OBJECTIVE & PURPOSE:
To define the IT security standards and procedures that safeguards the confidentiality, integrity and availability of all IT systems, data and other resources under the purview of UNF's Information Technology Services (ITS).
To supplement the current UNF ITS policies, procedures and guidelines as well as comply with all applicable federal and state regulations and policies.
STATEMENT OF PLAN:
The UNF IT Security Plan will apply to all information systems and resources connected to UNF's networks. The UNF IT Security Plan will also supplement the current UNF ITS policies, procedures and guidelines as well as comply with all applicable Federal, state and local laws, rules and policies
The plan will address the following:
- Definitions of terms used in the UNF IT Security Plan and related documentation
- The roles and responsibilities of individuals and groups at UNF
- Brief overview of the UNF IT Security Program, applicable UNF Policies and applicable UNF ITS Policies
Acquisition- an IT asset/service that is obtained either by purchase and/or lease by the University
Business computer systems - any software package or database that supports a University business function or works in conjunction with other systems that support a business function; most of the mission-critical business functions of the University are maintained by ITS.
Computer Virus- malicious code or program that inserts or attaches itself to a legitimate program or document that to execute its code. A virus has the potential to cause unexpected or damaging effects, such as harming the system software by corrupting or destroying data.
Covered account - Potentially includes all accounts or loans that are administered by the University.
Covered/Protected Data- sensitive and personal information; can also be referred to as "controlled unclassified information." Covered data and information includes both paper and electronic records and includes:
- Student financial information
- Medical and health insurance information
- Social Security number
- Driver's license number or Identification Card number
- Phone numbers
- Income and credit histories
- Bank account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
- Credit card information
- Other personal information that is not directory information or publicly available Covered data and information includes both paper and electronic records.
Data Classification- process of organizing data into categories for its most effective and efficient use.
Decentralized business computer system- a business computer system that is not maintained by ITS
Export control laws and regulations- governs how certain commodities, information, technical data, technology, technical assistance, and research may be released to U.S. persons outside the U.S. and to foreign persons whether located in the U.S. or outside of the U.S.
Florida Computer Crimes Act- describes the circumstances under which the unauthorized use of computer equipment, services, or accounts may be prosecuted as a misdemeanor of the first degree, felony of the third degree, or felony of the second degree with penalties ranging from 1 to 15 years of imprisonment and fines of $1,000 to $10,000.
Identifying information - Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including:
- telephone number
- social security number
- date of birth
- government issued driver's license or identification number
- alien registration number
- government passport number
- employer or taxpayer identification number
- student identification number
- computer's Internet Protocol address, or routing code
Identity theft- Fraud committed or attempted using the identifying information of another person without authority.
Information Systems- includes network and software design, as well as information processing, storage, transmission, retrieval, and disposal.
Internal Use Data- information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use.
Network Acceptable Use- the use of University resources by the University's community that is deemed responsible and is within the parameters of Federal, state and local laws, rules and policies.
Password- a secret word or phrase that must be used to gain admission to something (i.e. a computer system)
Property Protection- intent is to capture video and store it on a remote device so that if property is reported stolen or damaged, the video may show the perpetrator.
Public Data- information that may or must be open to the general public.
Restricted Data- information protected by statutes, regulations, University policies or contractual language.
Red flag- a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
Red Flags Rule- created by the Federal Trade Commission; implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.
Risk Assessment- a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking.
Security Program Manager- the Director of Network, Systems and Security ("Security Manager"). The Security Manager is housed in Information Technology Services and works closely with the Controller, the Registrar, Human Resources, and the Office of General Counsel.
Service Providers- refers to all third parties who, in the ordinary course of University business, are provided access to covered data.
Roles and Responsibilities
Associate Vice President and CIO
Provide strategic direction and planning for the computing and information technology services of the university. Serve as the University's representative on statewide information technology issues. Responsible for the formulation, development and implementation of policies affecting departments under his/her leadership. Participate on and/or chair a wide range of high-level cross-functional teams and committees. May be responsible for external relations with appropriate groups and stakeholders.
Director of Networking, Systems & Security (NSS)
Responsible for planning, organizing, staffing, directing and controlling all service and support functions within one or more functions areas with the Information Technology department. Exercises leadership in the formulation, development, presentation, and implementation of departmental strategies and objectives relative to campus network systems, and security to ensure departmental goals and objectives met. Recommend budget and expenditures related to the university's strategic and operational initiatives. Provide recommendations to the Chief Information Officer on technology best practices. Develop and/or supervise the implementation of Information Technology programs, policies & procedures. Serve in an advisory capacity, providing coaching and consultation to NSS staff.
Assistant Director of IT Security
Lead, supervise and manage a team responsible for the development, maintenance, monitoring, and support of an information technology (IT) security framework to protect information resources from inappropriate alteration, physical destruction, and unauthorized access. Monitor threat advisory reports from information security agencies and services. Create and implement procedures for responding to IT security incidents. Assist in the development and implementation of strategies and objectives to ensure departmental goals are met as well as interpret laws, rules, policies & procedures.
IT Security Engineer
Coordinates the collection of media requiring secure data destruction services. Conducts evaluations of security functions and takes actions regarding security issues. Assists with analysis of services and needs; recommends improvements. Installs and manages security systems across the entire network. Conducts security assessment and security audits and manages remediation plans. Creates, manages and maintains user security awareness programs. May interpret departmental policies for area of responsibility.
Senior Security Analyst
Audits systems to ensure data is accurate and up to date. Investigates alerts and follow established procedures to remediate conditions that do not follow approved policies and guidelines. Provides technical assistance and support for incoming information security queries and issues related to computer systems, software, and hardware. Reviews violations of computer security procedures and discuss procedures with violators to ensure violations are not repeated. Manages user access to various third party and hosted applications. Work collaboratively with university staff to ensure program's success. May interpret departmental policies for area of responsibility.
IT Security Analyst
Audits systems to ensure data is accurate and up to date. Investigates alerts and follow established procedures to remediate conditions that do not follow approved policies and guidelines. Provides technical assistance and support for incoming information security queries and issues related to computer systems, software, and hardware. Reviews violations of computer security procedures and discuss procedures with violators to ensure violations are not repeated. Conduct risk assessments and security audits, and manage remediation plans. Preform network penetration tests. Work collaboratively with university staff to ensure program's success. Assist in the preparation & delivery of workshops and training programs. May interpret departmental policies for area of responsibility.
University of North Florida IT Security Program
The UNF ITS Security Plan supplements the Official Security Policies, Standards, and Procedures that have been established for the UNF System. This security plan is intended to comply with the regulations and policies set down by the State of Florida, the University of North Florida, FERPA, PCI, HIPAA, the Federal Information Security Management Act (FISMA), and other state and federal regulations.
The UNF IT Security Program's documentation describes many of the activities the University currently undertakes, and will undertake, to maintain covered data according to legal and University requirements. The Information Security Program document provides an outline of the safeguards that apply to this information. The practices set forth in the document will be carried out by and impact diverse areas of the University.
The Information Security Program has five components: (1) designating an employee or office responsible for coordinating the program; (2) conducting risk assessments to identify reasonably foreseeable security and privacy risks; (3) ensuring that safeguards are employed to control the risks identified and that the effectiveness of these safeguards is regularly tested and monitored; (4) overseeing service providers, and (5) maintaining and adjusting the Information Security Program based upon the results of testing and monitoring conducted as well as changes in operations or operating systems.
IT Security Program Manager Designation
The Security Program Manager is responsible for the following:
- The Security Manager will consult with responsible offices to identify units and areas of the University with access to covered data. The Compliance Office, Internal Auditor and other offices and units assist with the implementation of this program.
- The Security Manager will ensure that risk assessments and monitoring are carried out for each unit or area that has covered data and that appropriate controls are in place for the identified risks.
- The Security Manager will ensure that reasonable safeguards and monitoring are implemented and cover each unit that has access to covered data.
- The Security Manager may require units with substantial access to covered data to further develop and implement comprehensive security plans specific to those units and to provide copies of the plan documents.
- The Security Manager may designate, as appropriate, responsible parties in each area or unit to carry out activities necessary to implement the IT Security Plan.
- The Security Manager will work with responsible parties to ensure adequate training and education is developed and delivered for all employees with access to covered data.
- The Security Manager will, in consultation with other University offices, verify that existing policies, standards and guidelines that provide for the security of covered data are reviewed and adequate.
- The Security Manager will make recommendations for revisions to policy, or the development of new policy, as appropriate.
- The Security Manager will prepare an annual report on the status of the Information Security Program and provide that to the University's Chief Information Officer.
- The Security Manager will update the Information Security Program's documentation, including this and related documents, from time to time. The Security Manager will maintain a written security plan containing the elements set forth by the UNF IT Security Program and make the plan available to the University community.
UNF ITS will identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or otherwise compromise such information, and assess the sufficiency of any safeguards in place to control these risks. Risk assessments will include:
- Consideration of risks in each area that has access to covered information
- Consideration of employee training and management
- Information systems, including network and software design
- Information processing, storage, transmission and disposal
- Systems for detecting, preventing, and responding to attacks, intrusions, or other system failures
Information Safeguards and Monitoring
The Information Security Program will verify that information safeguards are designed and implemented to control the risks identified in the risk assessments set forth above. The Security Manager will ensure that reasonable safeguards and monitoring are implemented and cover each unit that has access to covered data. Such safeguards and monitoring will include the following:
- Employee management and training of those individuals with authorized access to covered data.
- Requiring that electronic covered data:
- Be entered into a secure, password-protected system
- Use secure connections to transmit data outside the University
- Use secure servers
- Be maintained in an inventory of servers or computers with covered data
- Is not stored on unencrypted transportable media (USB drives, laptops, tablets, CD/DVD, etc.)
- Is permanently erased from computers, diskettes, magnetic tapes, hard drives, or other electronic media before re-selling, transferring, recycling, or disposing of them
- Be protected from physical hazards such as fire or water damage
- Other reasonable measures to secure covered data during its life cycle in the University's possession or control.
- Requiring that physical records that contain covered data:
- Be stored in a secure area and limiting access to that area;
- Be protected from physical hazards such as fire or water damage;
- As pertains to outdated records., be disposed of in accordance with a document disposal policy;
- Be shredded before disposal;
- Other reasonable measures to secure covered data during its life cycle in the University's possession or control.
The Information Security Program will ensure that reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue and requiring service providers by contract to implement and maintain such safeguards.
The Security Manager, by survey or other reasonable means, will identify service providers who are provided access to covered data. The Security Manager will work with the Office of General Counsel, and other offices as appropriate, to make certain that service provider contracts contain appropriate terms to protect the security of covered data.
List of Related Policies
Please note this list is not exhaustive and is presented in alphabetical order.
University of North Florida Policies
6.0060P - Campus Security Cameras
6.0220P - Data Classification & Security
6.0070P - Decentralized Business and Networking Systems
1.0130P - Export Control Laws and Regulations - Compliance Policy
4.0030R - Limited Access Personnel Records
6.0050P - Network Acceptable Use
6.0120P - Red Flag Policy
ITS Policies and Procedures
Access to Computing Systems Managed by ITS
Access to Optical Fiber Managed by ITS
Acquisition and Personal Use of Information Technology Equipment and Resources
Florida Computer Crimes Act
Passwords on Computing Systems Managed by ITS
Responsible Use Guidelines
Terminated Employee Information Security Procedures