I. Purpose
The following are key roles and responsibilities related to IT Security and Privacy Policies and Standards:
Data Trustees
FSU's executive structure correlates directly with the major categories of university data. The following are Data Trustees for their respective areas of responsibility:
- President
- Executive Vice President for Academic Affairs and Provost
- Vice President for Finance and Administration
- Vice President for Student Affairs
- Associate Vice President for Governmental Relations
- Vice President for Research
- Vice President for University Advancement
Information Security and Privacy Governance Council (ISPGC)
The Florida State University Information Security and Privacy Governance Council (ISPGC) provides strategic direction for university-wide information security and privacy. The ISPGC serves as liaison between the Information Security and Privacy Office (ISPO) and university senior management to ensure that security strategies align with and support business objectives, are consistent with applicable laws and regulations, and manage risk through adherence to policies and internal controls.
Information Technology Governance Council (ITGC)
The ITGC provides advice and recommendations to Information Technology Services (ITS) on institutional IT policy, services, strategies, and priorities. The ITGC ensures that ITS' efforts are aligned with furthering the FSU Strategic Plan. The ITGC acts as a sounding board representing the community's perspectives and interests.
The ITGC is chaired by the University Provost and is comprised of the Chief Information Officer, several college deans, and several senior academic and administration leaders. Current members of the ITGC are listed in the ITGC Charter and the ITGC Members document.
Privacy and Security Advisory Committee
The Privacy and Security Advisory Committee is made up of the Consolidated University Unit VPs and Managers, as defined by the 5-OP-H-5.1 Procedure for Defining University Units.
Chief Information Officer (CIO) and Information Technology Services (ITS)
ITS is the central IT organization for the university, providing technology and IT support for FSU's educational, research and administrative functions. Services include email, network, voice and web services, specialized applications, etc. ITS is directed by the Chief Information Officer (CIO).
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the university. The CISO reports to the FSU Chief Information Officer and the Provost and also serves as the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Exceptions for any provision of IT Policies or supplemental IT Standards must be approved by the CISO in accordance with the Request for Exception to IT Security Policy.
The CISO has the responsibility and authority to:
- Provide IT security and privacy policies and standards that promote a strategic, university-wide approach to managing IT risks.
- Perform IT Risk Management, as defined by the Risk Management Standard:
  - Develop and maintain a standards-based risk assessment methodology.
  - Provide guidelines and facilitate risk assessments for CUUs.
  - Provide Risk Mitigation support and other follow-up for completed risk assessments.
  - Provide education to CUU staff for conducting risk assessments.
- Perform or authorize network security monitoring, intrusion detection/prevention, website scanning, network scanning, penetration testing, and other security procedures as defined by the IT Network Standard.
- Establish and support a university-wide training and awareness program that includes Basic Cybersecurity training and other topics such as phishing, Disaster Recovery and Business Continuity, risk management, vulnerability scanning, etc. as defined by the IT Security and Privacy Training Standard.
- Establish appropriate operational controls necessary to mitigate the risks associated with the unauthorized disclosure, loss, or theft of university information as defined by the IT Access, Authorization and Authentication Standard.
- Oversee the university's Vulnerability Management program. Monitor for malicious activity and issue alerts for known vulnerabilities. The CISO may authorize systems or applications that pose a potential threat to FSU's IT resources to be blocked from the network as defined by the IT Vulnerability Management Standards.
ITS Reviewer
The technology professional(s) designated by the CISO/CIO to review requests and make security and privacy related recommendations for the procurement of technology resources and their compliance with university policies and standards.
Consolidated University Units (CUUs)
A CUU is a consolidated group of related university units that has management authority and responsibility for ensuring compliance with IT policies, standards, and guidelines for the units within the CUU.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Responsibilities include, but are not limited to:
- Ensure compliance with IT policies, standards, and guidelines for the units within the CUU:
  - Designate and authorize a CUU Information Security Manager (ISM) who will act as liaison for University Unit ISMs to facilitate security compliance activities among the units. The CUU ISM will provide a central point of contact for the CUU and support unit ISMs as needed for security-related issues across the CUU. Responsibilities related to the CUU ISM's security duties must be documented as part of the position description.
  - Designate and authorize a CUU Privacy Coordinator who will act as liaison for University Unit Privacy Coordinators to facilitate privacy compliance activities among the units. The CUU Privacy Coordinator will provide a central point of contact for the CUU and support unit Privacy Coordinators as needed for privacy-related issues across the CUU. Responsibilities related to the CUU Privacy Coordinator's privacy duties must be documented as part of the position description.
  - Notify the CISO at security@fsu.edu regarding any changes to the CUU ISM or CUU Privacy Coordinator within 5 business days of the position being vacated or filled. If no interim is appointed during a vacancy, the CUU DDDH will act as liaison to ISPO until a permanent Unit ISM is identified. Notification must be sent from the CUU DDDH's FSU email address.
  - Review, approve and submit exception requests for all units within the CUU to the CISO, based on the Request for Exception to IT Security Policy. Ensure any compensating controls approved are properly implemented and maintained.
  - Ensure security and privacy training requirements are met for all CUU staff, as defined by the IT Security and Privacy Training Standard.
  - Authorize the transfer of High Risk or Moderate Risk data requested by other university units, third-party vendors or to non-university owned portable storage, portable computing devices such as mobile memory devices, laptop computers, tablets or smartphones as defined by the IT Access, Authorization and Authentication Standard.
  - Report the effectiveness of vulnerability and remediation activities of the CUU to ISPO and FSU senior management, as defined by the IT Vulnerability Management Standard.
  - Ensure appropriate contingency planning for critical business functions within the CUU as defined by the IT Disaster Recovery Planning Standard.
  - Ensure that only FSU-approved technology solutions are utilized by CUU users unless an exception is approved which provides appropriate agreements that comply with security and data protection requirements (FSU policy, FERPA, HIPAA, PCI, etc.), as defined by the IT Third-Party Management Standard. Provide written approval for any third-party agreements requested for the CUU. Ensure that procedures are in place to manage third-party vendor engagements in compliance with university policies, standards, and procedures.
  - Review and approve CUU requests for integration with enterprise data, as defined by the IT Enterprise Application Integration Standard.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU's information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
Responsibilities include, but are not limited to:
- Ensure compliance with IT policies, standards, and guidelines for the units within the CUU:
  - Ensure the CUU's information security program operates according to IT Security Policies, Standards, Procedures and Guidelines.
  - Ensure appropriate compliance and security controls within the CUU.
  - Ensure identity and contact information on file with ISPO is current for all Unit ISMs appointed by University Unit DDDHs. The CISO shall be notified at security@fsu.edu regarding any changes to Unit ISMs within 5 business days of the position being vacated or filled. If no interim is appointed during a vacancy, the CUU ISM will act as liaison to ISPO on security matters until a permanent ISM is identified. Notifications to the CISO must be sent from the CUU ISM's FSU email address.
  - Facilitate Requests for Exceptions to Security Policy for requestors within the CUU. Request approval by the CUU DDDH and submit to the CISO for final determination. If approved, ensure that appropriate mitigation and compensating controls are properly implemented and monitored for compliance as agreed upon.
  - Immediately report suspected or confirmed computer incidents to ISPO at security@fsu.edu, according to the IT Incident Response Standard.
  - Ensure security configuration management within the units to ensure the FSU infrastructure is resilient. Provide support and oversight to CUU IT Asset Custodians to ensure proper configuration management of all CUU IT Assets, as defined by the IT Security Configuration Management Standard.
  - Network, as defined by the Network Security Standard. Ensure CUU compliance for network controls:
    - Document configurations of network devices (routers, switches, firewalls, IPS/S, modems, etc.).
    - Maintain up-to-date network diagrams/documentation.
    - Implement a change management process to ensure proposed modifications to configurations are reviewed, approved, tracked, and documented.
    - Ensure all network device installations are coordinated and approved by ITS. Administration of hardware, software, or applications performed over a network shall be encrypted.
    - Ensure network perimeter security measures are in place to prevent unauthorized connections to university IT resources.
    - Monitor for unauthorized wireless network access points.
    - Register wireless access point hardware, software, and deployment information for authorization by ITS. Upon detection, remove unauthorized wireless access points connected to the FSU network.
    - Ensure the FSU wireless environment does not use vendor defaults (e.g., encryption keys, passwords, SNMP community strings, etc.).
    - Inform wireless users of security, privacy policies and procedures related to the use of wireless communications.
  - In coordination with the CUU Privacy Coordinator, ensure all unit staff, including third-party users, receive required information security and privacy training, as defined by the IT Security and Privacy Training Standard. As verification of participation, maintain rosters of participants who have completed required training.
  - Ensure compliance for authorization and access to CUU IT resources based on job duties, responsibilities, and classification of data, as defined by the IT Access, Authorization and Authentication Standard.
  - Implement access and authorization controls to protect facilities that maintain university information resources from physical and environmental threats. Authorize credentials for facility access and enforce access, as defined by the IT Physical Access Standard.
  - CUU ISMs are responsible for ensuring the vulnerability management program for their CUU. CUU ISMs are responsible for ensuring proper vulnerability management is implemented for the IT Assets within the CUU as defined by the IT Vulnerability Management Standard.
  - CUU ISMs are responsible for ensuring data log collection, review, and coordination with ITS as needed to comply with the requirements of the Log Collection, Analysis and Retention Standard.
  - CUU ISMs are responsible for coordinating disaster recovery planning, testing and implementation efforts for the IT resources identified as critical to the CUU's Continuity of Operations (COOP) as defined by the IT Disaster Recovery Standard.
  - Review and facilitate coordination for Third-Party Vendor agreement requests.
  - Ensure encryption requirements are met within the CUU for data at rest and data in transit, as defined by the Encryption Standard.
  - Ensure appropriate handling of electronic data disposal and media sanitization within the CUU, using the appropriate approved technique, based on the data classification level as defined by the Data Disposal and Media Sanitization Standard.
Consolidated University Unit (CUU) Privacy Coordinator
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU's privacy program. The CUU Privacy Coordinator is the central point of contact between the University Units and ISPO for privacy issues.
Responsibilities include, but are not limited to:
- Ensure compliance with IT policies, standards, and guidelines for the units within the CUU:
  - Ensure the CUU's information privacy program operates according to IT Security Policies, Standards, Procedures and Guidelines:
    - Ensure information identification, classification, and documentation of all CUU data including IT resources and associated Data Custodians, as defined by the Data Security Standard.
    - Assist the CUU in meeting privacy controls, including legislated or contractual controls.
  - Ensure identity and contact information on file with ISPO is current for all Unit Privacy Coordinators appointed by University Unit DDDHs. The CISO shall be notified at security@fsu.edu regarding any changes to University Unit Privacy Coordinators within 5 business days of the position being vacated or filled. If no interim is appointed during a vacancy, the CUU Privacy Coordinator will act as liaison to ISPO on privacy matters until a permanent Unit Privacy Coordinator is identified. Notifications to the CISO must be sent from the CUU Privacy Coordinator's FSU email address.
  - Ensure that privacy is properly safeguarded and maintain privacy levels according to the requirements based on data risk classification as defined by the Information Privacy Standard. All information must be inventoried, classified, and managed as required by FSU Policies and Standards, based on these risk classification levels.
  - In coordination with the CUU ISM, ensure all unit staff, including third-party users, receive required information security and privacy training related to safeguarding High Risk and Moderate Risk data, as defined by the IT Security and Privacy Training Standard. As verification of participation, maintain rosters of participants who have completed required training.
  - Ensure documentation is maintained related to all positions that require access to High Risk or Moderate Risk data, including agreements acknowledging special confidential controls necessary to meet specific legal or contractual privacy requirements, as defined by the IT Access, Authorization and Authentication Standard.
  - Review and facilitate coordination for Third-Party Vendor agreement requests as defined by the IT Third-Party Management Standard. Maintain a current inventory of third-party vendors who have access to High Risk or Moderate Risk information.
University Units
Individual schools, colleges, or any departments or divisions which are a subdivision of a Consolidated University Unit (CUU), including colleges or schools; centers, facilities, labs, libraries, or programs within a college or school, or an independent entity; offices; associations; and administrative units.
University Unit Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a University Unit. The DDDH has management authority and responsibility for IT security and privacy for the unit, in coordination with their designated CUU's information security program.
Responsibilities include, but are not limited to:
- Ensure compliance with IT policies, standards, and guidelines for the units.
- Designate a University Unit Information Security Manager (ISM) who will manage the security program for the unit. Responsibilities related to the University Unit ISM's security duties must be documented as part of the position description.
- Designate and authorize a University Unit Privacy Coordinator who will manage the privacy program for the unit. Responsibilities related to the Unit Privacy Coordinator's privacy duties must be documented as part of the position description.
- Notify the CISO at security@fsu.edu regarding any changes to the University Unit ISM or University Unit Privacy Coordinator within 5 business days of the position being vacated or filled. If no interim is appointed during a vacancy, the Unit DDDH will act as liaison to ISPO until a permanent replacement is identified. Notification must be sent from the University Unit DDDH's FSU email address.
- Review and approve exception requests for the unit, based on the Request for Exception to IT Security Policy. Ensure any compensating controls approved are properly implemented and maintained within the unit.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a University Unit's compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU's information security program.
Responsibilities include, but are not limited to:
- Manage the unit's information security program according to IT Security Policies, Standards, Procedures and Guidelines.
- Ensure appropriate compliance and security controls within the unit.
- Coordinate requests for exceptions to security policies for requestors within the unit. Request approval by the University Unit DDDH and work through the CUU ISM as defined by the Requests for Exceptions to Security Policy. If approved, ensure that appropriate mitigation and compensating controls are properly implemented and monitored for compliance as agreed upon.
- Immediately report suspected or confirmed computer incidents to ISPO at security@fsu.edu, according to the IT Incident Response Standard.
University Unit Privacy Coordinator
The liaison designated by a University Unit Dean, Director or Department Head (DDDH) responsible for ensuring a University Unit's compliance with privacy IT policies, standards, and guidelines, in coordination with their designated CUU's information privacy program.
Responsibilities include, but are not limited to:
- Manage the unit's information privacy program according to IT Security and Privacy Policies, Standards, Procedures and Guidelines.
- Ensure information identification, classification and documentation of all unit data as defined by the Data Security Standard.
- Assist the unit in meeting privacy controls, including legislated or contractual controls.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, computers, servers, workstations, IoT devices, applications, databases, operating systems, and firmware.
Responsibilities include, but are not limited to:
- Inventory, document, monitor and manage IT Assets for which they are responsible, based on susceptibility to risk or exploit as defined by the IT Security Configuration Management Standard. Ensure that data is properly protected, and IT Assets are properly hardened, monitored, and managed from initial installation, through configuration, maintenance, and support, to end-of-life decommissioning according to Configuration Management controls. Select and tailor appropriate security control baselines for all IT Assets, based on the criticality and sensitivity of the information to be processed, stored, or transmitted by the system.
- Implement an effective vulnerability management program to protect IT Assets for which they are responsible, including patch management, current anti-virus protection and other requirements defined by the IT Vulnerability Management Standard. Scan FSU systems and applications for vulnerabilities at least monthly. Systems, databases, or applications that maintain, process, transmit, or store High Risk or Moderate Risk data, as defined by the Data Security Standard, may have additional requirements.
- Contingency planning for IT Assets that support critical CUU business functions, as defined by the IT Disaster Recovery Standard.
Application Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for an application system, including appropriate security safeguards.
Responsibilities include, but are not limited to:
- Identify the appropriate Data Classification requirements associated with applications, as defined by the Data Security Standard to ensure that data users are assigned the appropriate level of access to applications.
- Ensure the security of data, applications and APIs that access or accept transferred High Risk or Moderate Risk data, as defined by the IT Application Secure Coding Standard and the IT Enterprise Application Integration Standard. Authorize integration with enterprise applications and data.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on classification level identified by the Data Security Standard.
Responsibilities include, but are not limited to:
- Establish and maintain an accurate, detailed, and up-to-date Data Inventory of all datasets and data for which the Data Custodian is responsible, as defined by the Data Security Standard.
- Classify data according to risk levels.
- Establish and maintain data management processes that address security and privacy requirements based on data classification, as defined in the Data Security Standard and FSU security policies and supporting standards.
- Provide unit-specific legislated or contracted privacy training on the proper handling of High Risk or Moderate Risk data. This includes training for workers whose duties involve contact with High Risk and Moderate Risk information or the resources that house that information, as defined by the Security and Privacy Training Standard. As verification of participation, maintain rosters of participants who have completed required training.
- Authorize access to systems that create, process, maintain, transmit, or store institutional data based on users' assigned job duties and responsibilities, as defined by the Access, Authorization and Authentication Standard. Authorize the transfer of High Risk or Moderate Risk data requested by other university units, third-party vendors or to non-university owned portable storage, portable computing devices such as mobile memory devices, laptop computers, tablets, or smartphones. Review standard, privileged, and shared accounts regularly to ensure access revocation is taking place and the principle of least privilege is being followed.
- Determine security log requirements and compliance based on data classification. Ensure awareness and compliance with regulatory log collection and analysis requirements related to High Risk and Moderate Risk data, as defined by the IT Log Collection, Analysis and Retention Standard.
- Ensure the security of data, applications and APIs that access or accept transferred High Risk or Moderate Risk data, as defined by the IT Application Secure Coding Standard and the IT Enterprise Application Integration Standard. Authorize integration with enterprise applications and data.
Data Manager
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.
All Users
All users are accountable for all activities performed by their account.
Every person to whom this policy applies is responsible for:
- safeguarding FSU IT resources.
- understanding the Data Classification of information being stored, transmitted, processed, or otherwise handled to ensure that appropriate action is taken to protect the information in accordance with FSU Security and Privacy Policies and Standards.
- complying with all applicable federal, state, and local laws; and all contractual obligations.
- signing and complying with requirements of the Florida State Employee Memorandum of Understanding addressing access to High Risk or Moderate Risk information (employees).