UF Information Technology Security Charter

Introduction

This charter defines the mission and objectives of the University of Florida (UF) Information Technology (IT) security program, outlines the scope of the organization’s mandate, defines terms, and delineates roles and responsibilities for information security throughout the organization. Enforcement rules are also included in this charter.

Unauthorized access, breach of confidentiality, loss of integrity, disruption of availability, and other risks threaten UFIT resources. UFIT security policies are aimed at reducing exposure to threats, thereby minimizing risk in order to protect UFIT resources. Policies are goals or mandates used to cultivate standards. UFIT security standards define metrics against which results can be measured to determine compliance with the policies and describe objectives for procedures. UFIT security procedures detail how to implement standards in order to comply with policies. Guidelines are suggested methods, best practices, or clarifications to assist with the implementation of standards.

Mission and Objectives

As part of its educational mission and strategic plan to provide state-of-the-art information technology to meet the needs of faculty and students in research and teaching, the University of Florida (UF) acquires, develops, and maintains data and information, computers, computer systems and networks. These information technology (IT) resources are intended for university related purposes, including direct and indirect support of the university’s instruction, research and service missions; university administrative functions; student and campus life activities; and the free exchange of ideas within the university community and among the university community and the wider local, national, and world communities.

The mission of the UF information security program is to support the goals of UF by assuring the availability, integrity and appropriate confidentiality of information. Primary objectives include development and implementation of proactive measures to prevent security problems and effective response to security problems when prevention methods are defeated.

Scope

This charter applies to all people who maintain or manage university IT resources, their supervisors and their unit administrators. It applies to all locations of those resources, whether on campus or remote locations. It applies to all UF and unit policies, standards and procedures, some of which are listed below. This charter is intended to help protect integrity, availability, accountability and appropriate confidentiality of UFIT resources. Additional standards and procedures may govern specific data, computers, computer systems or networks provided or operated by specific UF and subsidiary units.

  • Acceptable Use of Computing Resources
  • UF Policy for Security Management Responsibilities
  • UF Physical Security Standard
  • UF Network Security Standard
  • UF Software Security Standard
  • UF Risk Assessment Standard
  • UF Incident Response Standard
  • UFIT Training and Security Awareness Standard
  • UF Data Security Standard
  • Business Resumption Standard

Enforcement

Unit administrators and IT workers who fail to adhere to this charter may be subject to penalties and disciplinary action, both within and outside the university. Violations will be handled through the university disciplinary procedures applicable to the relevant Unit or IT employee. The university may suspend, block or restrict access to IT resources, IT workers, and/or Units independent of such procedures, when it reasonably appears in the best interest of the University to do so. The university may also refer suspected violations of applicable law to appropriate law enforcement agencies.

Definitions

UF Unit: College, Department, Research Center, Institute or other administrative subdivision connected to the University of Florida network.
Subsidiary Unit: A major unit which has a distinct and divergent mission statement from that of UF, and which in some cases may also be a separate legal entity, such as Shands.
Associate: An entity external to UF that performs functions or activities that involve the use or disclosure of information on behalf of, or provides services to, the University.
IT resource: Any equipment used to store, process, display or transport digital information is an IT resource. The associated data, applications and hardware, are also IT resources.
Information Technology (IT) worker: An individual hired by a unit to manage or maintain IT resources in that unit. IT duties must be specified in the job description.

Roles and Responsibilities

UF information security roles are organized in three main levels: Level 1 has responsibility for the entire university, Level 2 units are listed below, and Level 3 has responsibility for smaller units within Level 2 units. More levels may be added at the discretion of those responsible for Level 2.

Level 1 roles are UF Information Security Administrator (ISA) and UF Information Security Manager (ISM). Level 2 roles are Unit ISA and Unit ISM. The organizational structure for Level 3 and lower security contacts is defined by the Level 2 Unit ISA and Unit ISM. Level 3 and lower security contacts must work within the organizational structure established by their unit. To avoid confusion with Level 2 security titles, units must specify the level as part of Level 3 and lower titles, such as ‘Level 3 Unit ISA’ or ‘Level 3 Unit ISM’.

Level 2 units are:

  • Office of Finance and Administration
  • Bridges
  • Office of the Provost and Senior Vice President
  • Division of Student Affairs
  • Department of Housing and Residence Education
  • Office of the University Registrar
  • Research and Graduate Programs
  • Libraries
  • Computing and Networking Services
  • Office of Academic Technology
  • College of Business
  • College of Design, Construction, and Planning
  • College of Education
  • College of Engineering
  • College of Fine Arts
  • College of Health and Human Performance
  • College of Journalism
  • College of Law
  • College of Liberal Arts and Sciences
  • Institute of Food and Agricultural Sciences
  • Health Science Center
  • Interdisciplinary Center for Biotechnology Research
  • National Center for Construction Education and Research
  • International Center
  • Latin American Studies
  • P. K. Yonge Developmental Research School
  • Florida Museum of Natural History
  • Division of Continuing Education
  • University of Florida Foundation
  • Florida Center for Library Automation
  • Shands HealthCare
  • University Athletic Association
  • University Press of Florida
  • Division of Plant Industry
  • United States Department of Agriculture
  • Oak Hall School
  • Alachua Freenet
  • Cox Cable

UFIT Security Administrator (UF ISA)

The UF ISA has the responsibility to ensure implementation and management of the UFIT security program. The UF ISA has the authority to direct action as needed to protect UFIT resources. The UF ISA has the authority to enforce UFIT policies, standards, and procedures and to direct action related to violations. Where questions arise with respect to what constitutes a unit, the UF ISA has final authority.

UFIT Security Manager (UF ISM)

The UF ISM manages the UFIT security program and security team. The UF ISM is responsible for coordinating efforts to create and maintain centralized UFIT security policies, standards, and procedures. The UF ISM or a designee is responsible for enterprise risk assessment, enterprise network intrusion detection, working with Level 2 Unit ISMs to resolve exposures and reduce potential exposures, the UF security web site, and organizing IT security training and awareness events. The UF ISM is responsible for maintaining only Level 2 Unit ISA and Unit ISM contact information. Level 2 Unit ISAs and ISMs are listed in the contact database maintained by Network Services.

IT duties must be specified in the job description of the UF ISM.

Level 2 Unit IT Security Administrator (Unit ISA)

At a minimum, security authority and responsibility must be defined at the division or college level. The highest level unit administrator is the Level 2 Unit ISA, but this authority may be delegated. IT security responsibilities and reporting structure within the unit are at the discretion of the Level 2 Unit ISA, but a structure based on the UF structure is recommended, with security administrators and security managers designated in each sub-unit.

The Level 2 Unit ISA has the responsibility to ensure implementation and management of the unit’s IT security program. They have the authority to direct action as needed to protect unit IT resources. They have the authority to enforce UF and unit IT policies, standards, and procedures and to direct action related to violations. Each Level 2 Unit ISA must appoint a Level 2 Unit Information Security Manager (Unit ISM). The higher level unit has the discretion to designate ISMs at subordinate unit levels, but contact information must be maintained by the Level 2 Unit ISM.

Where appropriate, IT duties must be specified in the job description of the Level 2 Unit ISA.

Level 2 Unit IT Security Managers (Unit ISM)

Level 2 Unit ISMs are responsible for managing and coordinating security efforts within that unit’s organizational hierarchy. The Level 2 Unit ISM has the responsibility to advise unit administration of security implementations consistent with UFIT policies, standards, and procedures. While the Level 2 Unit ISM is responsible to their unit administrative structure, they must be made known to the UF ISM.

To ensure professional management of UFIT resources, the Level 2 Unit ISM must ensure that their unit complies with UFIT security policies, standards, and procedures and that employees in their unit are aware of applicable laws, policies, standards, and procedures.

All units must have specific written IT security policies, standards and procedures. The Level 2 Unit ISM, in cooperation with the Level 2 Unit ISA, is responsible for the coordination of unit IT security policies, standards, and procedures. Unit security policies, standards, and procedures must be available to the UF ISM upon request. Units must create standards for physical access, network and host access, incident response, data security, business resumption, awareness, etc.

It is possible that ISM duties for smaller units do not require a full-time commitment and may be assigned to an existing IT position. IT duties must be specified in the job description of the Level 2 Unit ISM. The Level 2 Unit ISM must coordinate with their unit administration to ensure that all networks in their unit have adequate professional coverage, including vacation alternates. The Level 2 Unit ISM must maintain contact information for their unit IT staff and appropriate alternates. The Level 2 Unit ISM must ensure that all people who manage IT resources in their unit are appropriately trained and aware of relevant laws, and UF policies, standards, and procedures. The Level 2 Unit ISM must coordinate within their unit various IT security responsibilities, including but not limited to monitoring, documenting, reporting, and correcting the cause of security breaches, establishing minimum security standards for the installation and configuration of IT resources, maintaining the operating systems, reviewing account termination, ensuring secure coding, and other security functions.

The Level 2 Unit ISM must be a permanent employee with more than 50% IT related job responsibility. They must have a high school diploma or equivalent, and at least 4 years of professional IT related job experience. IT related vocational training or college course work may substitute for experience. The Level 2 Unit ISM must be a full-time employee. An FBI background check is recommended for all people who maintain or manage IT resources, but is required before an individual is assigned Level 2 Unit ISM duties. Existing employees not on probation at the time this charter is implemented do not require an FBI background check.

The Level 2 Unit ISM should pursue IT security related continuing education such as Information Technology Security Awareness Day.

IT workers

IT workers maintain, manage, or have responsibility for UFIT resources. All IT workers must be qualified to implement UF and respective unit IT policies, standards, and procedures appropriate to their level of job responsibility, or they must be closely supervised by someone who is. Where questions arise with respect to qualifications of IT worker candidates, the hiring authority must coordinate with the Level 2 Unit ISM and the Unit ISA.

IT duties must be included in job descriptions of IT workers.

IT workers are responsible to keep informed of changes to UF and respective unit IT policies, standards, procedures, and other information resources.

UFIT Resource Categories

In terms of management and responsibility, the University of Florida recognizes the following categories of IT resources: professionally managed, personally managed, and managed by business associates. These categories are described below.

Professionally Managed IT Resources

Professionally managed IT resources are maintained by IT workers in a manner consistent with UFIT policies, standards, and procedures. Non-IT workers should not manage UFIT resources. Qualified professional IT consultants may be contracted to manage or maintain unit IT resources, but must comply with UF and respective unit IT policies, standards, and procedures. If the unit cannot support IT workers, they should seek assistance from IT workers in another unit or contact the UF ISM.

Personally Managed IT Resources

All UFIT resources must be managed by UFIT workers. The Level 2 Unit ISA can make exceptions for research or other purposes and allow non-IT workers to manage IT resources. These are referred to as personally managed IT resources. Personally managed IT resources also include personally owned devices such as laptops, computers, PDAs, and other IT equipment. Personally managed IT resources commonly connect in classrooms, at walkups, with wireless, and on the student residential network. Personally managed IT resources must meet the following requirements.

  • Before connecting to the UF Network, personally managed IT resources must connect only to designated network zones.
  • All personally managed IT resources connecting to unit networks must be coordinated with the Level 2 Unit ISM.
  • The Level 2 Unit ISM must ensure that maintainers of personally managed IT equipment in their unit are aware of relevant UFIT security policies, standards, and procedures.
  • The Level 2 Unit ISM must ensure that maintainers of personally managed IT resources comply with relevant UFIT security policies, standards, and procedures.

IT Resources Managed by Associates

Associates that manage IT resources on the UF network must be informed of UFIT security policies and sign an agreement to comply with them. UF and Level 2 Unit ISMs must maintain contact information for all Associates managing IT resources on networks for which they are responsible. Requests for exceptions to this policy must be submitted in writing by the Level 2 Unit ISM to Information Technology Advisory Committee – Information Security Management (ITAC-ISM). The UF ISM will respond to all requests for exceptions in writing. For procedures related to hosts managed by business associates, see the Network and Host Security Standard.
