I. Purpose
This Standard supports and supplements FSU Technology Policies. It defines security and privacy requirements and best practices for implementing controls that will protect the confidentiality, integrity, and availability of FSU information. Institutional Information will be inventoried, classified, and managed based on the level of sensitivity, criticality, and potential for misuse of the information. This standard applies to all data accessed, collected, stored, processed, or transmitted by users. All users of FSU IT resources have an obligation to protect institutional data.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with FSU policies or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.
II. Definitions
Bring Your Own Device (BYOD) – refers to personally used devices for access to university IT resources.
High Risk Data – data that is collected, developed, maintained, or managed by or on behalf of FSU and is protected by law, contracts, university patents, or to mitigate institutional risks. Any information that could, if exposed, create civil or criminal penalties, reputational damage, or loss of protected intellectual property.
IT Assets – technology resources including, but not limited to, computers, networks, servers, applications, databases, software, and operating systems owned, managed, or sponsored by IT Asset Custodians.
Moderate Risk Data – information that is not explicitly protected by legal or contractual mandates but for which unauthorized access or modification could cause financial loss, damage FSU's reputation, violate an individual's privacy rights, or make legal action necessary.
Personally Owned Device – any non-FSU owned smartphone, tablet, laptop, notebook, or other IT device used to access technology resources.
III. Standard
Users accessing university technology resources with personal devices are responsible for protecting IT Assets from unauthorized access, loss, alteration, damage and other threats or attacks. Additionally, users are responsible for all activities conducted by their account and for any resulting damages or criminal/civil charges while connected.
FSU is not responsible or liable for the maintenance, backup, or loss of data on a personal device and does not accept responsibility for the security of personal devices, including loss, theft, or damage.
University units may implement additional limits on personal use of devices beyond the parameters of this standard. Any additional limits must be documented and communicated to users and the Information Security and Privacy Office (ISPO).
Individuals using a personal device to access FSU IT data and resources shall:
- Comply with all applicable federal, state, and local laws, and FSU policies and supplemental standards in their use of FSU’s IT resources.
- Ensure physical security of the device to prevent loss or theft of any device with stored FSU data. For any lost or stolen device containing FSUID credentials, the owner is required to promptly change the associated FSU credentials and report the incident to the University Unit ISM.
- Configure the device for inactivity (lock), session termination, and an active form of access protection such as a PIN/passcode, facial recognition, fingerprint, etc. Password construction must meet FSU minimum requirements, as defined in the 4-OP-H-25.07 Access, Authorization and Authentication Standard.
- Run a manufacturer-supported Operating System that is patched and updated regularly.
- Destroy, remove, or return any FSU data no longer required by the user for FSU business (i.e. separation from FSU, changing job duties, no longer the primary user of the device).
Individuals using a personal device to access FSU IT data and resources shall not:
- Access or download High Risk or Moderate Risk data.
- Download software licensed to FSU unless specifically permitted by the license.
- Use the personal device as the primary means to create, store, send or receive FSU data.
- Disrupt the use or function of the FSU network or other IT Assets.
- Use the personal device as an FSU server or networking device.
In accordance with Florida law, FSU blocks access to prohibited applications, websites, and technologies on university devices or personal devices while using FSU’s Wi-Fi, virtual private network, and any network FSU owns, operates, or maintains. Refer to the Acceptable Use of Technology Policy.
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.