Standard 1: Information Resource Security Responsibilities and Accountability

Revision Number:

New Standard
Major Revision of Existing Standard
Minor/Technical Revision of Existing Standard
Reaffirmation/Review of Existing Standard

Effective Date:

2/24/2020

Revised Date:

2/24/2020

Review Date:

2/24/2020

Responsible Division/Department:
Office of the CIO / Information Technology Services

Designation of responsibility. The University of North Florida (UNF) must have designated and documented roles and responsibilities for the information security function.

The Chief Information Officer (CIO) shall:
1. Ensure the University's compliance with this policy and associated standards;
2. Designate an individual to serve as the UNF Chief Information Security Officer (CISO) who:
  1. Shall report to executive level management;
  2. Has authority for information security for the entire University;
  3. Possesses training and experience required to administer the functions described herein;
Information resource owners and data under their authority shall:
1. Grant access to information systems and data;
2. Conduct risk assessments that identify the information resources under their authority and the level of risk associated with the information resources and the vulnerabilities, if any, to the UNF information security environment;
3. Control and monitor access to data based on data sensitivity and risk;
4. Classify data based on Standard 9 - Data Classification;
5. Ensure that data is securely backed up in accordance with risk management decisions;
6. Ensure that data is maintained in accordance with the applicable University records retention schedule and procedures;
7. Provide documented permission and justification for any user who is to store internal use or sensitive University data on a portable computing device or a non-University owned computing device;
8. Ensure that high risk computing devices and internal use or sensitive data are encrypted in accordance with requirements specified in Standard 11 - Safeguarding Data;
9. Ensure that information resources under their authority are administered by qualified information resource custodians;
10. Ensure that a risk assessment is performed prior to purchase of any software that has not been previously assessed by the University for use under similar circumstances;
11. Ensure that a third-party risk assessment is performed prior to purchase of vendor services that involve hosting or accessing University data; and
12. Ensure that contracts involving products or services that impact information resources contain information security language appropriate to the risk.
13. Adopt a disaster recovery plan for information resources and ensure testing is performed in accordance with the requirements of Standard 6 - Backup and Disaster Recovery.
Department heads and lead researchers shall classify and appropriately secure data under their control including data held in relation to subcontracts for projects in which the prime award is at another University or agency.
Information resource custodians shall:
1. Implement approved risk mitigation strategies and adhere to information security Policies and Procedures to manage risk levels for information resources under their care;
2. Implement monitoring controls for detecting and reporting incidents;
3. Control and monitor access to information resources under the custodian's care based on sensitivity and risk;
4. Implement and adhere to approved University change management processes to ensure secure, reliable, and stable operations specified in Standard 7 - Change Management;
5. Encrypt high risk computing devices, internal use and sensitive data in accordance with requirements specified in Standard 11 - Safeguarding Data;
6. Provide appropriate technical training to employees providing information technology, security, help desk, or technical support for information resources under their responsibility; and
7. Ensure that technical staff under their authority are qualified to perform their assigned duties.
Information security administrators shall:
1. Implement and comply with all IT policies and procedures relating to assigned information systems;
2. Assist owners in performing annual information security risk assessments;
3. Report computing and security incidents to the UNF CISO;
4. Assist the UNF CISO in developing, implementing, and monitoring the information security program, and in establishing reporting guidance, metrics, and timelines for the UNF CISO to monitor effectiveness of security strategies; and
5. Report at least annually to the UNF CISO about the status and effectiveness of information resources security controls.
University office with designated responsibility for account management. Each office within UNF responsible for account management shall manage accounts in accordance with this policy and all other applicable UNF information security policies, standards, and procedures.
Assistant Director, Network Engineering shall:
1. Configure and manage network resources in accordance with this policy and all other applicable UNF information security policies, standards, and procedures;
2. Segment the UNF network physically or logically to reduce the scope of potential exposure of information resources in the event of a security incident;
3. Separate Internet facing applications from internal applications;
4. Maintain appropriate access to the network infrastructure in accordance with this policy and all other applicable UNF information security policies, standards, and procedures;
5. Manage, test, and update operating systems and applications for network equipment; and
6. Approve all access methods, installation of all network hardware connected to the campus network and methods and requirements for attachment of any Non-UNF owned computer systems or devices to the UNF network.
Users shall:
1. All users must comply with this policy. Users who fail to comply are subject to disciplinary action in accordance with University disciplinary actions.
2. All users who are University employees, including student employees, or who are otherwise serving as an agent or are working on behalf of the University, must formally acknowledge and comply with the University's Acceptable Use Policy as directed in Standard 2 - Acceptable Use of Information Resources.