I. Purpose
This Standard supports and supplements FSU Technology Policies. This standard identifies an IT security and privacy organizational structure and establishes roles and responsibilities to facilitate more effective university-wide IT risk management across hundreds of FSU units.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.
II. Definitions
Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Mission Critical – any factor (component, equipment, personnel, process, procedure, software, etc.) that is essential to business operations. Mission Critical IT systems and data enable essential IT functions whose interruption or failure would have an immediate detrimental effect on the University and CUUs, including, but not limited to, one or more of the following:
- Risk to human life or safety
- Significant impact on the University’s research, learning and teaching, and administrative functions
- Significant legal, regulatory, or financial costs
- Loss of access to critical data or the ability to carry out critical business functions following an event
University Unit – a school or college and any departments or divisions which are a subdivision of a college or school; centers, facilities, labs, libraries, or programs within a college or school, or as an independent entity; offices; associations; and administrative units.
Full IT Glossary
III. Standard
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Responsibilities include, but are not limited to:
- Ensure compliance with IT policies, standards, and guidelines for the units within the CUU.
- Designate and authorize a CUU Information Security Manager (ISM) who will act as liaison for University Unit ISMs to facilitate security compliance activities among the units. The CUU ISM will provide a central point of contact for the CUU and support unit ISMs as needed for security-related issues across the CUU. Responsibilities related to the CUU ISM’s security duties must be documented as part of the position description.
- Designate and authorize a CUU Privacy Coordinator who will act as liaison for University Unit Privacy Coordinators to facilitate privacy compliance activities among the units. The CUU Privacy Coordinator will provide a central point of contact for the CUU and support unit Privacy Coordinators as needed for privacy-related issues across the CUU. Responsibilities related to the CUU Privacy Coordinator’s privacy duties must be documented as part of the position description.
- Notify the CISO at security@fsu.edu regarding any changes to the CUU ISM or CUU Privacy Coordinator within 5 business days of the position being vacated or filled. If no interim is appointed during a vacancy, the CUU DDDH will act as liaison to ISPO until a permanent replacement is identified. Notification must be sent from the CUU DDDH’s FSU email address.
- Review, approve, and submit exception requests for all units within the CUU to the CISO, based on the 4-OP-H-25.20 Request for Exception to IT Security Policy. Ensure that any approved compensating controls are properly implemented and maintained.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
Responsibilities include, but are not limited to:
- Ensure compliance with IT policies, standards, and guidelines for the units within the CUU.
- Maintain the CUU’s information security program in accordance with IT Security Policies, Standards, Procedures, and Guidelines.
- Ensure appropriate compliance and security controls within the CUU.
- Ensure identity and contact information on file with ISPO is current for all Unit ISMs appointed by University Unit DDDHs. The CISO shall be notified at security@fsu.edu regarding any changes to Unit ISMs within 5 business days of the position being vacated or filled. If no interim is appointed during a vacancy, the CUU ISM will act as liaison to ISPO on security matters until a permanent Unit ISM is identified. Notifications to the CISO must be sent from the CUU ISM’s FSU email address.
- Facilitate requests submitted under the 4-OP-H-25.20 Request for Exceptions to Security Policy for requestors within the CUU. Obtain approval from the CUU DDDH and submit the request to the CISO for final determination. If approved, ensure that the appropriate mitigation and compensating controls are properly implemented and monitored for compliance as agreed upon.
- Immediately report suspected or confirmed computer incidents to ISPO at security@fsu.edu, according to the 4-OP-H-25.11 IT Incident Response Standard.
Consolidated University Unit (CUU) Privacy Coordinator
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s privacy program. The CUU Privacy Coordinator is the central point of contact between the University Units and ISPO for privacy issues.
Responsibilities related to this Standard include, but are not limited to:
- Ensure compliance with IT policies, standards, and guidelines for the units within the CUU.
- Maintain the CUU’s information privacy program according to IT Security and Privacy Policies, Standards, Procedures and Guidelines.
- Ensure identity and contact information on file with ISPO is current for all Unit Privacy Coordinators appointed by University Unit DDDHs. The CISO shall be notified at security@fsu.edu regarding any changes to University Unit Privacy Coordinators within 5 business days of the position being vacated or filled. If no interim is appointed during a vacancy, the CUU Privacy Coordinator will act as liaison to ISPO on privacy matters until a permanent Unit Privacy Coordinator is identified. Notifications to the CISO must be sent from the CUU Privacy Coordinator’s FSU email address.
- Work with the CUU and University Unit ISMs and Data Custodians to coordinate the implementation of electronic and physical controls for information classified as High Risk or Moderate Risk to ensure they meet legislated or contracted privacy requirements.
University Unit Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a University Unit. The DDDH has management authority and responsibility for IT security and privacy for the unit, in coordination with their designated CUU’s information security program. Responsibilities of the University Unit DDDH are the same as the CUU DDDH but apply to the University Unit.
- Ensure compliance with IT policies, standards, and guidelines for the unit.
- Designate a University Unit Information Security Manager (ISM) who will manage the security program for the unit. Responsibilities related to the University Unit ISM’s security duties must be documented as part of the position description.
- Designate and authorize a University Unit Privacy Coordinator who will manage the privacy program for the unit. Responsibilities related to the Unit Privacy Coordinator’s privacy duties must be documented as part of the position description.
- Notify the CISO at security@fsu.edu regarding any changes to the University Unit ISM or University Unit Privacy Coordinator within 5 business days of the position being vacated or filled. If no interim is appointed during a vacancy, the Unit DDDH will act as liaison to ISPO until a permanent replacement is identified. Notification must be sent from the Unit DDDH’s FSU email address.
- Review and approve exception requests for the unit, based on the 4-OP-H-25.20 Request for Exception to IT Security Policy. Ensure any compensating controls approved are properly implemented and maintained within the unit.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring the University Unit’s compliance with IT security policies, standards, and guidelines, in coordination with their designated CUU’s information security program. Responsibilities of the University Unit ISM are the same as those of the CUU ISM but apply to the University Unit.
Responsibilities related to this Standard include, but are not limited to:
- Ensure compliance with IT policies, standards, and guidelines for the units within the CUU.
- Manage the unit’s information security program according to IT Security Policies, Standards, Procedures and Guidelines.
- Ensure appropriate compliance and security controls within the unit.
- Coordinate requests for exceptions to security policies for requestors within the unit. Obtain approval from the University Unit DDDH and work through the CUU ISM as defined by the 4-OP-H-25.20 Request for Exceptions to Security Policy. If approved, ensure that the appropriate mitigation and compensating controls are properly implemented and monitored for compliance as agreed upon.
- Immediately report suspected or confirmed computer incidents to ISPO at security@fsu.edu, according to the 4-OP-H-25.11 IT Incident Response Standard.
University Unit Privacy Coordinator
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring the University Unit’s compliance with IT privacy policies, standards, and guidelines, in coordination with their designated CUU’s information privacy program. Responsibilities of the University Unit Privacy Coordinator are the same as those of the CUU Privacy Coordinator but apply to the University Unit.
Responsibilities include, but are not limited to:
- Manage the unit’s information privacy program according to IT Security and Privacy Policies, Standards, Procedures and Guidelines.
- Ensure the identification, classification, and documentation of all unit data as defined by the 4-OP-H-25.01 Data Security Standard.
- Assist the unit in meeting privacy controls, including legislated or contractual controls.
For more information, see IT Roles and Responsibilities.
Consolidated University Units
The Vice President for Finance and Administration and the University Provost, or other University executive management they designate, have identified University Units with mission critical business functions that, if disrupted, may impede the University’s ability to meet its mission and/or strategic goals, may have a major financial or reputational impact, or may result in significant regulatory or contractual noncompliance. Where feasible, related units have been designated as Consolidated University Units (CUUs) to align with the University’s organizational structure and the functions they provide for their parent organization.
CUUs provide a central point of contact and promote more effective IT security and privacy practices, collaboration, communication, consistency, and compliance among the units within the CUU. The CUU also plays a key role in activities related to the Seminole Secure program and its required deliverables. For more information, see:
- Seminole Secure | Information Technology Services
- 4-OP-H-25.18 Risk Management Standard
- 4-OP-H-25.12 Disaster Recovery Planning Standard
- 4-OP-H-25.09 IT Vulnerability Management Standard
- 4-OP-H-25.11 IT Incident Response Standard
A CUU DDDH has been identified for each CUU and delegated the authority and responsibility for the security and privacy programs of that CUU.
For systems and services provided through partnerships with Information Technology Services (ITS), CUUs and University Units are responsible for ensuring compliance with all FSU Technology Policies and Standards.
For a list of all CUUs and their assigned University Units, see List of IT Consolidated University Units.