IT0506-HSC-A.04 Personnel Security

Responsible Office: Office of Cybersecurity

Last Review: 03/01/2025

Next Review: 03/01/2027

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

To ensure that the University of Tennessee Health Science Center (UTHSC) Information Technology (IT) Resources are protected from the adverse actions of personnel.

This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

This Standard applies to all employees, contractors, members, users, and third parties who access, use, or support UTHSC Information Technology Resources, regardless of physical location.

Definitions

UTHSC Information Technology (IT) Resource – a broad term covering all University-owned or managed information technology services, including cloud-based services, that users have access to, viewed holistically rather than as individual components.

Information Technology System (System) – A discrete set of information technology Assets organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of Data. A System is defined based on functionality, a specific process, or specific duty more so than a specific hardware or software solution.

Insider Threat – The threat to an organization that comes from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems.

Responsibilities

Office of Cybersecurity is responsible for the daily monitoring of specific systems, e.g. firewalls, the endpoint detection and response (EDR) application, data loss prevention (DLP) tools, the email environment, and others, to track activity in the UTHSC environment.

System owners or delegates are responsible for maintaining an inventory of the individuals who have access to their systems and of each individual's level of authorization, e.g. admin or privileged access.

UTHSC Human Resources is responsible for the policies and procedures used in onboarding and termination due to non-compliance.

Standard

  1. UTHSC shall take actions to ensure that UTHSC IT Resources are protected from the adverse actions of employees, contractors, members, users, and third parties who access, use, or support UTHSC IT Resources, regardless of physical location, unless an exception is granted.
  2. For new employees, contractors, interns, members, friends, students, or volunteers (aka users):
     a. Roles and responsibilities within the UTHSC Information Security Program are defined, documented, and communicated.
     b. If appropriate, a Confidentiality Agreement shall be signed before access is granted to UTHSC data or information with a level 2 categorization per IT0005-HSC-A-Data & System Categorization.
     c. Appropriate training for the individual is made available in a timely fashion.
  3. Reassignment of employment or role:
     a. All University security/system-related information and property pertaining to the previous assignment are retrieved.
     b. All access and credentials to UTHSC IT Resources are reviewed and terminated, changed, or granted as appropriate for the reassignment.
     c. Terminate/revoke any credentials associated with the individual pertaining to the previous assignment.
     d. If appropriate, a Confidentiality Agreement shall be signed before access is granted to UTHSC data or information with a level 2 categorization.
     e. Roles and responsibilities within the UTHSC Information Security Program are defined, documented, and communicated.
     f. Appropriate training for the individual is made available in a timely fashion.
  4. Separation of employment or role:
     a. Retrieve all pertinent University security/system-related information and property.
     b. Disable access to UTHSC IT Resources no longer required upon separation per IT0506-HSC-A.02-NetID Account Management.
     c. Terminate/revoke appropriate credentials associated with the individual.
  5. Exceptions to this Practice should be requested using the process outlined in IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls.
  6. Non-compliance with UTHSC policies is addressed appropriately as outlined in UTSA Human Resources Policy HR0525.

Policy History

Version #   Effective Date
1           03/17/2016
3           04/17/2020
4           05/21/2021
5           05/22/2023
6           07/27/2023
7           03/01/2025 – new naming convention

References

  1. IT0506-Information Technology Account and Credential Management
  2. IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls
  3. IT0005-HSC-A-Data & System Categorization
  4. IT0506-HSC-A.02-NetID Account Management
  5. UTSA Human Resources Policy HR0525

IT0506-HSC-A.04 Personnel Security
Version: 7 // Effective: 04/07/2020