Employee Guide to Information Security

Protecting UF Is Our Shared Responsibility

View the printable version of this page: Employee Guide to Information Security (Printable)

Integrated Risk Management

Information Security Begins with You!

Cybersecurity is a shared responsibility, with each of us serving a crucial role in protecting the university from malicious cyber activity.

UF’s Integrated Risk Management (IRM) program was created to support the university’s mission of teaching, research and service by providing UF faculty and staff with a single point of contact for digital business tools and solutions.

The IRM assessment process provides a structured evaluation of cybersecurity risks for software, hardware and cloud services. The IRM process focuses on essential security and privacy protections for your data to help keep you in compliance with the rapidly changing legal and regulatory world.

IRM Frequently Asked Questions

How is the IRM process different from the Institutional Review Board (IRB) review?

The IRB is charged with protecting the rights and welfare of participants in clinical trials and research studies. The IRB relies on the IRM process to assess cybersecurity risk associated with research studies, particularly the security and privacy of participants’ private data.

When should I start the IRM process?

You should start the IRM process as soon as possible to ensure there is adequate time for the IRM assessment before you need to make a purchase or start work. It’s a good idea to consult with your Information Security Manager (ISM) while developing your project or proposal so they can help you find UF-provided or pre-assessed tools or select options that meet UF security policies and standards.

Do I need to complete an IRM assessment before I can purchase technology products and services?

If you are purchasing additional technology related to an existing IRM assessment, you can reference that as part of a purchase. Otherwise, you will need to submit an IRM Request, and your ISM will need to complete their steps prior to submitting the purchase requisition.

Information Security Manager

Your college or department has an ISM who is your connection to UF’s IRM program. You can reach your ISM for assistance in finding UF-provided software, technologies and services. Your ISM will also submit IRM risk assessments on your behalf if needed. Contact your local IT support or look up your ISM with the Find Your Information Security Leadership tool.

Fast Path and Data Guide

Fast Path Solutions

Fast Path Solutions (FPS) is a comprehensive list of pre-assessed software and computing environments, designed to create a secure and efficient digital landscape for UF faculty and staff. The FPS list allows you to use any of the more than 600 current listings without additional review and with considerations for data classifications.

Not all data classifications are equal, so it is important to use the UF Data Guide to appropriately classify data before using any software.

Certain activities require additional review for FPS products; including:

Sharing sensitive or restricted data outside of the university
Receiving data from an external source
Using the product as part of an IRB-approved study

Restricted Data Solutions

When working with restricted data, you need to take extra caution to be sure the data is protected appropriately. UF has pre-assessed a number of tools and services for use with different types of restricted data.

When using FPS, you can filter to solutions pre-assessed for restricted data, so you can work more efficiently.

UF's Data Classification Guide

Open Data

Data that does not fall into any of the other information classifications. This data may be made generally available without specific information owner’s designee or delegate approval.

Examples include, but are not limited to:

Public websites
UF Directory information
Course catalogs
Published research

Sensitive Data

Data whose loss or unauthorized disclosure would impair the functions of the university, cause significant financial or reputational loss or lead to likely legal liability.

Examples include, but are not limited to:

Unpublished research data
Employee records
Animal research protocols

Restricted Data

Data in any format collected, developed, maintained or managed by or on behalf of the university, or within the scope of university activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts.

Examples include, but are not limited to:

Student records
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Export Controlled data and Examination Information

Incident Response

Report Suspected Information Security Incidents

If you suspect an information security incident has occurred, even if you had no part in its cause, report it immediately to your unit’s Information Security Manager, the UFIT Help Desk or to ufirt@ufl.edu. Signs that could indicate an information security incident include:

Your GatorLink password no longer works, and you did not institute a change. This could mean someone changed it without your knowledge, a possible result of a phishing incident.
Your files are suddenly deleted or corrupted, or new files unexpectedly appear.

Report Phishing

It’s a fact: The number one reason for compromised accounts at UF is when faculty, staff or a student opens and responds to a phishing email.

Phishing is when someone tries, via email, text or phone, to get your personal information by pretending to be a trustworthy company, government entity, person or a UF department.

If you receive a suspicious email in your GatorMail inbox, you can report it directly to UFIT by clicking the Phish Alert button or forwarding the message to abuse@ufl.edu. Remember: No one from UF will ever ask you for your GatorLink password. If you are in doubt about an email or a phone call you receive at work, check with the UFIT Help Desk (352-392-4357/HELP, helpdesk@ufl.edu).

Learn More

AI and Deepfake Technologies

Deepfake scams are a type of social engineering that uses AI technology to impersonate the voice, appearance or likeness of a person. The advancement of deepfake technologies mean that deepfakes are more convincing than ever.

Faculty and staff with access to university funds, unpublished research and strategically important data must be vigilant for deepfake phishing attempts.

As deepfake technologies improve, it is becoming increasingly difficult to spot telltale imperfections in deepfake media. However, there are two strategies for identifying these scams that can help protect you:

Stay vigilant for any unexpected communications which indicate urgency or seem too good to be true. Cybercriminals prey on generating an emotional response from a potential victim to make them quickly act in ways they might not otherwise.
Do not panic. If you receive any suspicious requests via phone or Zoom, the best course of action is to hang up and call the person you think you saw at their contact in the UF Directory.

Protecting UF: Information Security Awareness Training

Taking UF’s custom-developed information security awareness course is your first step towards preparing to defend yourself and UF against cyber threats. The training introduces UF resources to help you do your work securely and efficiently.

Protecting UF supports a security-conscious environment by educating our community about common cybersecurity risks, university data regulations and strategies to protect your information. All UF employees are required to take this training. The annual reminder date is determined based on your completion, so look for an email reminder or visit myTraining through this link. Alternatively, search for ‘ITT102’ in myTraining.