
Data Security

Procedures & Standards

This page contains procedures and standards to be used by all machines connecting to the usf.edu domain, as well as by the personnel who use and administer them. The procedures are reviewed annually by the Office of Information Security. Material changes are also reviewed by University Audit and Compliance and the Office of General Counsel. Compliance with the standards posted in this section is required.


This document offers guidelines for the classification of electronic resources within USF according to their level of criticality and sensitivity.


This document outlines the steps taken during incidents involving data security at USF.


Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access (authorization) control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the clearance level of the user accessing those documents.


USF must take immediate action to mitigate any threats that have the potential to pose a serious risk to the campus network, campus computers or the Internet. This document outlines situations in which machines connected to the USF network would have access suspended.


All computers connected to the network must be appropriately protected. Computers used at USF which contain information considered sensitive require additional measures of protection. This document outlines the recommended steps local administrators must take during the initial setup and ongoing maintenance of such computers.


This document covers some general wireless network installation guidelines that must be followed to ensure USF's campus-wide wireless offerings are compatible, provide mobility between locations, and prevent unauthorized access. Note: Please read this document carefully. Any unauthorized wireless router found on our network will have its connection turned off immediately.


Sensitive data, such as proprietary information and student information, may reside on various types of media throughout the University. Due to technological advancements, simple deletion or formatting does not provide enough protection of sensitive data. Deleted files usually remain on the media for long periods of time, and many software tools are now available to recover such data. Once destroyed in the manner described, these files cannot be recovered. USF and/or the ISW are not responsible for unwanted effects the use of this software may cause. Do not use the methods described unless you are certain the data will no longer be needed.


USF will no longer use or permit the use of a Social Security Number (SSN) as an identifier for a person in any USF information system unless the use of the SSN is imperative for the performance of USF's duties and responsibilities as prescribed by law.


In order to improve the security posture of the servers that are part of the IT SVC Data Center and Winter Haven Data Center, IT's Office of Information Security, in conjunction with Communications Infrastructure and the Data Center Infrastructure group, has established a set of network procedures to be followed when setting up a server.


Vendor will complete this questionnaire.


This document defines a consistent approach to managing changes to the IT environment at USF and also outlines the procedure for request, approval, implementation, and review of direct SQL updates to OASIS (Banner), GEMS, and FAST (Peoplesoft) databases.


The document lists the primary affiliations a person may have at USF, which major services someone with each primary affiliation is eligible for, and what happens with each service once the person no longer has an eligible primary affiliation.


This document outlines how to differentiate standard purchases from those requiring special approval.


This document compiles information on system security, expectations and responsibilities by area for projects identified by the USF Export Control Office as requiring such documentation.


The purpose of this standard is to define and document the procedures to facilitate the implementation and management of physical and environmental controls in the Data Centers at USF, in compliance with the requirements put forth by NIST 800-53 and the NIST Cybersecurity Framework.


This document outlines awareness-raising methods for personnel to understand the importance of information security management and their contribution to USF, accept policies and plans, and understand the consequences of breaching the information security rules.


The collection, storage and analysis of logs is a critical information security and compliance control. Deficiencies in security logging and analysis may allow attackers to hide their location, malicious software, and malicious activities on compromised machines. Even with the knowledge that systems have been compromised, without protected and complete logging records, security professionals are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit log management, an attack may go unnoticed indefinitely and the damage done may be irreversible.