I. Purpose
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It establishes requirements for the use of personally owned devices that connect to FSU technology resources and/or data, conduct FSU business, or interact with internal networks and business systems. Devices include, but are not limited to smartphones, tablets, laptops, notebooks, etc.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with FSU policies or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.
II. Definitions
Bring Your Own Device (BYOD) – refers to personally used devices for access to university IT resources.
High Risk Data – data that is collected, developed, maintained, or managed by or on behalf of FSU and is protected by law, contracts, university patents, or to mitigate institutional risks. Any information that could, if exposed, create civil or criminal penalties, reputational damage, or loss of protected intellectual property.
IT Assets – technology resources including, but not limited to, computers, networks, servers, applications, databases, software, and operating systems owned, managed, or sponsored by IT Asset Custodians.
Moderate Risk Data – information that is not explicitly protected by legal or contractual mandates but for which unauthorized access or a modification could cause financial loss, damage to FSU's reputation, violate an individual's privacy rights or make legal action necessary.
Personally Owned Device - any non-FSU owned smartphone, tablet, laptop, notebook, or other IT device used to access technology resources.
Full IT Glossary
III. Standard
FSU has adopted the NIST Cybersecurity Framework (CSF) 2.0 as the foundation for a risk-based approach to cybersecurity management. CSF uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and best practices to establish baseline expectations for cybersecurity for all University Units.
University Units are responsible for using this framework to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Functions supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework 2.0
| Function | Category |
| Protect (PR) |
Data Security (PR.DS): Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information |
| Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access | |
| Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability | |
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the university. The CISO reports to the FSU Chief Information Officer and the Provost and also serves as the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for establishing and enforcing the application of appropriate operational security controls necessary to protect the network.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, computers, servers, workstations, IoT devices, applications, databases, operating systems, and firmware.
For more information, see IT Roles and Responsibilities.
User Responsibilities
Users accessing university technology resources with personal devices are responsible for protecting IT Assets from unauthorized access, loss, alteration, damage and other threats or attacks. Additionally, users are responsible for all activities conducted by their account and for any resulting damages or criminal/civil charges while connected.
FSU is not responsible or liable for the maintenance, backup, or loss of data on a personal device and does not accept responsibility for the security of personal devices, including loss, theft, or damage.
University units may implement additional limits on personal use of devices beyond the parameters of this standard. Any additional limits must be documented and communicated to users and the Information Security and Privacy Office (ISPO).
Individuals using a personal device to access FSU IT data and resources shall:
- Comply with all applicable federal, state, and local laws, and FSU Policies and supplemental Standards in their use of FSU’s IT resources.
- Ensure physical security of the device to prevent loss or theft of any device with stored FSU data. For any lost or stolen device containing FSUID credentials, the owner is required to promptly change the associated FSU credentials and report the incident to the University Unit ISM.
- Configure the device for inactivity (lock), session termination, and an active form of access protection such as a pin/passcode, facial recognition, fingerprint, etc. Password construction must meet FSU minimum requirements, as defined by 4-OP-H-25.07 Access, Authorization and Authentication Standard.
- Run a manufacturer-supported Operating System that is patched and updated regularly.
- Destroy, remove, or return any FSU data no longer required by the user for FSU business (i.e. separation from FSU, changing job duties, no longer the primary user of the device).
Individuals using a personal device to access FSU IT data and resources shall not:
- Access or download High Risk or Moderate Risk data as defined by 4-OP-H-25.01 Data Security Standard.
- Download software licensed to FSU unless specifically permitted by the license.
- Use the personal device as the primary means to create, store, send or receive FSU data. FSU’s ITS-provided email system is the official means of communication for the university. Faculty, staff, third-party staff, and students are required to conduct FSU business from their FSU assigned email address containing the fsu.edu domain.
- Disrupt the use or function of the FSU network or other IT Assets.
- Use the personal device as an FSU server or networking device.
In accordance with Florida law, FSU blocks access to prohibited applications, websites, and technologies on university devices or personal devices while using FSU’s Wi-Fi, virtual private network, and any network FSU owns, operates, or maintains. Refer to the 4-OP-H-21 Acceptable Use of Technology Policy.
Access to the FSU network is contingent upon compliance with IT Security and Privacy Policies and Standards. The Chief Information Security Officer (CISO) may restrict network access for non-compliance.
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.
