Information Technology Security Policy

Introduction

As part of its educational mission, the University of Florida acquires, develops, and maintains data and information, computers, computer systems and networks. These information technology (IT) resources are intended for university related purposes, including direct and indirect support of the university's instruction, research and service missions; university administrative functions; student and campus life activities; and the free exchange of ideas within the university community and among the university community and the wider local, national, and world communities.

This policy applies to all people who maintain or manage university IT resources, their supervisors, and their unit administrators.  It applies to all locations of those resources, whether on campus or from remote locations. This policy is intended to help protect data confidentiality, integrity, availability, accountability, and assurance.  Additional policies may govern specific data, computers, computer systems or networks provided or operated by all specific UF and subsidiary units of the university.
General Rules

All IT security measures must comply with federal and state laws, university rules and policies, and the terms of applicable contracts including software licenses.  Examples of applicable laws, rules and policies include the laws of libel, privacy, copyright, trademark, obscenity and child pornography; the Florida Computer Crimes Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, which prohibit "hacking," "cracking" and similar activities; the university's Student Code of Conduct; the university's Sexual Harassment Policy.   IT staff with questions as to how the various laws, rules and resolutions may apply to a particular use of university computing resources should contact the Office of the General Counsel or their appropriate legal services for more information.

Requests for exceptions to this policy must be submitted in writing by the Unit ISM to the OIT Security Committee for review. The UF ISM will respond to all requests for exceptions in writing.

This policy will be reviewed and updated by OIT Security Committee as needed, but at a minimum annually.

UF IT Security Manager (UF ISM)

The UF ISM or a designee is responsible for risk assessment, enterprise network intrusion detection, maintaining Unit ISM contact information, working with Unit ISMs to resolve exposures and reduce potential exposures, the UF security web site, and organizing IT security training events.  

Unit IT Security Managers (Unit ISM)

Each unit must appoint an IT security manager.  At a minimum, Unit ISMs must be named at the division or college level.  While the Unit ISM is responsible to the unit administrative structure, they must be made known to the UF ISM.  They are responsible for coordinating security efforts within that unit's organizational hierarchy.  The unit ISM, in coordination with the unit administration, has the authority and responsibility to direct action as needed to protect IT resources in their unit.  They have authority to enforce UF IT security policies and direct action related to violations.

To ensure professional management of UF IT resources, the Unit ISM must ensure that the unit follows the UF IT Security Procedures (http://www.it.ufl.edu/policies/security/procedures.html) and complies with the UF Security Guidelines (http://www.it.ufl.edu/policies/security/guidelines.html). Users should not manage University of Florida IT resources.  Qualified professional IT consultants may be outsourced to manage or maintain unit IT resources.  If the unit cannot support an IT professional, they should seek assistance from IT staff in another unit or contact the UF ISM.

The Unit ISM must subscribe to net-managers-l@lists.ufl.edu.

Unmanaged Hosts

The University recognizes that the Unit ISM may not manage personally owned IT resources.  Unmanaged hosts include computers and other network-connected devices that are not managed by the unit IT staff.  Examples include, but are not limited to personally owned laptops, computers and other devices used in classrooms, at walkups, with wireless, and in housing.  Only network access points designated by the Unit ISM may be used by unmanaged hosts.  The user of the unmanaged host must comply with the UF Acceptable Use Policy and all other UF policies.

The Unit ISM is responsible for all network access points used by unmanaged hosts, but is not responsible for the hosts themselves.  The Unit ISM has the responsibility to be able to identify a user responsible for a given port at any given time.  The Unit ISM must be able to instigate disruption of service to the user and/or address.  The Unit ISM also has the responsibility to coordinate the notification to the user and ensure that the incident is resolved.

Vendor Managed Hosts

Vendors that manage hosts on the UF network must be informed of this security policy and sign an agreement to comply with it.  The Unit ISM must maintain contact information for all vendors managing hosts on their network.  Requests for exceptions to this policy must be submitted in writing by the Unit ISM to the OIT Security Committee.  The UF ISM will respond to all requests for exceptions in writing.

Establishing Unit Policies and Procedures

All units must have written IT security policies and procedures.  The Unit ISM, in cooperation with the unit administration, is responsible for the coordination of IT security policies and procedures.   Unit security policies and procedures must be available to the UF ISM upon request.  It is the responsibility of all UF and subsidiary units to identify and document all UF IT assets to be protected.

Physical Security

The Unit ISM is responsible for the protection of all IT infrastructure, equipment, and hardware located within their unit. The Unit ISM must document adequate physical security measures for the protection of physical and logical assets, and sensitive applications and data. The Unit ISM must identify, document, and implement auditable locks where necessary to secure IT resources in their unit. Where appropriate, campus locations must coordinate with the Physical Plant Division (PPD), 392-1411. Where possible, IT resources should be aggregated to reduce the cost of physical security and environmental control.

Authentication, Authorization and Auditability

Units must establish criteria for issuing and revoking accounts.  All UF and subsidiary units should establish policy and procedures regarding guest access.

The unit policy must describe minimum authentication requirements, including password restrictions where applicable.

When technically possible, an audit trail must be implemented to track any device connected to the campus network and the associated users.  All UF and subsidiary units must maintain logs with accurate time stamps.  UF and applicable subsidiary units must maintain logs according to General Records Schedule GS1-S Item 104, which requires that most such records be retained for three years.

Host and Network Security

In cases where stateful packet inspection is used, network firewalls must be documented and coordinated with Network Services.

UF and applicable subsidiary Unit ISMs will coordinate the establishment of all external network connections for their unit with Network Services.  As every external network connection is potentially an entry point for intruders, Unit ISMs must document all external network connections in their unit, including modems.

Training and Security Awareness

Unit ISMs must ensure that all users within their unit are aware of, have access to, and comply with the UF Acceptable Use Policy.   They should help to ensure that all people who maintain or manage IT resources within their unit are aware of, have access to, and comply with UF's Information Technology Security Policy and their Unit IT Security Policy.

Application Development

The Unit ISM has the authority and responsibility to ensure a secure development process and deployment of network computer applications intended for use at the University of Florida for processing financial data, student data, health data, mission critical data, intellectual property or any other data that is sensitive, confidential, or protected by law. It is incumbent upon the developer to demonstrate to the Unit ISM that they follow secure application development guidelines, such as those described in the UF Guidelines to Develop Applications for Secure Deployment.

Risk Assessment

The UF ISM will conduct a comprehensive risk analysis of security threats to IT resources for each UF unit at least once every three years.

Incident Response

All UF and subsidiary units must immediately notify the UF ISM of security incidents in their unit involving threats to other IT resources.  UF and applicable subsidiary unit ISMs must immediately notify the UF ISM of security incidents in their unit involving copyright violations or unauthorized privileged access.  Law enforcement should be notified of incidents involving threat to property or life, damages in excess of $10,000, or child pornography.  UF and applicable subsidiary unit ISMs should consult with the UF General Counsel to determine if law enforcement should be notified.  Other incidents should be reported according to the judgment of the Unit ISM.

Virus Protection

It is the responsibility of the designated IT staff to ensure up-to-date virus protection on file and print servers; email, web, and news servers; and workstations.

Software Installations

The Unit ISM has the responsibility to request the removal of software that does not comply with licensing agreements or copyright law, but it is the responsibility of the user to comply with licensing agreements and copyright law as defined in the UF Acceptable Use Policy.

Business Resumption Plan

Each unit must maintain a business resumption plan. There must be written plans detailing procedures for various disaster scenarios, both natural and man-made. To guard against disaster, critical IT resources must be preserved against loss or corruption by appropriate backup procedures.

Enforcement

Unit administrators and IT staff who fail to adhere to this policy may be subject to penalties and disciplinary action, both within and outside the university. Violations will be handled through the university disciplinary procedures applicable to the relevant Unit or IT employee.  The university may temporarily suspend, block or restrict access to IT resources, IT staff, and/or Units independent of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of university or other IT resources or to protect the university from liability. The university may also refer suspected violations of applicable law to appropriate law enforcement agencies.
