4-OP-H-20 Information Technology Security and Information Assurance Policy

Responsible Executive: Finance and Administration

Approving Official: Vice President for Finance and Administration

Effective Date: March 1, 2024

Revision History: No revisions at this time.


  1. INTRODUCTION
    1. PURPOSE

      This policy establishes security and privacy requirements necessary to protect the confidentiality, integrity, and availability of Florida State University’s Information Technology (IT) assets. Protection of information, resources and services is critical to fulfilling the educational mission of Florida State University (FSU).  The policy and its supporting supplemental standards establish minimum controls intended to protect IT assets from unauthorized access, loss, alteration, damage, and other threats or attacks that could cause harm to FSU or to members of its community.

    2. SCOPE

      This policy applies to all users and their use of FSU IT resources and services, whether accessed by FSU-owned or personal devices.  IT resources and services include all hardware and software that access or store FSU data, conduct FSU business, or interact with internal networks and business systems.

      Individual university units or organizations may define additional conditions, restrictions, or guidelines for their communities that are consistent with FSU IT policies and standards.

    3. DEFINITIONS

      Consolidated University Unit (CUU) - a consolidated group of university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.  

      IT Assets – technology resources including, but not limited to, computers, networks, servers, applications, databases, software, and operating systems owned by, managed by or sponsored by IT Asset Custodians.

      Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.

      Institutional Data – any data that is owned, licensed by, or under the direct control of the university, whether stored locally or with a cloud provider.

      Third-Party Vendor – a company or entity with whom FSU has a written agreement to provide a product or service.

      IT Glossary

    4. ROLES AND RESPONSIBILITIES
      1. It is the responsibility of authorized users to comply with this policy. The University Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) are responsible for implementing this policy and ensuring the operation of the University’s IT resources is consistent with laws and other university policies.
      2. For more information, see IT Roles and Responsibilities.

  2. POLICY

    This policy establishes institution-wide IT strategies and responsibilities for protecting the confidentiality, integrity, and availability of data and IT assets. With this policy and corresponding standards, the university will:

    • Establish and maintain a unified risk-based security and information assurance program based on the NIST Framework for Improving Critical Infrastructure Cybersecurity;
    • Establish and maintain university-wide security policies, standards, and guidelines which provide boundaries within which individuals and units will operate;
    • Protect institutional data, systems, resources, and services against unauthorized access and other threats or attacks that could potentially result in financial, legal, or reputational harm to the university, members of the university community, or third parties to which the university owes a reasonable duty of care;
    • Educate faculty, staff, students, and units on the need for appropriate cybersecurity and protecting themselves against breach of their systems and unauthorized access to their personal information;
    • Establish an exception process for individuals and units with unique needs;
    • Support compliance with applicable federal, state, or local laws or regulations; university policies, standards, guidelines, contracts; and agreements that obligate the university to implement security safeguards;
    • Ensure FSU’s core mission is not impeded while (i) ensuring the confidentiality, integrity, and availability of university information assets and (ii) reducing and better managing cybersecurity risks.

    For use and access to be acceptable, users must protect the security and integrity of computing and IT resources through their compliance with the 4-OP-H-21 Acceptable Use of Technology Policy.  Users must understand and comply with all FSU IT security policies, standards, guidelines, practices, and procedures.  Users must exercise caution to protect and secure FSU data, devices, and portable storage media that are used on the FSU network or to store university data.

    1. ROLES AND RESPONSIBILITIES

      Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
      The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU.  The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.  

      Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
      The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a Consolidated University Unit (CUU).  The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.

      CUU Information Security Manager (ISM)
      The liaison designated by the CUU DDDH is responsible for coordinating the CUU’s information security program. The CUU Information Security Manager is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.

      CUU Privacy Coordinator 
      The liaison designated by the CUU DDDH responsible for coordinating the CUU’s privacy program. The CUU Privacy Coordinator is the central point of contact between the University Units and ISPO for privacy issues.

      University Unit DDDH
      The DDDH or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a University Unit.  The University Unit DDDH has management authority and responsibility for IT security and privacy for the unit, in coordination with their designated CUU’s information security program. Responsibilities of the University Unit DDDH are the same as the CUU DDDH but apply to the University Unit.

      University Unit ISM 
      The liaison designated by a University Unit DDDH responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program. Responsibilities of the University Unit ISM are the same as the CUU ISM but apply to the University Unit.

      University Unit Privacy Coordinator 
      The liaison designated by a University Unit DDDH responsible for ensuring a University Unit’s compliance with privacy IT policies, standards, and guidelines, in coordination with their designated CUU’s information privacy program.  Responsibilities of the University Unit Privacy Coordinator are the same as the CUU Privacy Coordinator but apply to the University Unit.

      Data Custodian
      The DDDH who is ultimately responsible for the integrity, accurate reporting, and use of university data resources based on classification level identified by the 4-OP-H-25.01 Data Security Standard.

      Data Manager
      The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.

      For more information, see IT Roles and Responsibilities.
    2. University Unit and CUU Responsibilities

      Each University Unit and CUU bears the responsibility to (i) identify, inventory, and classify the unit’s information based on the 4-OP-H-25.01 Data Security Standard and (ii) ensure the following standards are followed for information classified as High Risk or Moderate Risk:

      Each CUU DDDH shall designate a CUU ISM, CUU Privacy Coordinator, Data Custodians, and Data Managers who will manage the CUU’s security and information assurance programs.  Each University Unit DDDH shall designate a University Unit ISM, University Unit Privacy Coordinator, Data Custodians and Data Managers who will manage the University Unit’s security and information assurance programs.  Functions of the program will include the following:

      1. Maintain the information identification and classification documentation of High Risk and Moderate Risk information assets.

      2. Assess the unit’s electronic and physical controls for information classified as High Risk or Moderate Risk to ensure they meet legislated or contracted requirements.

      3. Ensure unit staff are trained on this policy, and any specific legislated or contracted privacy requirements.

      4. Ensure unit staff members who handle High Risk or Moderate Risk information sign an FSU Employee Confidentiality Statement.

      5. Work with legal resources to ensure contracts or agreements contain terms to stipulate adherence to FSU policy, legislation, or contractual safeguarding provisions when High Risk or Moderate Risk information is processed, transmitted, or stored by a third-party vendor.

      6. Maintain the unit’s information security program according to the policy, standards and guidelines promulgated by the ISPO.

      7. Immediately report suspected or confirmed security and privacy incidents to the CISO.
    3. CLASSIFICATION OF INFORMATION

      FSU classifies all institutional information according to risk: High Risk, Moderate Risk, and Low Risk.  FSU’s Information Classification responsibilities and requirements are defined in the 4-OP-H-25.01 Data Security Standard.

      CUU and University Unit Privacy Coordinators and Data Custodians (or their delegated Data Managers) are responsible for managing the classification and protection of FSU information.  Information Classification is the basis for many of the requirements established for security and privacy in FSU policies, standards, procedures, and guidelines to provide risk-based protection of information and systems. The classification of information determines the baseline security protections and controls that are appropriate and required to protect the confidentiality, integrity, and availability of data.  Each unit must classify and implement appropriate controls for all institutional information accessed, collected, stored, transmitted, or processed.
    4. ADHERENCE TO IT SECURITY AND PRIVACY STANDARDS

      All CUUs, University Units, departments, and users are required to comply with all applicable IT policies and standards in their use of FSU’s IT resources. Compliance with standards is mandatory and is enforced in the same manner as the policies they support:

      • 4-OP-H-25.02 Information Privacy Standard
        This standard establishes a university-wide privacy program that respects and protects the privacy of its students, alumni, faculty and staff, and safeguards information resources from loss, misuse, and unauthorized access or modification. Data must be safeguarded to maintain privacy levels based on Data Classification.
      • 4-OP-H-25.03 IT Security Configuration Management Standard
        This standard establishes requirements for implementing and maintaining secure configurations for IT Assets in order to minimize operational malfunctions, intrusions by external threats, exploitation of vulnerabilities, unauthorized data disclosures and performance problems.
      • 4-OP-H-25.04 IT Network Security Standard
        The purpose of this standard is to monitor and protect the university’s IT networks and its associated systems, services, and applications from abuse, attacks, and inappropriate use.
      • 4-OP-H-25.05 Bring Your Own Device Standard
        This standard establishes requirements for the use of personally owned devices that connect to FSU technology resources and/or data, conduct FSU business, or interact with internal networks and business systems.  Devices include, but are not limited to, smartphones, tablets, laptops, and notebooks.
      • 4-OP-H-25.06 IT Security and Privacy Training Standard
        This standard identifies baseline IT training requirements for all users, based on users’ roles, responsibilities and their access to FSU data and IT resources. 
      • 4-OP-H-25.07 IT Access, Authorization and Authentication Standard
        This standard defines Identity Management and Access Controls that protect IT resources from unauthorized use. This standard applies to processes and procedures implemented to protect data and access to devices, systems, services, and applications, including accounts with privileged access, whether provisioned locally or at the enterprise-level.
      • 4-OP-H-25.08 IT Physical Security Standard
        This standard defines the requirements for protecting all campus facilities that maintain university information resources from physical and environmental threats in order to reduce the risk of loss, theft, damage, interruption, or unauthorized access to those resources.
      • 4-OP-H-25.09 IT Vulnerability Management Standard
        This standard establishes a framework for identifying, assessing, and remediating IT vulnerabilities on devices connected to FSU networks and the requirements for compliance.  Vulnerabilities within networks, software applications, and operating systems, often as a result of server or software misconfigurations, improper file settings, or outdated software versions, are a significant threat to the network and other IT resources.
      • 4-OP-H-25.10 IT Log Collection, Analysis and Retention Standard
        System and application log data is a critical component in detecting, analyzing, preventing, and responding to potential information security incidents including unauthorized data disclosures and activities related to FSU systems.  Log data must be generated, stored, and analyzed to ensure the security and privacy of information.  
      • 4-OP-H-25.12 IT Disaster Recovery Planning Standard
        This standard defines the requirements for IT Disaster Recovery planning to facilitate the timely recovery and restoration of FSU’s IT systems that support access to critical business functions and data.
      • 4-OP-H-25.13 IT Third-Party Vendor Management Standard
        This standard defines the requirements necessary to ensure that contracts and agreements with third parties involving IT resources, cloud, or other outsourced services guarantee compliance with FSU security policies and standards.
      • 4-OP-H-25.14 Encryption Standard
        This standard defines requirements for the use of encryption technologies to protect FSU data and resources. Encryption is the process of encoding messages or information in order to protect data or communication and can be applied to data that is stored (at rest) or transmitted (in transit) over networks.  
      • 4-OP-H-25.15 IT Data Disposal and Media Sanitization Standard
        This standard defines the requirements for proper disposal of electronic data and media.  If not properly purged from storage media, data could be reconstructed or retrieved. Storage media must be appropriately sanitized to prevent unauthorized access to, or disclosure of, institutional information.
      • 4-OP-H-25.16 IT Application Secure Coding Standard
        This standard ensures that IT applications developed or administered by FSU reflect secure coding practices that reduce the likelihood of unauthorized disclosure or theft of sensitive institutional information and ensure the ongoing availability of critical university resources.  
      • 4-OP-H-25.17 IT Enterprise Integration Security Standard
        This standard provides requirements for integration with IT enterprise systems that will minimize the vulnerability of enterprise systems to external attacks, unauthorized disclosure of sensitive information and unauthorized access to administrative interfaces or system configurations.
      • 4-OP-H-25.18 Risk Management Standard
        This standard establishes requirements for risk management through security assessment and planning.  Risk assessments and associated risk mitigation are required by regulations with which the university must comply, including, but not limited to, Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS).  
      • 4-OP-H-25.19 Defining Consolidated University Units Standard
        This standard identifies an IT security and privacy organizational structure and establishes roles and responsibilities to facilitate more effective university-wide IT risk management across hundreds of FSU units.

    5. INCIDENT REPORTING

      It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu.  The CUU ISM, University Unit ISM, or Inspector General must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.

      Refer to the 4-OP-H-30 Health Insurance Portability and Accountability Act (HIPAA) Policy if a HIPAA security incident or breach is suspected or confirmed.

    6. POLICY VIOLATIONS

      Failure to comply with the requirements of this policy and supplemental policies and standards may result in reduced or revoked access to network and other IT resources.

      Users who violate this policy may be subject to other penalties and disciplinary action, both within and outside the university. Disciplinary action is governed under the university's standards for disciplinary action for violation of provisions of University policy.

      Unauthorized or fraudulent use of university computing resources may result in criminal prosecution.

    7. EXCEPTIONS TO POLICY AND STANDARDS

      Exceptions for any provision of this policy or supplemental IT Standards must be approved in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.

      Any questions regarding the requirements of this Policy or supplemental IT standards should be referred to ISPO at 850-644-HELP or via the contact information at https://its.fsu.edu/.

    8. RELATED POLICIES, STANDARDS AND DOCUMENTS

      Security and Privacy Standards
      4-OP-H-21 Acceptable Use of Technology Policy

    9. REFERENCES

      FSU Employee Confidentiality Statement
      NIST Risk Management Framework
      NIST 800-53 Rev. 4, High Impact Controls 
      Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov)
      NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0
  3. LEGAL SUPPORT, JUSTIFICATION, AND REVIEW OF THIS POLICY

    SPECIFIC AUTHORITY

    1. Chapter 119, Florida Statutes - Public Records
    2. BOG Regulation 3.0075 - Security of Data Related Information Technology Resources
    3. Chapter 501.171, Florida Statutes – Security of Confidential Personal Information, Florida Information Protection Act 2014 (FIPA)
    4. Family Educational Rights and Privacy Act (FERPA)
    5. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    6. Payment Card Industry Data Security Standard (PCI DSS) 
    7. Federal Information Security Modernization Act (FISMA)
    8. Chapter 282.318, Florida Statutes - Information Technology Security Act
    9. Florida Information Protection Act (FIPA) - Security of Confidential Personal Information
    10. Gramm-Leach-Bliley Act (GLBA)
    11. The Federal Trade Commission (FTC) Rule on "Standards for Safeguarding Customer Information"