OBJECTIVE & PURPOSE:
To define the IT security standards and procedures that safeguards the confidentiality, integrity and availability of all IT systems, data and other resources under the purview of UNF’s Information Technology Services (ITS).
To supplement the current UNF ITS policies, procedures and guidelines as well as comply with all applicable federal and state regulations and policies.
STATEMENT OF PLAN:
The UNF IT Security Plan will apply to all information systems and resources connected to UNF’s networks. The UNF IT Security Plan will also supplement the current UNF ITS policies, procedures and guidelines as well as comply with all applicable Federal, state and local laws, rules and policies
The plan will address the following:
Acquisition- an IT asset/service that is obtained either by purchase and/or lease by the University
Business computer systems - any software package or database that supports a University business function or works in conjunction with other systems that support a business function; most of the mission-critical business functions of the University are maintained by ITS.
Computer Virus- malicious code or program that inserts or attaches itself to a legitimate program or document that to execute its code. A virus has the potential to cause unexpected or damaging effects, such as harming the system software by corrupting or destroying data.
Covered account - Potentially includes all accounts or loans that are administered by the University.
Covered/Protected Data- sensitive and personal information; can also be referred to as “controlled unclassified information.” Covered data and information includes both paper and electronic records and includes:
Data Classification- process of organizing data into categories for its most effective and efficient use.
Decentralized business computer system- a business computer system that is not maintained by ITS
Export control laws and regulations- governs how certain commodities, information, technical data, technology, technical assistance, and research may be released to U.S. persons outside the U.S. and to foreign persons whether located in the U.S. or outside of the U.S.
Florida Computer Crimes Act- describes the circumstances under which the unauthorized use of computer equipment, services, or accounts may be prosecuted as a misdemeanor of the first degree, felony of the third degree, or felony of the second degree with penalties ranging from 1 to 15 years of imprisonment and fines of $1,000 to $10,000.
Identifying information - Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including:
Identity theft- Fraud committed or attempted using the identifying information of another person without authority.
includes network and software design, as well as information processing, storage, transmission, retrieval, and disposal.
Internal Use Data- information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use.
Network Acceptable Use- the use of University resources by the University’s community that is deemed responsible and is within the parameters of Federal, state and local laws, rules and policies.
Password- a secret word or phrase that must be used to gain admission to something (i.e. a computer system)
Property Protection- intent is to capture video and store it on a remote device so that if property is reported stolen or damaged, the video may show the perpetrator.
information that may or must be open to the general public.
Restricted Data- information protected by statutes, regulations, University policies or contractual language.
Red flag- a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
Red Flags Rule- created by the Federal Trade Commission; implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.
Risk Assessment- a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking.
Security Program Manager- the Director of Network, Systems and Security ("Security Manager”). The Security Manager is housed in Information Technology Services and works closely with the Controller, the Registrar, Human Resources, and the Office of General Counsel.
Service Providers- refers to all third parties who, in the ordinary course of University business, are provided access to covered data.
Roles and Responsibilities
Associate Vice President and CIO
Provide strategic direction and planning for the computing and information technology services of the university. Serve as the University’s representative on statewide information technology issues. Responsible for the formulation, development and implementation of policies affecting departments under his/her leadership. Participate on and/or chair a wide range of high-level cross-functional teams and committees. May be responsible for external relations with appropriate groups and stakeholders.
Director of Networking, Systems & Security (NSS)
Responsible for planning, organizing, staffing, directing and controlling all service and support functions within one or more functions areas with the Information Technology department. Exercises leadership in the formulation, development, presentation, and implementation of departmental strategies and objectives relative to campus network systems, and security to ensure departmental goals and objectives met. Recommend budget and expenditures related to the university’s strategic and operational initiatives. Provide recommendations to the Chief Information Officer on technology best practices. Develop and/or supervise the implementation of Information Technology programs, policies & procedures. Serve in an advisory capacity, providing coaching and consultation to NSS staff.
Assistant Director of IT Security
Lead, supervise and manage a team responsible for the development, maintenance, monitoring, and support of an information technology (IT) security framework to protect information resources from inappropriate alteration, physical destruction, and unauthorized access. Monitor threat advisory reports from information security agencies and services. Create and implement procedures for responding to IT security incidents. Assist in the development and implementation of strategies and objectives to ensure departmental goals are met as well as interpret laws, rules, policies & procedures.
IT Security Engineer
Coordinates the collection of media requiring secure data destruction services. Conducts evaluations of security functions and takes actions regarding security issues. Assists with analysis of services and needs; recommends improvements. Installs and manages security systems across the entire network. Conducts security assessment and security audits and manages remediation plans. Creates, manages and maintains user security awareness programs. May interpret departmental policies for area of responsibility.
Senior Security Analyst
Audits systems to ensure data is accurate and up to date. Investigates alerts and follow established procedures to remediate conditions that do not follow approved policies and guidelines. Provides technical assistance and support for incoming information security queries and issues related to computer systems, software, and hardware. Reviews violations of computer security procedures and discuss procedures with violators to ensure violations are not repeated. Manages user access to various third party and hosted applications. Work collaboratively with university staff to ensure program’s success. May interpret departmental policies for area of responsibility.
IT Security Analyst
Audits systems to ensure data is accurate and up to date. Investigates alerts and follow established procedures to remediate conditions that do not follow approved policies and guidelines. Provides technical assistance and support for incoming information security queries and issues related to computer systems, software, and hardware. Reviews violations of computer security procedures and discuss procedures with violators to ensure violations are not repeated. Conduct risk assessments and security audits, and manage remediation plans. Preform network penetration tests. Work collaboratively with university staff to ensure program’s success. Assist in the preparation & delivery of workshops and training programs. May interpret departmental policies for area of responsibility.
University of North Florida IT Security Program
The UNF ITS Security Plan supplements the Official Security Policies, Standards, and Procedures that have been established for the UNF System. This security plan is intended to comply with the regulations and policies set down by the State of Florida, the University of North Florida, FERPA, PCI, HIPAA, the Federal Information Security Management Act (FISMA), and other state and federal regulations.
The UNF IT Security Program’s documentation describes many of the activities the University currently undertakes, and will undertake, to maintain covered data according to legal and University requirements. The Information Security Program document provides an outline of the safeguards that apply to this information. The practices set forth in the document will be carried out by and impact diverse areas of the University.
The Information Security Program has five components: (1) designating an employee or office responsible for coordinating the program; (2) conducting risk assessments to identify reasonably foreseeable security and privacy risks; (3) ensuring that safeguards are employed to control the risks identified and that the effectiveness of these safeguards is regularly tested and monitored; (4) overseeing service providers, and (5) maintaining and adjusting the Information Security Program based upon the results of testing and monitoring conducted as well as changes in operations or operating systems.
IT Security Program Manager Designation
The Security Program Manager is responsible for the following:
UNF ITS will identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or otherwise compromise such information, and assess the sufficiency of any safeguards in place to control these risks. Risk assessments will include:
Information Safeguards and Monitoring
The Information Security Program will verify that information safeguards are designed and implemented to control the risks identified in the risk assessments set forth above. The Security Manager will ensure that reasonable safeguards and monitoring are implemented and cover each unit that has access to covered data. Such safeguards and monitoring will include the following:
The Information Security Program will ensure that reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue and requiring service providers by contract to implement and maintain such safeguards.
The Security Manager, by survey or other reasonable means, will identify service providers who are provided access to covered data. The Security Manager will work with the Office of General Counsel, and other offices as appropriate, to make certain that service provider contracts contain appropriate terms to protect the security of covered data.
List of Related Policies
Please note this list is not exhaustive and is presented in alphabetical order.
University of North Florida Policies
6.0060P - Campus Security Cameras
6.0220P - Data Classification & Security
6.0070P - Decentralized Business and Networking Systems
1.0130P - Export Control Laws and Regulations - Compliance Policy
4.0030R - Limited Access Personnel Records
6.0050P - Network Acceptable Use
6.0120P - Red Flag Policy
ITS Policies and Procedures
Access to Computing Systems Managed by ITS
Access to Optical Fiber Managed by ITS
Acquisition and Personal Use of Information Technology Equipment and Resources
Florida Computer Crimes Act
Passwords on Computing Systems Managed by ITS
Responsible Use Guidelines
Terminated Employee Information Security Procedures
Copyright © 2017 University of North Florida1 UNF Drive | Jacksonville, FL 32224 | Phone: (904) 620-1000
RegulationsConsumer Information | Disability Accommodations