IT0123-C UTC Standard: Security Awareness, Training & Education

Objective:

To align University of Tennessee at Chattanooga (UTC) standards of practice with University of Tennessee System-wide policy for developing, maintaining and documenting an IT Security Awareness, Training and Education program for the UTC workforce.

Scope:

This program applies to the UTC Workforce which includes all staff, contractors, and student employees who connect to the UTC network via wired or wireless devices.

Principles:

This document is a UTC-specific Standard based on University System-wide policy. Each User of UTC resources is required to be familiar with and comply with University policies, and acceptance is assumed if the User accesses, uses, or handles UTC information technology resources.

The Chief Information Officer (CIO) is the Position of Authority (POA) for Information Technology at UTC and is responsible for IT security at the University of Tennessee Chattanooga.

Responsibilities:

  1. The CIO has overall responsibility for the IT Security Awareness, Training and Education (AT) program at UTC and ensures:
    1. The training program is developed, documented, and disseminated in accordance with University policy.
    2. All Executives, senior managers and department heads are informed of the training program status.
    3. The program is reviewed and updated annually.
  2. The Chief Information Security Officer (CISO) is responsible for overseeing the Security Awareness, Training and Education program and consulting system owners to ensure effective procedures are implemented.
  3. Workforce members are responsible for adhering to this Standard for their respective system(s).

Standard:

  1. All UTC faculty, staff, student employees, and affiliates who connect to the UTC network via wired or wireless devices will be designated as members of the UTC Workforce.
  2. Participation in the Security Awareness, Training, and Education Program may be used in the evaluation of personnel performance.
  3. The Chief Information Security Officer (CISO) ensures:
    1. The UTC workforce has been designated.
    2. An effective role-based Security Awareness, Training & Education program is offered to all faculty, staff, students and affiliates.
    3. Tracking and reporting mechanisms are in place and records are maintained.
    4. Awareness and training material is reviewed and updated periodically.
    5. Personnel with significant security responsibilities are sufficiently trained.
    6. There is a feedback process for the awareness and training program.
  4. UTC Workforce members:
    1. Who are new to the workforce will complete the assigned training as soon as possible after hiring.
    2. Will be assigned refresher Security Awareness training annually.
    3. Will be notified of annual awareness training completion status, and members who do not complete the training by the required date may lose access to “MODERATE” or “HIGH” mission-essential systems.
    4. Will be offered appropriate role-based IT Security training annually.
    5. Receive credit for completing training, which will be reflected in their professional development record.

References:

IT0123 – Security Awareness, Training, and Education


Version: 1 // Effective: 08/10/2018