Information Technology Security Policy
Unit IT Security Policy Template
University of Florida Units are required to maintain a written IT Security Policy. This document is intended to help simplify the development of a Unit IT Security Policy. Since the policy contains sensitive information about your network, it should not be advertised but it must be made available to the UF ISM upon request.
Include the unit name in the policy title. Identify the network managers, the unit administrator and list their contact information.
The following considerations must be addressed by each Unit IT Security Policy.
- Physical Security - The unit policy must establish policies for protecting physical IT resources, taking into account the value of the resource. Measures considered should include, but are not limited to, locating IT Resources in locked rooms or cabinets with controlled access. Methods of controlling access to such rooms include, but are not limited to, key locks, combination locks, biometric authentication, and various combinations of such methods. Proper environmental controls, redundancy, and power backup for IT Resources should be specified in the unit policy. Types of IT resources for which policy should be specified include:
  - student data
  - health data
  - confidential or sensitive data
  - authentication records and other logs
  - servers - web, email, DNS, etc.
  - routers, switches, and other network devices
  - IP telephony
  - video
  - wireless
- Authentication, Authorization and Auditability: The Unit IT Security Policy must specify user access controls. For each resource, policies must be established that identify for whom accounts can be created and their level of authorization. Methods of authentication for specific resources must be specified in the unit policy. The unit policy must specify under what circumstances access is revoked when the user is no longer eligible for access to specific resources, either through change of job function, termination of employment, or other change of status. The unit policy must specify how authentication records are maintained. It is recommended that each unit policy specify methods by which users will be presented with a basic policy warning, e.g. a login banner referring the user to the UF Acceptable Use Policy; a printed warning posted at each computer in a student lab; or other similar measures.
- Host and Network Security: The Unit IT Security Policy must specify methods for protecting against network attacks. Methods may include, but are not limited to, access control lists, private IP (see UFRFC10.html), encryption, host or network firewalls, and host or network intrusion detection systems. The security of all external network connections must be addressed in the Unit IT Security Policy.
- User Training: Each Unit IT Security Policy must ensure that all users of UF IT resources receive training in basic IT security concepts appropriate to their level of responsibility and the nature of the resources to which they will have access.
