes training on time.

UTHSC Workforce is responsible for completing any training assigned in the time allowed to do so.

Learning Management System (LMS) administrators are responsible for establishing courses and enrolling the workforce in the appropriate training, maintaining the availability of the LMS for people to take the training, and maintaining completion logs.

Standard

  1. All members of the UTHSC Workforce shall receive security awareness training to the extent that it applies to their specific job duties. This education process shall be done in compliance with the IT-0014-Information Technology Security Awareness Training Management policy.
  2. Information Security Training is mandatory.
  3. The topics of the security training will be selected based on the highest risks to the University. Additional topics may be addressed at the discretion of the specific areas of the UTHSC. This includes administrator training for critical tools, services, or applications that support UTHSC operations or technology.
  4. Failure to complete the Information Security training per this Standard is considered an Information Security violation per IT003-HSC-A.04-Information Security Violations, resulting in sanctions that include termination of UTHSC network access.
  5. Training will be located in the UT System Administration’s LMS, K@TE, for all employees. Those who cannot be licensed in K@TE will have training established in UTHSC’s LMS, Blackboard.
  6. Human Resources monitors users’ completion of Information Security Awareness training and other compliance training.

New-Employee Training

During HR Orientation, HR staff will explain Information Security Awareness Training and the requirement to complete the training within the first 30 days of employment.

Annual Refresher Training

Current UTHSC Workforce members are assigned Information Security Awareness Training annually. All employees must complete this training within the timeframe described.

Policy History

Version #    Effective Date
1            04/15/2016
6            06/02/2023
7            12/13/2023
8            03/01/2025 – new naming convention

References

  1. NIST Glossary of Terms
  2. IT0014-Information Technology Security Awareness Training Management
  3. IT003-HSC-A.04-Information Security Violations

Version: 8 // Effective: 06/29/2023