Policy Number: 12-028

System Protection Policy

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer


  1. Purpose
    Application of security controls to Information Systems is essential for preventing unauthorized use and maximizing system availability.

  2. Applicability
    This policy applies to all University of Florida Information Systems.

  3. Definitions

    Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the APPEARANCE electronic medical records system, a lab system and associated PC or the set of desktop computers used to conduct general duties in a department.

    University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of this information technology program.
  4. Policy Statement
    • All Information Systems must function on software that is currently supported by the developer, vendor, or manufacturer with fixes for defects, flaws and security problems.
    • All Information Systems must be maintained with updates and patches to address security vulnerabilities and operationally significant defects.
    • All Information Systems must deploy protections against malicious software.
    • All Information Systems must be configured to prevent unauthorized use and protect the storage, transmission and processing of University Data.
    • All Information Systems must be monitored for unauthorized use and action taken in accordance with the UF incident response policy.

Additional Resources


SYSTEM SECURITY STANDARD

General:

To specify controls necessary for securing Information Systems against unauthorized access and use.

Standard:

All Information Systems will:

  1. Run current versions of software that is supported with updates and patches as security vulnerabilities and flaws are discovered.
    1. Patches addressing security vulnerabilities should be installed as soon as operationally feasible, according to the following schedule:
      1. For vulnerabilities rated Critical, within 14 days after release by the vendor or developer
      2. Vulnerabilities listed in the CISA Known Exploited Vulnerabilities Catalog by the ‘Due Date’ listed in the catalog
      3. As otherwise directed by the UF Computer Technical Incident Response Team
      4. Patches for all other vulnerabilities must be applied within 30 days after release by the vendor or developer. Situations where security patches cannot be installed within 30 days shall be addressed in a security risk assessment.
    2. For situations in which non-vendor-supported operating systems are necessary, such as computers controlling equipment that the manufacturer has not provided updates for, refer to the Guidelines for Unsupported Operating Systems at the University of Florida.
  2. Verify a user’s authorization before allowing access.
  3. Display the following usage notification, or another as approved by General Counsel, prior to granting a user access:
    Welcome to the Gator Nation!!!
    You are accessing a University of Florida information system and agree to the terms and conditions of the UF Acceptable Use Policy.
    UF Shibboleth SSO displays this message, and thus applies to any web applications requiring UF Shibboleth SSO authentication.
  4. Not provide sufficiently detailed feedback about login failures to permit an attacker to deduce proper login credentials.
  5. Be protected against Denial of Service (DoS) attacks that render a system too busy to fulfill legitimate workloads.
  6. Employ mechanisms to protect against malicious software. Malicious software mechanisms must be updated frequently to address new threats.

Information Systems that Store, Process or Transmit Restricted Data will:

  1. Require re-authentication after a period of user inactivity. The period will vary depending on the risk of unauthorized physical access, but typically will not exceed 30 minutes.
  2. Protect the confidentiality and integrity of data transmission.
  3. Employ mechanisms to detect unauthorized changes to software and information.
  4. Employ encryption of data at rest or apply appropriate compensating controls.

References:

CISA Known Exploited Vulnerabilities Catalog

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Guidelines for Unsupported Operating Systems at the University of Florida

https://it.ufl.edu/media/itufledu/documents/policies/networking/guidance-doc-upsupported-os-at-uf.pdf


History

Revision Date    Description
Aug 1, 2022      Policy originally adopted