7.5.14 Security Awareness and Training
A. Purpose
To describe the requirements for ensuring each user of University Information Resources receives adequate training on computer security issues.
B. Persons Affected
All individuals that use any University of Texas at Tyler (the "University") Information Resources.
C. Definitions
- Information Resources (IR) - Any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, Network Infrastructure, personal computers, notebook computers, hand-held computers, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
- Information Technology - The University department responsible for computers, networking and data management.
- Information Security Officer (ISO) - Responsible to executive management for administering the information security functions within the University. The ISO is the University's internal and external point of contact for all information security matters.
D. Policy
Understanding the importance of computer security, and individual responsibilities and accountability for computer security, is paramount to achieving University security goals. This can be accomplished with a combination of general computer security awareness training and targeted, product-specific training. The security awareness and training information will be continuously upgraded and reinforced.
Security Awareness and Training
- All new users must complete approved Security Awareness training prior to, or at least within thirty (30) days of, being granted access to any University IR. Preferably, this will be accomplished during New Employee Orientation.
- All users must sign an acknowledgement stating they have read and understand University requirements regarding computer security policies and procedures. The format for acknowledgement is the IR Acceptable Use Policy.
- All users (employees, consultants, contractors, temporaries, etc.) must be provided with sufficient training and supporting reference materials to allow them to properly protect University IR.
- The ISO must define and publish a University Information Security Program that includes the information security program elements required and associated metrics. Specific information security policies and procedures will be published in the University Institutional Handbook of Operating Procedures (IHOP).
- All users must complete an annual computer security compliance education session and pass the associated examination.
- The ISO will develop and maintain a communications process to be able to communicate new computer security program information, security bulletin information, and security items of interest.
- Owners and Custodians should receive periodic training addressing the responsibilities associated with their roles. Method of delivery and scheduling of such training should be determined by the ISO.
- Owners and Custodians must provide, based on role, appropriate technical training equivalent to current industry standards for Information Security Administrators and employees providing Information Technology help-desk or technical support for IR under their authority.
Technical Support Training
Owners and Custodians must provide for appropriate technical training equivalent to current industry standards to Information Security Administrators and employees providing information technology help-desk or technical support to IR under their responsibility.
Disciplinary Actions
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries, a termination of employment relations in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of University IR access privileges, civil, and criminal prosecution.
E. References
UTS165 Information Resources Use and Security Policy
http://www.utsystem.edu/board-of-regents/policy-library/policies/uts165-information-resources-use-and-security-policy
F. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 12/2021
AMENDED: 05/2023