This Standard supports and supplements FSU Technology Policies. It defines security and privacy requirements and best practices for implementing controls that will protect the confidentiality, integrity, and availability of FSU information. Institutional Information will be inventoried, classified, and managed based on the level of sensitivity, criticality, and potential for misuse of the information. This standard applies to all data accessed, collected, stored, processed, or transmitted by users. All users of FSU IT resources have an obligation to protect institutional data.
Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with FSU policies or obtain an exception in accordance with the Request for Exception to IT Security Policy.
In addition to FSU IT policies and standards, laws and regulations governing the protection of university data resources include, but are not limited to:
- Personally Identifiable Information (PII)
- Payment Card Industry Data Security Standard (PCI DSS) – credit card information
- Family Educational Rights and Privacy Act (FERPA) - student educational information
- Health Insurance Portability and Accountability Act (HIPAA) - personal health information
- 15 U.S.C. 6801, implemented by 16 CFR Part 314, The Gramm Leach Bliley Act (GLB Act) – customers’ personal financial information
- Chapter 119.071, Florida Statutes - Florida Public Records
- Chapter 501.171, Florida Statutes – Security of Confidential Personal Information
Availability – the principle that authorized users have timely and reliable access to information and IT resources.
Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Confidentiality – the principle that information is accessible only to those authorized (authorized access).
FSU Data – data created or received by data users while acting on behalf of FSU. Does not include intellectual property which by law, copyright or other policies is owned, licensed or otherwise legally controlled by a data user.
Information Security Incident - a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Integrity – the principle that assures information remains intact, correct, authentic, accurate and complete. Integrity involves preventing unauthorized and improper creation, modification, or destruction of information.
Full IT Glossary
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity and the NIST Privacy Framework in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
Consolidated University Units (CUUs) are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Controls supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework and Controls
|Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.||ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value|
|Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.||ID.RA-4: Potential business impacts and likelihoods are identified|
|ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk|
|Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.||PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition|
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
Consolidated University Unit (CUU) Privacy Coordinator
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s privacy program. The CUU Privacy Coordinator is the central point of contact between the University Units and ISPO for privacy issues.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
University Unit Privacy Coordinator
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a University Unit’s compliance with privacy IT policies, standards, and guidelines, in coordination with their designated CUU’s information privacy program.
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources.
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.
The Dean, Director, Department Head, or other manager who is ultimately responsible for an application system, including appropriate security safeguards.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, servers, applications, databases, and operating systems. For more information, see IT Roles and Responsibilities.
Data security includes inventorying, classifying, monitoring, and managing data appropriately to determine the susceptibility to risk or exploit and the level of protection required to comply with policies and standards. Risk level is determined by factors including, but not limited to:
- the sensitivity and risk of harm to individuals or FSU if the data is subject to a breach or unauthorized disclosure
- failure or loss of availability of a critical business function that depends on the data
- loss of productivity or other negative impacts to resources
CUU Privacy Coordinators are responsible for coordinating with University Units to ensure compliance with the requirements of this standard. University Unit Privacy Coordinators are responsible for ensuring data identification, classification and documentation of data as defined by this standard. Documentation shall include identification of associated IT resources, Data Custodians, and staff with authorized access to High Risk or Moderate Risk data. Additional requirements for access to High Risk and Moderate Risk data are defined by the IT Access, Authorization and Authentication Standard.
Data Custodians are responsible for establishing and maintaining an accurate, detailed, and up-to-date Data Inventory of all source data and datasets for which he/she is responsible that meet the following criteria:
- all datasets that include enterprise data and any other data for which FSU business processes are dependent
- all datasets that include High Risk and Moderate Risk data, as defined by Data Classification below, and are covered by FSU security and privacy policies and standards. Examples include, but are not limited to HIPAA, FERPA, GLB, PCI, financial, etc.
- all datasets that include information protected by third-party contracts, agreements, licenses, etc.
- all datasets that include information protected by legal provisions
For more information, see Examples of Datasets and Data Inventory Template.
In conjunction with the Data Inventory, Data Custodians are responsible for classifying data for which they are responsible according to risk levels, as defined by this standard. The classification of information determines the baseline security protections and controls that are appropriate and required to protect the confidentiality, integrity, and availability of data. Risk-based data classification is the basis for requirements outlined by FSU policies, standards, and guidelines for protection of information and systems. The risk level assigned to data accessed, created, stored, processed, or transmitted determines the minimum-security standards applicable for all FSU technology resources, and is referenced when appropriate by FSU’s IT policies and standards. Data Classifications reflect the expected risk of harm to individuals and the university if the information were to be subject to unauthorized access or disclosure. Harm may encompass negative psychological, reputational, financial, personal safety, legal, and/or other ramifications to individuals or the university.
FSU’s Data Classification system consists of three levels of risk to organizational operations, assets, or individuals:
High Risk – severe or catastrophic adverse effects could be expected
Data that is collected, developed, maintained, or managed by or on behalf of FSU and is protected by law, contracts, university patents or to mitigate institutional risks is defined as High RIsk. Any information that could, if exposed, create civil or criminal penalties, reputational damage, or loss of protected intellectual property.
Examples include, but are not limited to:
- Personally Identifiable Information (PII) such as Social Security Number, Driver license or identification card number, passport number, health insurance policy number, military identification number, government documents or any other information that can be used to identify an individual
- Student Information (FERPA)
- Financial information such as Credit Card and Bank Account information (PCI DSS)
- Student Financial Aid information (GLBA)
- Personal data
- Certain Research information
- Human subject research
- Health Information, including Protected Health Information (PHI)
- Computer passwords
- FSU information exempt from public disclosure under the provisions of FS Chapter 119, Public Records
Moderate Risk – serious adverse effects could be expected
Moderate Risk data is information which is not specifically protected by legal or contractual mandates but for which unauthorized access or modification could cause financial loss, damage to FSU’s reputation, violate an individual’s privacy rights, or make legal action necessary.
Examples include, but are not limited to:
- Name, in combination with one or more other data elements that potentially reveals personal identity (date of birth, phone number, home address, etc.)
- Academic course exams
- Course evaluations
- Personal notes on students held by faculty/staff that are not considered part of a student’s official record
- Purchasing responses to solicitation requests
- Trade secrets or intellectual property such as research activities
- Strategy documents and information used to secure the university’s physical or information environment
Every unit and individual must exercise due diligence to protect High Risk and Moderate Risk information.
Low Risk – limited adverse effects could be expected
Low Risk data is information not classified as High or Moderate Risk that is designated as publicly available, without requiring the specific information custodian’s approval. Low Risk data does not expose FSU to financial loss or jeopardize the security of IT Assets or physical security.
Examples include, but are not limited to:
- Course information and materials
- Official statements and press releases
- Public-facing websites
- Directory data not designated as private
- Unrestricted research data
For more examples, refer to FSU Data Classifications.
Data Custodians and other technology staff who administer technology resources that access, collect, store, process or transmit High Risk or Moderate Risk data are responsible for establishing and maintaining data management processes that address security and privacy requirements based on data classification and FSU security policies and supporting standards. Technology staff include, but are not limited to CUU and University ISMs, CUU and Unit Privacy Coordinators, Data Custodians, Data Managers, Application Custodians, IT Asset Custodians, etc.
Compliance with Security and Privacy Policies and Standards
CUUs are responsible for establishing and maintaining an information privacy program and data security based on the Data Inventory and Data Classification associated with IT Assets. Processes shall be established to:
- Ensure compliance with security and privacy IT policies and standards. If any data in a dataset contains High Risk or Moderate Risk data, the dataset must be classified and treated as that risk level. Any data not yet classified will be considered High or Moderate Risk until classification is assigned. Any questions about classification or handling of data should be directed to the appropriate Data Custodian. For more information, refer to Information Privacy Standard.
- Secure devices based on security standards – All devices for which data users have access must be configured to meet the minimum standards as defined by the Data Classification risk level of the data for which he/she has access. Refer to supporting standards.
- Secure Configurations - Data Custodians and Data Managers, in conjunction with their CUU and University Unit ISM and CUU and University Unit Privacy Coordinator, are responsible for ensuring that data is properly protected and complies with IT Security Configuration Management Standard controls.
- Authorize appropriate access to data users – Data Custodians are responsible for authorizing access to users for systems and data based on the minimum access sufficient to complete job responsibilities or other authorized activities. Refer to the IT Access, Authorization and Authentication Standard.
- Address changes in Access to Data Security Levels – Data Custodians and Data Managers are responsible for ensuring that any changes in a data user’s role results in appropriate corresponding changes in access requirements.
- Encrypt data classified as High Risk and Moderate Risk as defined by the Encryption Standard. This includes backups or copies of data classified as High Risk and Moderate Risk.
- Ensure disaster recovery planning and capabilities for data and systems supporting essential business functions that must be resumed during any major disruptions, as defined by the Disaster Recovery Planning Standard.
- Ensure proper disposal and sanitization of electronic data and media, as defined by the IT Data Disposal and Media Sanitization Standard.
- Ensure compliance of resources managed through third-party vendor agreements, as defined by the IT Third-Party Management Standard.
- Confirm Application Security Compliance – Data Custodians and Data Managers are responsible for identifying the appropriate Data Classification requirements associated with applications. Application Custodians are responsible for ensuring that data users are assigned the appropriate level of access to applications based on Data Classification.
- Report Incidents – Incidents involving confirmed or suspected unauthorized access to FSU information must be immediately reported according to the IT Incident Response Standard.
- Review and update documentation as needed to reflect changes that could impact security and privacy.