Skip to Main Content
Information Technology Services

Standard 3: Information Security Program

  1. UNF must establish and maintain an information security program that includes appropriate protections, based on risk, for all information resources including outsourced resources, owned, leased, or under the custodianship of any governing body or department, operating unit, or employee of the University.
  2. Information Security Program. Each information security program must include and document the following:
    1. annual risk assessment;
    2. current inventory of
      1. institution-owned or managed computing devices deployed throughout the institution, and
      2. Mission-critical applications and applications containing confidential data;
    3. strategies to address identified risks to mission-critical information resources and confidential data;
    4. annual action plan, training plan, and monitoring plan; and
    5. metrics, reports, and timelines established by UNF IT Security.
  3. Information Security Program Exceptions. The owner of the information resource must work with the UNF Chief Information Security Officer and must document and justify any exceptions to specific program requirements in accordance with requirements and processes defined in Standard 22 - Security Exceptions.