UNIVERSITY OF CENTRAL FLORIDA

ADMINISTRATIVE DATA, INFORMATION, AND COMPUTER SECURITY GUIDELINES

April 5, 2001


TABLE OF CONTENTS

1  INTRODUCTION
2  KEY DEFINITIONS
3  PURPOSE
4  STATUTORY RESPONSIBILITY
5  SCOPE
6  RISK, SENSITIVITY, AND CRITICALITY
   6.1  Risk Analysis
   6.2  Electronic Information Resource Sensitivity
        6.2.1  Restricted data
        6.2.2  Unrestricted data
   6.3  Electronic Information Resource Criticality
        6.3.1  Essential Electronic Information Resource
        6.3.2  Required Electronic Information Resource
        6.3.3  Deferrable Electronic Information Resource
   6.4  Security Summary Chart
7  SECURITY RESPONSIBILITIES
   7.1  University Information Resources Manager (IRM)
   7.2  University Information Resources Security Manager
   7.3  University Data Administrator
   7.4  Information Resources Trustees
   7.5  Information Resources Stewards
   7.6  Information Resources Custodian
        7.6.1  Application Data Administrators
        7.6.2  Computer Services Security Administrator
        7.6.3  Manager, Computer Operations
        7.6.4  Associate Director, Administrative Systems
   7.7  Departmental Security Coordinators
   7.8  Authorized Users
   7.9  Information Resources Security Committee
   7.10 University Disaster Recovery Management Committee for Information Technology Resources
   7.11 University Data Administration Committee
   7.12 University Information Standards Committee
8  ACCESS AND ACCEPTABLE USE POLICY
9  LOGICAL SECURITY
   9.1  Access Controls
        9.1.1  Access levels
        9.1.2  Access authorization process
        9.1.3  Resolution of access disputes
        9.1.4  Passwords
        9.1.5  Allowing access
        9.1.6  Remote access
        9.1.7  Workarea controls
        9.1.8  Multi-user computer systems
   9.2  System Administration Access Controls
   9.3  System and Application Software Development and Change Control
        9.3.1  Authorization to change production systems
        9.3.2  Documentation and logs
        9.3.3  Testing
        9.3.4  Review prior to implementation
   9.4  Data Security and Integrity Controls
        9.4.1  Accuracy controls
        9.4.2  Separation controls
        9.4.3  Data backup and retention
        9.4.4  Data privacy
        9.4.5  Transferring and downloading data
   9.5  Communications Security Controls
        9.5.1  Firewalls and external connectivity
        9.5.2  Intrusion detection systems
        9.5.3  Encryption
   9.6  Network Security Controls
        9.6.1  Hardware and wiring
        9.6.2  Server backup
        9.6.3  File sharing
        9.6.4  Software installation
   9.7  Intrusive Computer Software Controls
10 PHYSICAL SECURITY
   10.1 Building Access
   10.2 Workarea Access
   10.3 Environmental Threats
   10.4 Fire Prevention
11 MANAGERIAL SECURITY MEASURES
   11.1 Personnel
        11.1.1  Authorized user requirements
        11.1.2  Positions in sensitive locations or of special trust and responsibility
        11.1.3  Security awareness and training
        11.1.4  Acknowledgment of rights and responsibilities
   11.2 Escalation Procedures
   11.3 Testing
12 DISASTER RECOVERY AND EMERGENCY PROCEDURES
   12.1 Disaster Recovery Plan
        12.1.1  Personnel
        12.1.2  Facilities
        12.1.3  Equipment
   12.2 Backup Procedures
13 AUDIT CONTROLS
14 LEGAL AND ETHICAL ISSUES
15 SYSTEMS ACQUISITION AND DISPOSITION
16 APPENDIX A: DEFINITIONS
17 APPENDIX B: USE OF INFORMATION TECHNOLOGY AND RESOURCE POLICY SUMMARY
18 APPENDIX C: INFORMATION RESOURCES TRUSTEE AND STEWARD DESIGNATION
19 APPENDIX D: APPLICATION DATA ADMINISTRATOR DESIGNATIONS
20 APPENDIX E: DEPARTMENTAL SECURITY COORDINATOR DESIGNATIONS
21 APPENDIX F: PERSONAL COMPUTING SECURITY CHECKLIST
22 APPENDIX G: DEPARTMENTAL SECURITY COORDINATOR CHECKLIST
23 APPENDIX H: SAMPLE CONFIDENTIALITY AND RESPONSIBILITY STATEMENTS
24 APPENDIX I: ACKNOWLEDGEMENTS