Florida State University

OP-H-9   INFORMATION TECHNOLOGY SECURITY

SPECIFIC AUTHORITY
Chapter 282.318, Florida Statutes - Security of Data and Information Technology Resources
Policy No. OP-F-6 Destruction/Shredding of Confidential Records
Policy No. OP-H-6 Use of University Information Technology Resources

OBJECTIVE
This Policy is intended to: assure that information technology systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; and protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification.

OVERVIEW
Appropriate business use of information technology (IT) resources includes instruction, research, and the official work of the offices, departments, recognized student and campus organizations, and other agencies of the University. Computer accounts are provided to faculty, staff, and students as a privilege associated with membership in the University community. When an individual accepts this privilege, a number of responsibilities must be assumed, including knowledge of appropriate University policies and procedures.

This and all policies and procedures associated with FSU IT resources are not intended to abridge academic freedom, constitutional guarantees of free speech, or freedom of expression. The use of IT resources is available to all members of the University community. While the rights of academic freedom and intellectual creativity are recognized, the interests of the University, students, faculty, and staff must be protected. In addition to consideration of legal liability issues, the institutional image and reputation of FSU as a major research institution are valuable assets requiring protection.

A. SCOPE OF THIS POLICY
This policy applies to all University personnel who administer, manage, maintain, or use university IT resources, their supervisors, and their unit administrators. It applies to all locations of those resources, whether on campus or from remote locations.

B. FLORIDA STATE UNIVERSITY INFORMATION SECURITY MANAGER (ISM)
The FSU Information Security Manager or designee is directly responsible for managing campus-wide information technology security matters and implementation of the Information Technology Security Plan (ITSP), collaborating with the Office of Inspector General to develop and conduct a recurring risk analysis, establishing a Computer Security Incident Response Team for the University, maintaining Unit IT/ISM contact information, working with Unit IT/ISMs to help reduce or eliminate identified and potential risks to University information technology resources, maintaining a campus-wide information technology security web site (www.security.fsu.edu), as well as oversight and management of information technology security awareness and training.

C. CAMPUS UNIT INFORMATION TECHNOLOGY/INFORMATION SECURITY MANAGER (IT/ISM)
Each campus unit must designate an information technology security manager. Unit ISMs must be designated at the Division, College, School, Department, and Institute level. (Note: In most cases, the Unit IT representative will assume this as an additional responsibility.) ISMs must also be designated at the campus network (Academic Computing and Network Services) and application levels (Administrative Information Systems) within the Office of Technology Integration. Network, application, and campus unit information security managers will be responsible for coordinating security efforts within their respective campus organizational units. The campus unit IT/ISM will be responsible for helping to ensure the unit's compliance with all information technology use and security-related policies. The Unit IT/ISM must subscribe to Nolenet.

D. SENSITIVE/CONFIDENTIAL ASSETS
All campus units must identify and document all FSU information technology assets to be protected. Campus units must also adhere to FSU Policy No. OP-F-6 Destruction/Shredding of confidential documents and records. See http://www.vpfa.fsu.edu/policies/bmanual/shredding.html

E. NETWORK SECURITY
In cases where stateful packet inspection is used, network firewalls must be documented and coordinated with Academic Computing Network Services. Campus unit IT/ISMs will coordinate the establishment of all external network connections for their unit with Academic Computing Network Services. As every external network connection is potentially an entry point for intruders, campus unit IT/ISMs must document all external network connections in their unit, including modems.

F. APPLICATION/DATA SECURITY
Campus units must establish or adhere to the policies and procedures established in the Data Management and Computer Security Business Manual at http://www.ais.fsu.edu/dm_sc.html and the University Data Management and Security System as shown at http://www.ais.fsu.edu/logins.html.

G. PHYSICAL SECURITY
Campus Units are responsible for the protection of all critical, confidential/sensitive information technology resources located within their units. Campus unit IT/ISMs must establish and document physical security measures for the protection of all critical, confidential/sensitive information technology resources.

H. AWARENESS AND TRAINING
The FSU ISM is responsible for establishing and managing a campus-wide security awareness training program. Campus unit IT/ISMs must ensure that all users within their units are aware of this policy and related use policies. Newly assigned employees are encouraged to attend the Personal Security Computing course provided by User Services, Office of Technology Integration.

I. COMPUTER AND PHYSICAL SECURITY INCIDENT RESPONSE
Unit IT/ISMs must immediately notify the FSU ISM of security incidents within their units, in particular those that may be threatening to other IT resources (e.g., hacking of a mail or web server). Unit IT/ISMs should notify the Campus Police Department of security incidents involving threats to human beings or property, or child pornography. External law enforcement entities (FBI, FDLE, and other federal, state, and local law enforcement entities) must be referred to the Campus Police Department, which will serve as liaison during all information technology security investigations (e.g., use of computing resources to commit credit card fraud). The Office of General Counsel and the Campus Police Department must be notified when a subpoena is issued pursuant to any investigation related to information technology, and the Office of Inspector General must be notified of incidents involving copyright and intellectual property violations.

J. COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)
The Computer Security Incident Response Team is directly responsible for providing information and assistance to members of the University community in implementing proactive measures to reduce the risks of computer security incidents as well as responding to such incidents when they occur.

The CSIRT is authorized to address all types of computer security incidents that occur or threaten to occur at FSU. The level of support given by CSIRT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the CSIRT's resources at the time. In all cases some response will be made within one working day.

K. RISK ANALYSIS
The FSU ISM, in joint coordination with the Office of Inspector General, will conduct a comprehensive risk analysis of University IT resources on a recurring basis. Campus units must conduct a risk analysis for all of their IT resources on an annual basis.

L. BUSINESS CONTINUITY PLAN
As a means to help provide for the continuity of business operations and recovery from disasters, campus units must develop and maintain a written business continuity plan that provides information on recurring backup procedures and on recovery procedures for both natural and man-made disasters.

M. ANTI-VIRUS AND SOFTWARE VULNERABILITY PROTECTION
At all levels, it is the responsibility of designated IT staff to ensure that anti-virus software and vulnerability patches are installed for all IT software programs and operating systems attached to the campus or unit network.

N. SECURITY AND PRIVACY
The University can employ various measures to protect the security of its computing resources and its users' accounts. While the University does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the University's computing resources require the backup and storing of data and communications, the logging of activity, the monitoring of general usage patterns and other such activities.

O. COMPLIANCE
Users of University computing resources must comply with all University, Federal and State laws. All IT security measures must comply with federal and state laws, university rules and policies, and the terms of applicable contracts and grants, including software licenses. Examples of applicable laws, rules and policies include the Family Educational Rights and Privacy Act (FERPA), Digital Millennium Copyright Act, Florida Computer Crimes Act, as well as related State of Florida computer-related crime laws, which prohibit "hacking," "cracking" and similar activities.

P. EXCEPTIONS
Unit IT/ISMs must submit requests for exception to this policy in writing to the Security and Ethics Subcommittee for review. The FSU ISM will be responsible for responding in writing to exception requests.

Q. REVIEW AND UPDATE
This policy will be reviewed and updated by the Security and Ethics Subcommittee on an annual basis, or as special events or circumstances dictate.

R. POLICY REFERENCES
Policy No. OP-H-6 Use of University Information Technology Resources
Policy No. OP-F-2 Preparation and Issuance of Policies and Procedures
Copyright Policy
FSU's Internet Privacy Policy