IT Security Policy

Chuck Frazier, Vice Provost for Information Technology

I write to announce UF’s new IT Security Policy and IT Security Procedures. They are effective as issued today. These policies and procedures were developed in the IT Advisory Committee structure and are intended to address security needs and goals for the university. The policies take into account comments from a recent Computer Network Security Audit. A weakness noted in that audit was the lack of a set of formal university wide expectations for personnel who maintain and manage our IT resources. The policies, procedures and other supporting documents can be found on the Web at http://www.it.ufl.edu/policies/security/.

Of particular importance is the formal designation of Ron Schoenau, Director of NERDC, as University Information Security Manager (UF ISM). The new policies require units to designate a Unit Information Security Manager (Unit ISM) who will be responsible for maintaining specific internal IT resource documentation, security policies and procedures, and business resumption plans. These unit responses have due dates spaced over the next 12 months and should be submitted to Ron Schoenau.

Unit ISMs must be designated and made known to the UF ISM as soon as possible, and no later than June 1, 2002. Unit resource documentation, policies and procedures must be completed no later than December 1, 2002 and business resumption plans must be completed by March 1, 2003. Units with critical functions to the UF mission should be in full compliance by June 1, if they are not already compliant. Documentation designed to assist units will include a Unit Policy Template, a Unit Documentation Template, and a Unit Business Resumption Plan Template.

Security Guidelines for Managing IT Resources are also designed to help protect critical information resources that are fundamental to both unit and university level missions.

Workshops will be announced to help units prepare internal policies and procedures. Training programs such as the Information Technology Security Awareness Day (ITSA Day, http://www.itsa.ufl.edu/) will continue to be offered. Beginning in May, IT Orientation will be offered to explain security responsibility to all UF faculty, staff and students as they enter the UF system. Other training opportunities include Peer Training, security Web seminars, and professional on-site security training. Also, Ron Schoenau and Kathy Bergsma, IT Security Coordinator, are available to help units address security issues.

Security is an ongoing and rapidly changing issue for any organization dependent on information resources, perhaps none more so than universities.

With this in mind, I expect this policy document to continue to evolve and I look forward to working with all units to provide the highest level of security. When all is said and done, security must be a primary goal and obligation for all of us.