University of Florida Information Technology Security Policies
General Rules
All UF IT security measures must comply with federal and state laws, university rules and policies, and the terms of applicable contracts including software licenses. Examples of applicable laws, rules and policies include the laws of libel, privacy, copyright, trademark, obscenity and child pornography; the Florida Computer Crimes Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, which prohibit "hacking," "cracking" and similar activities; the university's Student Code of Conduct; and the university's Sexual Harassment Policy. IT workers with questions as to how the various laws, rules and resolutions may apply to a particular use of university computing resources should contact the Office of the General Counsel or their appropriate legal services for more information.
Security has the potential to impact usability. Where usability and security seem to be in conflict, IT workers must coordinate with their Level 2 Unit ISA and Unit ISM to implement a solution that enables all users to reliably perform their essential University job functions in the most secure manner consistent with applicable laws, policies, standards, and procedures. Units are expected to provide careful oversight to ensure that a balance between security and productivity is maintained. Ideally, responsibilities for security management and for day-to-day operation are assigned to different individuals of equal authority. Security managers should not be subordinate to managers of day-to-day operation.
Requests for exceptions to this charter must be submitted in writing by the Level 2 Unit ISM to the Information Technology Advisory Committee on Information Security Management (ITAC-ISM) for review. The UF ISM will respond to all requests for exceptions in writing.
These policies will be reviewed and updated by ITAC-ISM as needed, but at a minimum every three years.
Policies
- The confidentiality, integrity and availability of UF IT resources must be ensured. However, availability of IT resources may be temporarily suspended, blocked or restricted when it is reasonably necessary to protect UF IT resources or liability.
- All IT workers must be aware of the duties and responsibilities of their position with respect to IT security, and comply with all applicable laws, policies, standards, and procedures.
- An auditing system must be in place to identify use of UF IT resources.
- UF IT resources must be protected from unauthorized access.
- All IT resources must be made as robust against unauthorized use or attack as possible, consistent with providing necessary services.
- The security implications of all changes to IT resources must be considered.
- Security incidents impacting confidentiality, integrity or availability of IT resources must be investigated, documented, reported and resolved in a timely manner.
- A plan must be documented for the recovery from incidents impacting confidentiality, integrity, or availability of IT resources.
