This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. FSU engages in research, teaching, clinical services, administrative and other educational activities that encompass a large variety and volume of information. Supporting these institutional missions requires sharing access to applications and data across multiple systems. Enterprise application integration, which includes use of Application Programming Interfaces (APIs) and remote data access between systems and other database links, connects and integrates enterprise systems with applications across the University that may be based on different technologies. Systems, databases, applications, and APIs that access or accept information transferred via integrations must handle and store data in compliance with IT policies and standards.
This Standard provides information security requirements for integration with enterprise systems and data in order to:
- integrate security across applications and systems by implementing specific privacy and security safeguards.
- minimize the vulnerability of enterprise systems to external attacks, unauthorized disclosure of information, or unauthorized access to administrative interfaces or system configurations.
- reduce the risk of threats to institutional data from misuse of the credentials used to facilitate access (integration) between applications and enterprise systems.
Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with FSU policies or obtain an exception in accordance with the Request for Exception to IT Security Policy.
Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Information Security Incident - a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Full IT Glossary
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
Consolidated University Units (CUUs) are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Controls supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework and Controls
|Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.||ID.AM-4: External information systems are catalogued|
|Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.||PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes|
|PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties|
|Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.||PR.IP-7: Protection processes are improved|
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Dean, Director or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a University Unit. The DDDH has management authority and responsibility for IT security and privacy for the unit, in coordination with their designated CUU’s information security program.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on the Data Security Standard.
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.
The Dean, Director, Department Head, or other manager who is ultimately responsible for an application system, including appropriate security safeguards.
For more information, see IT Roles and Responsibilities.
Access To Enterprise Data
This Standard identifies requirements for application and data integration based on the classification of the data being processed, stored, and transmitted as defined by the Data Security Standard.
The Application Custodian is responsible for the security of data, applications and APIs that access or accept transferred High Risk or Moderate Risk data as a result of an enterprise integration request. Application Custodians may delegate functions to authorized users, but accountability remains with the Custodian.
Requests For Enterprise Application and Data Integration
Application Custodians requesting integration with enterprise applications and data must:
- Submit a request documenting a business justification when requesting integration, which shall include: a brief explanation of the University function that will be supported by the integration; a list of any data elements that will be transferred via the integration; the classification level of each data element; and an explanation of how data received via the integration will be used and who will have access to the data as a result of the integration. Access to data and functionality should be constrained to documented use cases and roles.
- Coordinate with the requestor’s University Unit ISM to obtain written approval from the University Unit DDDH for the Enterprise Data Access Request.
- Ensure only individuals authorized by the Enterprise Data Access Request for the enterprise system will be granted the credentials that permit access via the integration. Access must be granted with the least privilege, and for the minimum duration needed for the integration.
- Ensure data made available via the integration is not redistributed or made available beyond what was documented in the business justification.
- Ensure appropriate and secure transmission of data as defined by the IT Encryption Standard.
- Maintain the security of any credentials issued to facilitate the integration. This includes requesting credentials be changed or revoked if their confidentiality has been compromised either through normal activity (such as employee termination), malicious activity, or when the credential is no longer needed.
Providers Of Enterprise Application and Data Integration
Application and Data Custodians authorizing integration with enterprise applications and data must:
- Review business justifications for integration requests and provide approval for access prior to making it available via the integration. Notify the University Unit DDDH and ISM of any approved requests to provide integration to requesting Units.
- Ensure appropriate and secure transmission of data as defined by the Encryption Standard.
- Maintain an internal, up-to-date list of all active integrations that includes: contact information for the Application Custodian of each application integrated with the enterprise system; a copy of the business justification provided by the Application Custodian; a record of any approvals obtained from Units permitting access or transmission of data via the integration; a list of any credentials associated with the integration, the individuals issued credentials, and the expiration date (if applicable) of the credentials; and the date the information was last reviewed.
- Communicate any changes to the enterprise system that will impact an integration to the custodian of the affected application.
- Provide implementation and security guidance to all individuals granted credentials used for integration.
- Grant the appropriate level of access to the application following the principal of least privilege.
- Communicate the expiration of any credentials to the individuals they were issued to in a timely manner.
- Coordinate the rotation or revocation of credentials used for an integration with the requesting Application Custodian.
Requests for integration with enterprise systems, such as research projects, must meet other applicable institutional compliance requirements, including Institutional Review Boards (IRB). It is the responsibility of the researcher to satisfactorily meet all compliance requirements. For more information, see Research Compliance | FSU Office of Research.
Authoritative Data Source
Data is maintained and updated at the authoritative source in respective FSU enterprise systems.
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at firstname.lastname@example.org. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the IT Incident Response Standard for more information.