University’s Policy Regarding Access to the UF Network for Projects Involving Export Controlled Data and/or Software: UF Network Access Approval Process and Form
Dr. Winfred M. Phillips, Vice President for Research
This memorandum updates the University of Florida’s policies on compliance with U.S. export control laws and regulations as issued under the May 19, 2008 DDD. Specifically, the existing policy prohibiting network connections is confirmed, but an exception process allows those working with export controlled information and software who obtain approval and comply with special security controls to access the UF Network via an Export Control Network Computer (hereinafter referred as ECNC).
Under the May 19, 2008 DDD, the section addressing Computer Security and Export Controls specifically stated:
Pay Attention To Computer Security and Export Controls.
One area that has caused unintended compliance problems is computer security. If you receive export-controlled information, you are responsible for having a DSR-approved security plan in place to safeguard the information from unauthorized access. Export controlled information should never be stored on a computer that is connected to the University intranet or to the Internet. Only individuals who are permitted access to the controlled information in compliance with applicable controls should be able to access the computer. A plan should be in place to secure the computer and to address what happens if the computer fails and the information must be transferred to another computer. It is critical that, even in an emergency, the information is safeguarded.
The above is still the general rule, however; under this new UF Network Access Approval Process DDD dated September 13, 2010, the University will allow connection to the UF Network by ECNC. Prior approval will be required from the Department Chair (or College Dean in circumstances where the PI is also the Chair) and the Director of Sponsored Research and Compliance.
In order to obtain approval to access the UF Network, the PI must complete the UF Network Access Approval Form (Attachment 1), obtain all the required signatures and must comply with all the security controls required by this policy exception. As part of this approval process the ECNC must meet specific security requirements as outlined in the Export Control Network Computer Policy (ECNCP) (Attachment 2) which includes among other requirements an audit of the ECNC by UF Information Security and Compliance before receiving or storing export controlled data and on an annual basis. Also, audits by the PI’s Department IT personnel must be performed on a quarterly basis.
Thank you for your attention and assistance in this important matter.