
I. Scope of this Policy

This document establishes high-level policies intended to ensure the integrity, availability, and confidentiality of the Local Area Networks within the College of Engineering; IT devices controlled by the college; and information stored or manipulated by those networks and devices.

Procedures intended to implement these policies are described in the College of Engineering Information Technology Security Plan [to be written].

All units within the College of Engineering must comply with the requirements of this policy, as well as other documents that may be published by the college to facilitate implementation of this policy.

II. Background Information

The College of Engineering IT infrastructure includes the local area networks of twelve academic departments and their subsidiary units; a number of research centers; the college administration; several service units; and off-campus units with specific missions. IT operational support for the college administration and affiliated service units is provided by the college's Management Information Systems group. Departments and other units not in the college administration arrange for their own operational support.

Under this policy, the college provides an IT Security Manager (ISM) who coordinates security activities within the college with the University of Florida's IT Security Manager. The college ISM also provides IT security support for individual units within the college. Departments and other department-level units within the college each provide an IT Security Manager to coordinate activities with the College ISM.

III. Responsible Personnel

  1. Implementation

    Implementation of this policy is the responsibility of all IT staff in the college, as defined by the University of Florida Information Technology Security Policy.

  2. College ISM

    The Dean of the College of Engineering will appoint an IT Security Manager to fulfill, for all units within the college, the functions defined for the position by the University of Florida Information Technology Security Policy. All units within the college will be represented by the college ISM.

  3. College IT Security Officer

    The Dean of the College of Engineering will appoint an IT Security Officer who will oversee the work of the college ISM. The IT Security Officer will be responsible for establishing official goals and policy to be implemented by the ISM.

  4. Unit ISM

    Each Unit in the College of Engineering must appoint a Unit IT Security Manager (ISM), who is responsible for coordinating with the college ISM and supervising implementation of IT security policy and plans.

    The College recommends that, whenever feasible, each unit appoint both a unit ISM and an IT Security Officer (or committee) to provide oversight and guidance to the unit ISM. This practice reduces the likelihood of serious omission in security planning and implementation. It also helps mitigate the conflict of interest that develops in the typical situation in which the unit ISM is the unit's Network Administrator, and is thus responsible both for maximizing user access to the network and for implementing security measures which may inconvenience users.

IV. Unit Policies and Plans

Each administrative unit within the college must develop an IT security policy, supporting plans, and any other documents required to ensure implementation of its policy. Each unit policy must address any security issues specific to the unit not adequately addressed by the UF IT Security Policy, the college policy, and associated plans, procedures, and guidelines.

The college will publish guidelines and requirements for development of unit policies and plans.

Each unit may elect to develop multiple policies that apply to different subunits within the unit, rather than a single policy for the entire unit. No unit may establish policy that is independent of policy published by a parent unit.

V. Scope of Authority

The scope of authority for any unit's IT security policy or plan is the network address space assigned to the unit; any equipment owned by the unit; and any information directly controlled by the unit. Ultimate authority for the security of address space belongs with the unit to which that address space is assigned (provided that the unit complies with college and university requirements); units using the address space of another unit must comply with the security policies of the hosting unit unless the hosting unit explicitly agrees to transfer security authority for the address space.

No computer or other device may be connected to a college network unless it is under the authority of a published unit policy.

VI. Critical Resources, Sensitive Resources

  1. Mission-critical Resources

    Any resource whose unavailability for an extended time would significantly impair the operation of a unit should be given special consideration in the unit's IT security planning. Each such resource should be considered for official declaration as a "Critical IT Resource" as defined by the University of Florida's IT Security Policy.

  2. E-Commerce Security

    Any server engaged in accepting monetary payment via the Internet must document and implement security procedures that address the specific security requirements of any associated credit card vendor or other financial services vendor, as well as any additional security measures appropriate to the function of the server and the data it handles.

  3. Server Security

    College and unit planning must specifically address management and security of any servers operated on the College of Engineering networks, including (but not limited to) mail, WWW, FTP, SSH, telnet, and file servers. This requirement applies to servers operated by individuals as well as to servers operated by a unit or groups within the unit, and includes peer-to-peer networking services such as Gnutella or KaZaA.

VII. Effective Date, Revision Schedule

All units within the college must comply with this policy by January 1, 2003.

The college IT Security Officer will be responsible for conducting an annual review of this policy and making recommendations for updates and improvements.

VIII. Glossary

CoE: College of Engineering.

E-Commerce: Electronic Commerce, defined for the purposes of this document as any activity which accepts monetary payment via the Internet.

Network Address Space: Range of network addresses assigned to an entity, or (depending on context), the set of all possible network addresses. Network address space can be defined by IP number ranges, Netware addresses, or other network address system, as appropriate to the technology in use.

ISM: IT Security Manager, the individual assigned to monitor and coordinate IT security practices within a unit.

IT: Information Technology.

LAN: Local Area Network.

Server: Any computer or other device that provides one or more services to other systems that connect to it via the college network. "Services" can include SMTP, FTP, SSH, telnet, Windows file sharing, peer-to-peer sharing such as Gnutella or KaZaA, and any other service in which connections are initiated by other systems. The general distinction between servers and clients is that connections are initiated by clients, and accepted by servers, and is not dependent on the direction of information flow. It is possible for a system to be both a server and a client.

Unit: An administrative unit of the University. May be a Department, Center, or other distinct unit.

Last updated: 2002-07-29 11:44 Bob Johnson

Last Modified: Sunday, 10-Aug-2008 03:24:44 EDT