IT Security and Privacy Standards
The following Standards establish security and privacy requirements and best practices that support and supplement FSU Technology Policies. These requirements and best practices are necessary to protect the confidentiality, integrity, and availability of FSU’s Information Technology (IT) assets. They establish minimum controls to protect IT assets from unauthorized access, loss, alteration, damage and other threats or attacks that could cause harm to the university or to members of the university community.
- Data Security Standard
This standard defines security and privacy requirements for implementing controls that will protect the confidentiality, integrity, and availability of FSU information. Institutional Information will be inventoried, classified, and managed based on the level of sensitivity, criticality, and potential for misuse of the information. This standard applies to all data accessed, collected, stored, processed, or transmitted by users.
- Information Privacy Standard
This standard establishes a university-wide privacy program that respects and protects the privacy of its students, alumni, faculty and staff, and safeguards information resources from loss, misuse, and unauthorized access or modification. Data must be safeguarded to maintain privacy levels based on Data Classification.
- IT Security Configuration Management Standard
This standard establishes requirements for implementing and maintaining secure configurations for IT Assets in order to minimize operational malfunctions, intrusions by external threats, exploitation of vulnerabilities, unauthorized data disclosures and performance problems.
- IT Network Security Standard
The purpose of this standard is to monitor and protect the university’s IT networks and its associated systems, services, and applications from abuse, attacks, and inappropriate use.
- BYOD (Bring Your Own Device) Standard
This standard establishes requirements for the use of personally owned devices that connect to FSU technology resources and/or data, conduct FSU business, or interact with internal networks and business systems. Devices include, but are not limited to, smartphones, tablets, laptops, and notebooks.
- IT Security and Privacy Training Standard
This standard identifies baseline IT training requirements for all users, based on users’ roles, responsibilities and their access to FSU data and IT resources.
- IT Access, Authorization and Authentication Standard
This standard defines Identity Management and Access Controls that protect IT resources from unauthorized use. This standard applies to processes and procedures implemented to protect data and access to devices, systems, services, and applications, including accounts with privileged access, whether provisioned locally or at the enterprise-level.
- IT Physical Security Standard
This standard defines the requirements for protecting all campus facilities that maintain university information resources from physical and environmental threats in order to reduce the risk of loss, theft, damage, interruption, or unauthorized access to those resources.
- IT Vulnerability Management Standard
This standard establishes a framework for identifying, assessing, and remediating IT vulnerabilities on devices connected to FSU networks and the requirements for compliance. Vulnerabilities within networks, software applications, and operating systems, often as a result of server or software misconfigurations, improper file settings, or outdated software versions, are a significant threat to the network and other IT resources.
- IT Log Collection, Analysis, and Retention Standard
System and application log data is a critical component in detecting, analyzing, preventing, and responding to potential information security incidents, including unauthorized data disclosures and other activities affecting FSU systems. Log data must be generated, stored, and analyzed to ensure the security and privacy of information.
- IT Incident Response Standard
Security incidents can occur when an FSU student, staff, contractor, or faculty member violates FSU security and privacy policies and standards, specific legal requirements, or contractual obligations. Malicious outside entities may also attempt to compromise systems. A prompt, effective response to a security breach may help minimize loss of information and disruption of services caused by incidents. This standard defines the requirements for detecting, analyzing, prioritizing, and handling Information Security Incidents.
- IT Disaster Recovery Planning Standard
This standard defines the requirements for IT Disaster Recovery planning to facilitate the timely recovery and restoration of FSU’s IT systems that support access to critical business functions and data.
- Third-Party Vendor Management Standard
This standard defines the requirements necessary to ensure that contracts and agreements with third parties involving IT resources, cloud services, or other outsourced services guarantee compliance with FSU security policies and standards.
- Encryption Standard
This standard defines requirements for the use of encryption technologies to protect FSU data and resources. Encryption is the process of encoding messages or information in order to protect data or communication and can be applied to data that is stored (at rest) or transmitted (in transit) over networks.
- IT Data Disposal and Media Sanitization Standard
This standard defines the requirements for proper disposal of electronic data and media. If not properly purged from storage media, data could be reconstructed or retrieved. Storage media must be appropriately sanitized to prevent unauthorized access to, or disclosure of, institutional information.
- IT Application Secure Coding Standard
This standard ensures that IT applications developed or administered by FSU reflect secure coding practices that reduce the likelihood of unauthorized disclosure or theft of sensitive institutional information and ensure the ongoing availability of critical university resources.
- IT Enterprise Integration Security Standard
This standard provides requirements for integration with IT enterprise systems that will minimize the vulnerability of enterprise systems to external attacks, unauthorized disclosure of sensitive information and unauthorized access to administrative interfaces or system configurations.
- Risk Management Standard
This standard establishes requirements for risk management through security assessment and planning. Risk assessments and associated risk mitigation are required by regulations with which the university must comply, including, but not limited to, Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS).
- IT Roles and Responsibilities
This standard defines key roles and responsibilities related to IT Security and Privacy Policies and Standards.
- Request for Exception to IT Security Policy
- IT Glossary