4-OP-H-25.06 IT Security and Privacy Training Standard

I. Purpose

This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It identifies baseline security and privacy training requirements for all users, based on users’ roles, responsibilities and their access to FSU data and IT resources.

Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with FSU policies or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.

II. Definitions

Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.

FERPA – the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. Florida Statute 1002.22 requires FSU to protect the disclosure and access to student education records in accordance with FERPA.

FIPA – the Florida Information Protection Act (FIPA) protects the security of confidential personal information.

GDPR – the General Data Protection Regulation (GDPR) is the regulation in European Union (EU) law on data protection and privacy in the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA.

HIPAA – the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that provides data privacy and security provisions for safeguarding patient medical information.

Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.

PCI DSS – the Payment Card Industry Data Security Standard defines compliance requirements for any company that accepts, stores, processes, or transmits credit card information that protect the privacy and security of consumers.

Full IT Glossary

III. Standard

FSU has adopted the NIST Cybersecurity Framework (CSF) 2.0 as the foundation for a risk-based approach to cybersecurity management. CSF uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and best practices to establish baseline expectations for cybersecurity for all University Units.

University Units are responsible for using this framework to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.

Functions supporting this Standard include, but are not limited to:

NIST Cybersecurity Framework 2.0

Function: Protect (PR)
Category: Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness and training so that they can perform their cybersecurity-related tasks.

Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.

Roles and Responsibilities

Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the university. The CISO reports to the FSU Chief Information Officer and the Provost and also serves as the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for establishing and enforcing the application of appropriate operational security controls necessary to protect the network.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
Consolidated University Unit (CUU) Privacy Coordinator
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s privacy program. The CUU Privacy Coordinator is the central point of contact between the University Units and ISPO for privacy issues.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
University Unit Privacy Coordinator
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a University Unit’s compliance with privacy IT policies, standards, and guidelines, in coordination with their designated CUU’s information privacy program.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on the 4-OP-H-25.01 Data Security Standard.
Data Manager
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.

For more information, see IT Roles and Responsibilities.
 

Cybersecurity Awareness and Training

Security and privacy training is required for all faculty, staff and students as defined by this Standard. Access to the FSU network is contingent upon compliance with Policies and Standards. The Chief Information Security Officer (CISO) is authorized to restrict network access for non-compliance.

The CISO is responsible for supporting university-wide security and privacy awareness through training, informative websites, literature, technology forums and awareness campaigns, and other methods. Training includes Basic Cybersecurity training and other topics such as Phishing, Disaster Recovery and Business Continuity, Risk Management, Vulnerability Management, Incident Management, and other specific topics in collaboration with units. All users are required to complete Basic Cybersecurity training annually. Content will include a basic understanding of the need for information security and user actions to maintain security and respond to suspected security incidents. The CISO may also require completion of additional cyber training to remediate non-compliance, lack of awareness of critical cyber concepts (phishing, etc.), or other deficiencies that create increased risk to IT resources.

In coordination with the CUU/University Unit Privacy Coordinator, the CUU/University Unit ISM will ensure their units comply with requirements for training as defined by this standard. ISMs and Privacy Coordinators are responsible for ensuring all unit staff with access to IT resources receive required information security and privacy training from designated providers. This includes staff augmentation resources provided by third-party contractors or other staff with courtesy appointments. Technology workers must complete security and privacy training to ensure competency in their positions, including training on the requirements of IT policies and standards. Technology workers granted administrative rights for IT resources must be properly trained and authorized based on job duties and responsibilities.

As verification of participation, University Unit ISMs and Privacy Coordinators must maintain rosters of participants who have completed required training. Rosters shall be made available upon request.

For more information, see

  • https://its.fsu.edu/cybersecurity/protect-yourself
  • Security Training & Outreach | Information Technology Services (fsu.edu)

Additional Training Requirements For Access To High Risk Or Moderate Risk Data

Access to information classified as High Risk or Moderate Risk data as defined by the 4-OP-H-25.01 Data Security Standard requires additional training. Prior to being granted access to High Risk or Moderate Risk data, users, security personnel and administrators are required to complete additional role-based security training based on the information systems for which they are granted access. Training is based on elevated access and skill levels required to perform information duties and tasks in a manner that complies with university security and privacy requirements.

University Unit Privacy Coordinators are responsible for ensuring compliance for training requirements related to access to High Risk or Moderate Risk data for their unit. Data Custodians are responsible for identifying and ensuring unit-specific legislated or contracted privacy training on the proper handling of High Risk or Moderate Risk data for which they are responsible. This includes training for workers whose duties involve contact with High Risk and Moderate Risk information or the resources that house that information. Targeted role-based security and privacy training must be provided based on the type of information access granted, including special requirements related to GDPR, FERPA, HIPAA, PCI DSS, etc. ISPO may be able to facilitate some targeted training as requested by units.

As verification of participation, University Unit Privacy Coordinators and Data Custodians must maintain rosters of participants who have completed required training. For courses provided by ISPO, a list of participants will be provided to units. Rosters shall be made available upon request.
 

IT Security and Privacy Training Requirements Overview

Each entry below lists: Role/Target Audience; Required Training; Frequency; Responsibility for Training (Compliance and Provider).

Role/Target Audience: New Students - Orientation
Required Training: FSU Basic Cybersecurity Awareness Training
Frequency: Mandatory, one-time during Orientation
Responsibility: Compliance: Dean of Students; Provider: ISPO

Role/Target Audience: New Users (Staff, Faculty, OPS, Courtesy) - Onboarding
Required Training: FSU Basic Cybersecurity Awareness Training
Frequency: Mandatory, one-time within 30 days of hire
Responsibility: Compliance: CUU and Unit ISMs; Provider: ISPO

Role/Target Audience: Existing Users
Required Training: FSU Basic Cybersecurity Awareness Training
Frequency: Mandatory, annually
Responsibility: Compliance: CUU and Unit ISMs; Provider: ISPO

Role/Target Audience: Existing Users
Required Training: Additional Cybersecurity Awareness Training as needed to address deficiencies (phishing, etc.)
Frequency: Mandatory, as required by the CISO to maintain network access
Responsibility: Compliance: CUU and Unit ISMs; Provider: ISPO

Role/Target Audience: FSU employees with access to High Risk and Moderate Risk data
Required Training: Data Security and Privacy Training (ISPO); Unit-specific privacy training (CUU)
Frequency: Mandatory, 1-time prior to access being granted; Periodic as appropriate
Responsibility: Compliance: CUU and Unit Privacy Coordinators, Data Custodian; Provider: ISPO, CUU DDDH

Role/Target Audience: Users with access to protected health information (Health Insurance Portability and Accountability Act, HIPAA)
Required Training: HIPAA (unit specific)
Frequency: Mandatory, annually
Responsibility: Compliance and Provider: Identified HIPAA Covered Components

Role/Target Audience: Users with access to protected educational information (Family Educational Rights and Privacy Act of 1974, FERPA)
Required Training: FERPA (unit specific)
Frequency: Mandatory, annually
Responsibility: Compliance: CUU and Unit Privacy Coordinators, Data Custodian; Provider: Registrar

Role/Target Audience: Users with access to protected Payment Card Information (PCI)
Required Training: PCI Credit Card Users Processing - Register: FSU PCI Training; Service Provider Training for ITS Employees
Frequency: Mandatory, annually
Responsibility: Compliance: CUU and Unit Privacy Coordinators, Data Custodian; Provider: Student Business Services (SBS); ITS: ISPO

Role/Target Audience: Application developers or faculty, staff, or student developers with access to information classified as High Risk and Moderate Risk
Required Training: Secure Coding and Application Development
Frequency: Mandatory, 1-time prior to access being granted; Periodic as appropriate
Responsibility: Compliance: CUU and Unit Privacy Coordinators, Data Custodian; Provider: ISPO or CUU

Role/Target Audience: Consolidated University Units (CUUs)
Required Training: Disaster Recovery and Business Continuity Training
Frequency: Mandatory, every 3 years
Responsibility: Compliance: CUU DDDH; Provider: ISPO

For more information, see FSU’s Training and Outreach Program.

Incident Reporting

Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.

IV. References

  • NIST Cybersecurity Framework (CSF) 2.0
  • NIST 800-53 Controls
  • NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook
  • https://its.fsu.edu/cybersecurity/protect-yourself
  • Technology | Policies and Procedures
  • Training and Outreach Program
  • FSU Basic Cybersecurity Awareness Training Slides
  • Family Educational Rights and Privacy Act (FERPA)
  • Florida Information Protection Act (FIPA)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS)

© Florida State University
Tallahassee, FL 32306