I. Purpose
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It identifies baseline security and privacy training requirements for all users, based on users’ roles, responsibilities and their access to FSU data and IT resources.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with FSU policies or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.
II. Definitions
Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
FERPA – the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. Florida Statute 1002.22 requires FSU to protect the disclosure and access to student education records in accordance with FERPA.
FIPA – the Florida Information Protection Act (FIPA) protects the security of confidential personal information.
GDPR – the General Data Protection Regulation (GDPR) is the regulation in European Union (EU) law on data protection and privacy in the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA.
HIPAA – the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that provides data privacy and security provisions for safeguarding patient medical information.
Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
PCI DSS – the Payment Card Industry Data Security Standard defines compliance requirements, intended to protect the privacy and security of consumers, for any company that accepts, stores, processes, or transmits credit card information.
Full IT Glossary
III. Standard
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Controls supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework and Controls
Function | Category | Desired Outcome (Subcategory)
Protect (PR) | Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. | PR.AT-1: All users are informed and trained
 | | PR.AT-2: Privileged users understand their roles and responsibilities
 | | PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
 | | PR.AT-4: Senior executives understand their roles and responsibilities
 | | PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
Consolidated University Unit (CUU) Privacy Coordinator
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s privacy program. The CUU Privacy Coordinator is the central point of contact between the University Units and ISPO for privacy issues.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
University Unit Privacy Coordinator
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a University Unit’s compliance with privacy IT policies, standards, and guidelines, in coordination with their designated CUU’s information privacy program.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on the 4-OP-H-25.01 Data Security Standard.
Data Manager
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.
For more information, see IT Roles and Responsibilities.
Cybersecurity Awareness and Training
Security and privacy training is required for all faculty, staff and students as defined by this Standard. All users are required to complete Basic Cybersecurity training. Content will include a basic understanding of the need for information security and user actions to maintain security and respond to suspected security incidents.
The CISO is responsible for supporting university-wide security and privacy awareness through training, informative websites, literature, technology forums and awareness campaigns, and other methods. Training includes Basic Cybersecurity training and other topics such as Phishing, Disaster Recovery and Business Continuity, Risk Management, Vulnerability Management, Incident Management, and other specific topics in collaboration with units.
In coordination with the CUU/University Unit Privacy Coordinator, the CUU/University Unit ISM will ensure their units comply with requirements for training as defined by this standard. ISMs and Privacy Coordinators are responsible for ensuring all unit staff with access to IT resources receive required information security and privacy training from designated providers. This includes staff augmentation resources provided by third-party contractors or other staff with courtesy appointments. Technology workers must complete security and privacy training to ensure competency in their positions, including training on the requirements of IT policies and standards. Technology workers granted administrative rights for IT resources must be properly trained and authorized based on job duties and responsibilities.
As verification of participation, University Unit ISMs and Privacy Coordinators must maintain rosters of participants who have completed required training. Rosters shall be made available upon request.
For more information, see
- https://its.fsu.edu/cybersecurity/protect-yourself
- Security Training & Outreach | Information Technology Services (fsu.edu)
Additional Training Requirements For Access To High Risk Or Moderate Risk Data
Access to information classified as High Risk or Moderate Risk data as defined by the 4-OP-H-25.01 Data Security Standard requires additional training. Prior to being granted access to High Risk or Moderate Risk data, users, security personnel and administrators are required to complete additional role-based security training based on the information systems for which they are granted access. Training is based on elevated access and skill levels required to perform information duties and tasks in a manner that complies with university security and privacy requirements.
University Unit Privacy Coordinators are responsible for ensuring compliance with training requirements related to access to High Risk or Moderate Risk data for their unit. Data Custodians are responsible for identifying and ensuring unit-specific legislated or contracted privacy training on the proper handling of the High Risk or Moderate Risk data for which they are responsible. This includes training for workers whose duties involve contact with High Risk and Moderate Risk information or the resources that house that information. Targeted role-based security and privacy training must be provided based on the type of information access granted, including special requirements related to GDPR, FERPA, HIPAA, PCI DSS, etc. ISPO may be able to facilitate some targeted training as requested by units.
As verification of participation, University Unit Privacy Coordinators and Data Custodians must maintain rosters of participants who have completed required training. For courses provided by ISPO, a list of participants will be provided to units. Rosters shall be made available upon request.
IT Security and Privacy Training Requirements Overview
Role/Target Audience | Required Training | Frequency | Responsibility for Training
New Students - Orientation | FSU Basic Cybersecurity Awareness Training | Mandatory, one-time during Orientation | Compliance: Dean of Students; Provider: ISPO
New Users (Staff, Faculty, OPS, Courtesy) - Onboarding | FSU Basic Cybersecurity Awareness Training | Mandatory, one-time within 30 days of hire | Compliance: CUU and Unit ISMs; Provider: ISPO
Existing Users | FSU Basic Cybersecurity Awareness Training | Mandatory, annually | Compliance: CUU and Unit ISMs; Provider: ISPO
FSU employees with access to High Risk and Moderate Risk data | Data Security and Privacy Training (ISPO); Unit-specific privacy training (CUU) | Mandatory, one-time prior to access being granted; periodic as appropriate | Compliance: CUU and Unit Privacy Coordinators, Data Custodian; Provider: ISPO, CUU DDDH
Users with access to protected health information (Health Insurance Portability and Accountability Act, HIPAA) | HIPAA (unit specific) | Mandatory, annually | Compliance and Provider: Identified HIPAA Covered Components
Users with access to protected educational information (Family Educational Rights and Privacy Act of 1974, FERPA) | FERPA (unit specific) | Mandatory, annually | Compliance: CUU and Unit Privacy Coordinators, Data Custodian; Provider: Registrar
Users with access to protected Payment Card Information (PCI) | PCI Credit Card Users Processing (Register: FSU PCI Training); Service Provider Training for ITS Employees | Mandatory, annually | Compliance: CUU and Unit Privacy Coordinators, Data Custodian; Provider: Student Business Services (SBS); ITS: ISPO
Application developers or faculty, staff, or student developers with access to information classified as High Risk and Moderate Risk | Secure Coding and Application Development | Mandatory, one-time prior to access being granted; periodic as appropriate | Compliance: CUU and Unit Privacy Coordinators, Data Custodian; Provider: ISPO or CUU
Consolidated University Units (CUUs) | Disaster Recovery and Business Continuity Training | Mandatory, every 3 years | Compliance: CUU DDDH; Provider: ISPO
For more information, see FSU’s Training and Outreach Program.
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.