PS-001 – Personnel Security

Responsible Office: Office of Cybersecurity

Last Review: 04/07/2020

Next Review: 04/07/2022

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

To ensure that UTHSC IT Resources are protected from the adverse actions of personnel.

Scope

This Standard applies to all employees, contractors, members, users, and third parties who access, use or support UTHSC IT Resources, regardless of physical location.

Standard

  1. UTHSC shall take actions to ensure that UTHSC IT Resources are protected from adverse actions of employees, contractors, members, users, and third parties who access, use or support UTHSC IT Resources, regardless of physical location.
  2. For new employees, contractors, interns, members, friends, students, or volunteers (aka users):
     1. Verify that background checks are completed and documented before access to UTHSC IT Resources is granted.
     2. Roles and responsibilities within the UTHSC Information Security Program are defined, documented, and communicated.
     3. If appropriate, a Confidentiality Agreement shall be signed before access is granted to UTHSC data or information with a classification rating of 3 in any area.
     4. Appropriate training for the individual is made available in a timely fashion.
  3. Reassignment of employment or role:
     1. All University security/system-related information and property pertaining to the previous assignment are retrieved.
     2. All access and credentials to UTHSC IT Resources are reviewed and terminated, changed, or granted as appropriate for the reassignment.
     3. Terminate/revoke any credentials associated with the individual pertaining to the previous assignment.
     4. If appropriate, a Confidentiality Agreement shall be signed before access is granted to UTHSC data or information with a classification rating of 3 in any area.
     5. Roles and responsibilities within the UTHSC Information Security Program are defined, documented, and communicated.
     6. Appropriate training for the individual is made available in a timely fashion.
  4. Separation of employment or role:
     1. Retrieve all pertinent University security/system-related information and property.
     2. Disable access to UTHSC IT Resources no longer required upon separation.
     3. Terminate/revoke appropriate credentials associated with the individual.
  5. Non-compliance with information security policies is addressed appropriately as outlined in Human Resources Policy 0525.

References

  1. UTSA IT Policy [IT0124] Risk Assessment
  2. GP-002-Data & System Classification
  3. Human Resources Policy 0525

Version: 4 // Effective: 04/07/2020