Policy Statement

Application of security controls to Information Systems is essential for preventing unauthorized use and maximizing system availability.

Applicability

This policy applies to all University of Florida Information Systems.

Definition

Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

Policy Specifics

  1. All Information Systems must operate on software that is currently supported by the developer, vendor, or manufacturer with fixes for defects, flaws and security issues.
  2. All Information Systems must be maintained with updates and patches to address security vulnerabilities and operationally significant defects.
  3. All Information Systems must implement protections against malicious software.
  4. All Information Systems must be configured to prevent unauthorized use and protect the storage, transmission and processing of University Data.
  5. All Information Systems must be monitored for unauthorized use and action taken in accordance with the UF incident response policy.

Review and Adjudication

  1. Anyone maintaining and managing Information Systems is responsible for software currency, implementing secure configurations, and monitoring for unauthorized use.
  2. Information Security Administrators are responsible for unit allocation of resources as needed to maintain system security.
  3. Information Security Managers are responsible for oversight of system security.

Policy Violations

Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated.

History

Revision DateDescription
  Policy originally adopted
  Policy updated