ÀÏ°ÄÃÅ×ÊÁÏ

The purpose of this Policy is to:

1. Establish standards regarding the use and safeguarding of ÀÏ°ÄÃÅ×ÊÁÏ Information Resources;
2. Protect the privacy of individuals by preserving the confidentiality of Personally Identifiable Information entrusted to ÀÏ°ÄÃÅ×ÊÁÏ;
3. Ensure compliance with applicable Policies, State and Federal laws and regulations regarding management of risks to and the security of Information Resources;
4. Appropriately reduce the collection, use, or disclosure of social security numbers contained in any medium, including paper records;
5. Establish accountability;
6. Educate individuals regarding their responsibilities associated with use and management of ÀÏ°ÄÃÅ×ÊÁÏ Information Resources;
7. Serve as the foundation for ÀÏ°ÄÃÅ×ÊÁÏ's Information Security Program, providing the authority to implement Policies, Standards, and Procedures necessary to implement an effective Information Security Program in compliance with this Policy.

Policy Statement

Information Resources residing at ÀÏ°ÄÃÅ×ÊÁÏ are strategic and vital assets. Access to these resources shall be appropriately managed. It is the policy of ÀÏ°ÄÃÅ×ÊÁÏ:

• To protect Information Resources based on risk against accidental or unauthorized access, disclosure, modification, or destruction and assure the availability, confidentiality, and integrity of these resources;
• Apply appropriate physical and technical safeguards without creating unjustified obstacles to conducting business and achieving the missions of the University; and
• Comply with applicable state and federal laws and SUS rules governing information resources.

Applicability

This Policy applies to:

1. All institutions and organizational units within ÀÏ°ÄÃÅ×ÊÁÏ;
2. All Information Resources owned, leased, operated, or under the custodial care of any ÀÏ°ÄÃÅ×ÊÁÏ organization or entity;
3. All Information Resources owned, leased, operated, or under the custodial care of third-parties operated on behalf of any ÀÏ°ÄÃÅ×ÊÁÏ organization or facility;
4. All individuals accessing, using, holding, or managing University Information Resources.

Compliance with State Law

Information that is collected pursuant or related to the ÀÏ°ÄÃÅ×ÊÁÏ Information Security Program is protected by Florida State Statute §119.071 and is therefore confidential by law. Accordingly, any University organization may not withhold information or fail to include information required by this Policy and/or Security Standards to be provided to or included in the ÀÏ°ÄÃÅ×ÊÁÏ Information Security Program or for administration of program oversight.

Information Security Standards

All ÀÏ°ÄÃÅ×ÊÁÏ organizations shall implement and abide by the following Standards:

• Standard 1 - Information Resource Security Responsibilities and Accountability
• Standard 2 - Acceptable Use of Information Resources
• Standard 3 - Information Security Program
• Standard 4 - Access Management
• Standard 5 - Privileged Accounts
• Standard 6 - Backup and Disaster Recovery
• Standard 7 - Change Management
• Standard 8 - Malware Prevention
• Standard 9 - Data Classification
• Standard 10 - Risk Management
• Standard 11 - Safeguarding Data
• Standard 12 - Security Incident Management
• Standard 13 - Use and Protection of Social Security Numbers
• Standard 14 - Information Systems Expectation of Privacy
• Standard 15 - Passwords
• Standard 16 - Data Center Security
• Standard 17 - Cybersecurity Program Monitoring
• Standard 18 - Cybersecurity Training
• Standard 19 - Server and Device Configuration and Management
• Standard 20 - Vendor and Third-Party Controls
• Standard 21 - Clean Desk Policy
• Standard 22 - Security Exceptions
• Standard 23 - Credit Card Acceptance

Definitions

IT Security Standards Definitions

Supplemental ÀÏ°ÄÃÅ×ÊÁÏ policies, standards, guidelines, procedures, and forms

General Hardening Standards

See ITS Policies and Standards for more information.

Who should know

All individuals accessing, managing, or possessing ÀÏ°ÄÃÅ×ÊÁÏ Information Resources including staff, faculty, and students, as well as Vendors and contractors providing services on behalf of ÀÏ°ÄÃÅ×ÊÁÏ and other third-party contractors.

Questions or comments

Questions or comments about this policy should be directed to: itsecurity@unf.edu