Policy Statement

To provide accurate and comprehensive audit logs in order to detect and react to inappropriate access to, or use of, information systems or data.


This policy applies to all Information Systems that store, process or transmit University Data.


Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

Policy Specifics

  1. Access to Information Systems and data, as well as significant system events, must be logged by the Information System.
  2. Information System audit logs must be protected from unauthorized access or modification.
  3. Information System audit logs must be retained for an appropriate period of time, based on the Document Retention Schedule and business requirements. Audit logs that have exceeded this retention period should be destroyed according to UF document destruction policy.

Review and Adjudication

  1. Information System Administrators (ISAs) are responsible for developing and implementing procedures for the reporting and handling of inappropriate or unusual activity.
  2. Information System Managers (ISMs) are responsible for monitoring and reviewing audit logs to identify and respond to inappropriate or unusual activity.

Policy Violations

Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated.


Revision DateDescription
March 7, 2017 Policy originally adopted
  Policy updated