This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It defines the requirements for business continuity planning to ensure that the FSU infrastructure is as secure and resilient as it can be. Business Impact Analysis, data backup and IT disaster recovery planning to are critical for facilitating continuity, restoration and timely recovery IT systems that support access to FSU’s critical business functions and data.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the Request for Exception to IT Security Policy.
Business Impact Analysis (BIA) – identifies critical business functions and documents the potential impacts resulting from disruption.
Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Continuity of Operations Plan (COOP) – a COOP focuses on restoring an organization’s mission-essential functions at an alternate site and performing those functions for up to 30 days before returning to normal operations. Minor threats or disruptions that do not require relocation to an alternate site are typically not addressed in a COOP.
Critical Business Functions - critical operational and/or business support functions that cannot be interrupted or unavailable for more than a mandated or predetermined timeframe without significantly jeopardizing University operations.
Disaster Recovery Plan – a written plan that defines technical activities that enable the continued availability or recovery of IT systems and services to an acceptable level of performance. A DR Plan is used to address major disruptions to service that deny access to the primary facility infrastructure for an extended period.
Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Mission Critical – any factor (component, equipment, personnel, process, procedure, software, etc.) that is essential to business operations. Mission Critical IT systems and data enable essential IT functions that would have an immediate detrimental effect on the University and CUUs if there was an interruption or failure of services including, but not limited to, one or more of the following:
- Risk to human life or safety
- Significant impact on the University’s research, learning and teaching, and administrative functions
- Significant legal, regulatory, or financial costs
- Loss of access to critical data or the ability to carry out critical business functions following an event
Tabletop Exercise – a discussion-based simulation of an emergency situation in an informal, stress-free environment; designed to elicit constructive scenario-based discussions.
Full IT Glossary
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity and the NIST Privacy Framework in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Controls supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework and Controls
|Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.||ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value|
|ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established|
|Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.||ID.BE-4: Dependencies and critical functions for delivery of critical services are established|
|ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)|
|Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.||ID.RM-2: Organizational risk tolerance is determined and clearly expressed|
|Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.||PR.IP-4: Backups of information are conducted, maintained, and tested|
|PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed|
|PR.IP-10: Response and recovery plans are tested|
|Recover (RC)||Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.||RC.RP-1: Recovery plan is executed during or after a cybersecurity incident|
|Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.||RC.IM-1: Recovery plans incorporate lessons learned|
|Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).||RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams|
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, computers, servers, workstations, IoT devices, applications, databases, operating systems, and firmware.
The Dean, Director, Department Head, or other manager who is ultimately responsible for an application system, including appropriate security safeguards.
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on classification level identified by the Data Security Standard.
For more information, see IT Roles and Responsibilities.
Business Impact Analysis (BIA)
To protect against the loss of data in the event of a physical disaster (natural or manmade), database corruption, hardware or software failure, or other incident which may lead to the loss of services or data, CUUs are required to conduct Business Continuity and IT Disaster Recovery (DR) Planning.
Business Continuity planning includes conducting a Business Impact Analysis (BIA) to address availability of essential business functions and vital infrastructure:
- Determine mission critical business processes and recovery time. Critical business processes must be identified, and the impact of a system disruption to those processes must be determined along with outage impacts and estimated downtime. The estimated downtime should reflect the maximum time that an organization can tolerate while still maintaining the mission.
- Identify resource requirements. Realistic recovery efforts require an evaluation of the critical resources required to resume the critical business processes and related interdependencies as quickly as possible. Resources that may be required include facilities, personnel, IT systems, services, infrastructure (equipment, software, data files, system components, etc.), and essential records.
- Identify recovery priorities for system resources. Priority levels can be established for sequencing recovery activities and resources.
Disaster Recovery Plan
IT disaster recovery planning is the ongoing process of planning, developing, implementing, and testing disaster recovery management procedures and processes to ensure the efficient and effective resumption of critical functions in the event of an unscheduled interruption. This planning ensures that all essential business functions, resources, IT systems, and supporting technology infrastructure that must be available to enable the university to continue critical operations have been identified and prioritized. FSU data and systems essential to the continued operation of critical University functions must be recoverable through the use of backup, replication, high availability, or other technology. System dependencies and risks must be identified and accounted for when developing the order of recovery, establishing tolerance for downtime and recovery objectives, and documenting the roles of required personnel.
The CUU Dean, Director or Department Head (DDDH) is responsible for ensuring appropriate contingency planning related to critical business functions within the CUU’s university units, that if disrupted could:
- impede the university’s ability to meet its mission and/or strategic goals,
- have a major financial or reputational impact, or
- result in significant regulatory or contractual noncompliance.
CUU ISMs are responsible for coordinating disaster recovery planning, testing and implementation efforts for the IT resources identified as critical to the CUU’s Continuity of Operations (COOP). IT Asset Custodians who manage mission critical IT Assets that support critical CUU business functions are responsible for identifying critical IT Assets in their BIA and all necessary contingency planning related to those assets. This includes:
- identifying and prioritizing essential business functions, facilities, and infrastructure that are most vital to operations.
- understanding the adverse impacts (fiscal, operational, reputational, safety) if such capabilities are not available.
- identifying the IT systems, data, services, and personnel required to enable required capabilities.
- determining when systems & services need to be available. (Recovery Times)
Disaster Recover Plans, BIAs and other required contingency planning documentation must be made available upon request to ISPO and ITS.
CUUs will complete DR plans regularly, on a rotating schedule. See Seminole Secure Schedule for more information on requirements for completion.
See Seminole Secure for more information.
Review, Test and Validate DR Plans
IT Disaster Recovery Plans must be reviewed and tested at least annually or whenever significant system architecture or personnel changes occur. Plans must be tested on an annual basis and updated to document lessons learned and remediation steps to address plan weaknesses.
Training and Awareness
Each CUU must identify the responsibilities associated with IT Disaster Recovery to ensure that staff understand their roles and are capable of carrying out their responsibilities in the event a recovery is necessary. The Information Security and Privacy Office (ISPO) will partner with CUUs to assist with the onboarding of tools and to provide training and support for IT Disaster Recovery activities.
For more information, see IT Security and Privacy Training Standard.
Data Backup Requirements
Information on recurring backup procedures for critical data and IT Assets must be included in each CUU’s written business continuity plans. Backups are required for all data, systems and infrastructure necessary to support the recovery and resumption of essential business operations identified by the BIA, COOP, and DR plan. This applies to all University Units/CCUs and third-party vendors who use computing devices connected to the FSU network, or who process or store critical data owned by the University. CUU/University Unit ISMs are responsible for ensuring adequate data backup procedures for the data required to be backed up.
The responsibility for backing up data held on the workstations of individuals, regardless of whether they are owned privately or by the university, falls entirely to the user. Data stored on workstations and other devices or locations under the user’s control must be routinely backed up by the user. University users should consult their CUU ISM about local back-up procedures. It is the responsibility of units, research programs, and individual faculty, staff, and workforce members within each CUU to:
- Classify institutional data based on data classifications as defined by the Data Security Standard and determine the backup method best suited to their classification level
- Identify primary responsibility within the CUU or research program for data backup; appropriate roles and responsibilities must be defined for data backup and restoration to ensure timeliness and accountability
- Ensure backups containing information classified as High Risk and Moderate Risk Data are encrypted-in-transit and at rest, as defined by the Encryption Standard.
- Ensure backups are secure, regularly validated, and accessible, and created using a methodology and frequency that meets the desired recovery (RTO, RPO).
Information Technology Services (ITS) is responsible for the backup of data held in central systems and related databases. Data stored on shared directories are routinely backed up by ITS.
All backups must conform to the following best practice procedures:
- All data, operating systems and utility files must be adequately and systematically backed up (includes all patches, fixes, and updates).
- Records must be maintained identifying the information backed up and its location.
- Records of software licensing should be backed up.
- Backup media must be precisely labeled and recorded.
- Ensure backups containing information classified as High Risk and Moderate Risk Data are encrypted in transit and at rest.
- Copies of the backup media, together with the backup record, should be stored safely in a remote location, at a sufficient distance away to escape any damage from a disaster at the main site.
- Regular tests should be conducted for restoring data/software from backup copies to ensure reliability.
Note: For most important and time-critical data, a mirror system or disk may be needed for a quick recovery.