Policy Number: 12-028

System Security Policy

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer


  1. Purpose Application of security controls to Information Systems is essential for preventing unauthorized use and maximizing system availability.

  2. Applicability This policy applies to all University of Florida Information Systems.

  3. Definitions

    Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

    University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.
  4. Policy Statement
    • All Information Systems must operate on software that is currently supported by the developer, vendor, or manufacturer with fixes for defects, flaws and security issues.
    • All Information Systems must be maintained with updates and patches to address security vulnerabilities and operationally significant defects.
    • All Information Systems must implement protections against malicious software.
    • All Information Systems must be configured to prevent unauthorized use and protect the storage, transmission and processing of University Data.
    • All Information Systems must be monitored for unauthorized use and action taken in accordance with the UF incident response policy.



SYSTEM SECURITY STANDARD

Purpose:

To specify controls required to secure Information Systems against unauthorized access and use.

Standard:

All Information Systems will:

  1. Run current versions of software that are supported by the vendor or developer with updates and patches as security vulnerabilities and flaws are discovered.
    1. Patches addressing security vulnerabilities should be installed as soon as operationally feasible, according to the following schedule:
      1. For vulnerabilities rated Critical, within 14 days after release by the vendor or developer
      2. Vulnerabilities listed in the CISA Known Exploited Vulnerabilities Catalog by the ‘Due Date’ listed in the catalog
      3. As otherwise directed by the UF Computer Security Incident Response Team
      4. Patches for all other vulnerabilities should be applied within 30 days after release by the vendor or developer. Situations in which security patches cannot be installed within 30 days shall be addressed in a security risk assessment.
    2. Where a system that cannot run a vendor-supported operating system is nonetheless essential, such as a computer controlling equipment for which the manufacturer no longer provides updates, refer to the Guidelines for Unsupported Operating Systems at the University of Florida.
  2. Verify a user’s authorization before allowing access.
  3. Display the following usage notification, or another as approved by General Counsel, prior to granting a user access:
    Welcome to the Gator Nation!!!
    You are accessing a University of Florida information system and agree to the terms and conditions of the UF Acceptable Use Policy.
    UF Shibboleth SSO displays this notification, so any web application that requires UF Shibboleth SSO authentication satisfies this requirement through it.
  4. Not provide feedback about login failures detailed enough to let an attacker deduce valid login credentials (for example, revealing whether the username or the password was the part that was wrong).
  5. Be protected against Denial of Service (DoS) attacks that render a system too busy to fulfill legitimate workloads.
  6. Employ mechanisms to protect against malicious software. These mechanisms must be updated frequently to address new threats.
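Item 4 above is easiest to see in code. The following is an added example, not code from the University of Florida or any UF system: a constructed in-memory user store with one hypothetical account, a non-compliant login routine that tells the caller whether the username or the password was wrong, and a compliant one that returns a single generic message and does the same password-hashing work for unknown users as for known ones, so that neither the message nor the response time reveals which accounts exist.

```python
import hashlib
import hmac

# Constructed user store for this example: username -> (salt, PBKDF2-SHA256 hash).
# "alice" is a hypothetical account, not a real UF user.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT_ALICE = b"0123456789abcdef"
USERS = {
    "alice": (_SALT_ALICE, _hash_password("correct horse battery staple", _SALT_ALICE)),
}

# Dummy credential used so that an unknown username still costs one PBKDF2 run,
# keeping the response time of "no such user" and "wrong password" the same.
_DUMMY_SALT = b"fedcba9876543210"
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password."


def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """Non-compliant: the message reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return (False, "No such user.")          # leaks account existence
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "Incorrect password.")    # confirms the username was valid
    return (True, "Login successful.")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Compliant: one failure message, and equal hashing work on every path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)   # always computed, known user or not
    # Compare in constant time; the membership test stops a guess of the dummy
    # password from "succeeding" for a username that does not exist.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (ok, "Login successful." if ok else GENERIC_FAILURE)


if __name__ == "__main__":
    for fn in (login_verbose, login_uniform):
        print(fn.__name__, fn("bob", "anything"), fn("alice", "wrong"))
```

In the verbose version an attacker can enumerate valid usernames from the message alone; in the uniform version the only signal on failure is the generic string, and the dummy hash removes the timing difference that would otherwise remain. Lockout or rate limiting on repeated failures is a separate control and is not shown here.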

Information Systems that Store, Process or Transmit Restricted Data will:

  1. Require re-authentication after a period of user inactivity. The period will vary depending on the risk of unauthorized physical access, but typically will not exceed 30 minutes.
  2. Protect the confidentiality and integrity of data transmission.
  3. Employ mechanisms to detect unauthorized changes to software and information.
  4. Employ encryption of data at rest or implement appropriate compensating controls.

References:

CISA Known Exploited Vulnerabilities Catalog

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Guidelines for Unsupported Operating Systems at The University of Florida

https://it.ufl.edu/media/itufledu/documents/policies/networking/guidance-doc-upsupported-os-at-uf.pdf


History

Revision Date Description
Aug 1, 2022 Policy originally adopted