IT0130-C – UTC Standard: Personnel Security

Objective:

To align University of Tennessee at Chattanooga (UTC) standards of practice with University of Tennessee System-wide policy for developing, maintaining and documenting a Personnel Security program.

Scope:

This program applies to, but is not limited to, employees, contractors, agents, and representatives accessing, using, or handling UTC information technology resources.

Principles:

This document is a UTC-specific Standard based on University System-wide policy. Each User of UTC resources is required to be familiar with and comply with University policies, and acceptance is assumed if the User accesses, uses, or handles UTC information technology resources.

The Chief Information Officer (CIO) is the Position of Authority (POA) for Information Technology at UTC and is responsible for IT security at the University of Tennessee Chattanooga.

Responsibilities:

  1. The CIO has overall responsibility for the Personnel Security (PS) program at UTC and ensures:
    1. The program is developed, documented, and disseminated to appropriate UTC entities in accordance with University policy.
    2. The program is reviewed and updated annually.
  2. The Chief Information Security Officer (CISO) is responsible for overseeing the Personnel Security program and consulting system owners to ensure effective procedures are implemented.
  3. System owners/Managers are responsible for ensuring their staff reads and understands the following Standard.

Standard:

  1. All critical business systems having mission-essential functions are included in UTC’s Personnel Security program.
  2. Managers must:
    1. For Onboarding: Ensure appropriate background checks are performed by HR before hiring and access is granted to any system categorized as Moderate or High impact.
    2. For Terminations or Transfers:
      1. Notify HR immediately.
      2. Perform these procedures due to the cost to the university of non-timely notifications of transfers or terminations, the risk to systems, exposure of sensitive information and negative impact on UTC’s reputation should there be a compromise of any system or information.
      3. Retrieve all University system-related information and property.
      4. Disable information system access and revoke any credentials associated with the individual.
    3. Ensure Third-Party security. All security precautions prescribed for employee onboarding, termination and transfer must be taken when 3rd-Parties are engaged for system support.
  3. Non-compliance with information security policies is addressed appropriately as in University of Tennessee Policy HR0525 – Disciplinary Action.

References:

IT0130 – Personnel Security


Version: 1 // Effective: 08/10/2018

Related Policies: