July 10, 2008
MEMORANDUM:
TO: Deans, Directors, and Department Chairs
FROM: Kyle Cavanaugh, Senior Vice President for Administration;
Marc Hoit, Interim CIO
SUBJECT: Updates of IT data security and risk assessment standards
The purpose of this memorandum is to provide the campus
community with information related to updated Information
Technology (IT) standards and guidelines for data security
and risk assessment (http://www.it.ufl.edu/policies/security/).
The new standards and guidelines have been developed in
collaboration with the Information Technology Advisory
Committees (ITAC), Privacy Office and the General Counsel
and are in compliance with both recent audit recommendations
and privacy-related laws. All University of Florida units
should adopt plans for immediate compliance with these
regulations.
Data security standards identify faculty and staff roles and
responsibilities for protecting private data. Use limitation
standards describe private data classifications, location
restrictions, storage and transmission requirements,
encryption requirements, and training requirements.
Guidelines are offered to help users and IT workers understand
appropriate private data protections for e-mail, instant
messaging, Web, laptops, PDAs, CD-ROMs, thumb drives, and
other portable devices and media. Various data security
training opportunities are offered by Human Resources, the
Privacy Office and the Office of IT Security Management.
The IT risk assessment standard was updated to require that
at least once every five years all campus units conduct a
comprehensive IT risk assessment and transmit a mitigation
strategy report to the UF Information Security Manager.
Guidelines and Web tools are provided to assist units with
their assessments. While IT workers will likely manage the
assessments, it is vital that unit administration support and
participate in the assessment process along with IT workers
and other unit staff. Risk management training for IT workers
has already begun. Units should submit their first mitigation
strategy to the UF ISM, Kathy Bergsma (mailto:[log in to unmask],
392-2061) by November 30, 2008.
While the standards addressed in this memo relate only to the
use of private data on computing resources, it is expected
that paper and other media containing private data will also
be protected (http://privacy.ufl.edu/). UF also expects
similar measures will be implemented for other sensitive data
that must also be protected.
Enforcement of these and all UF IT security regulations is
described in the UF IT Security Charter at
http://www.it.ufl.edu/policies/security/uf-it-sec-charter.html#enforcement.
To review changes planned for other IT security regulations,
see http://www.it.ufl.edu/policies/security/drafts.html.
The University of Florida takes very seriously the protection
of private data used throughout campus. The UF Interim Chief
Information Officer and the UF Chief Privacy Officer will
continue to update the UF community on information technology
standards relating to use of UF private data on computing and
networking resources.
============================================================
NOTE: This and other DDD Memos are maintained on the WWW at:
http://www.admin.ufl.edu/DDD/
(ALL ATTACHMENTS TO ORIGINAL MEMOS ARE POSTED HERE)
============================================================