Information Security Policy

Applies to: Florida Tech Campus
Original Policy Date: August 2024
Date of Last Review: August 2024
Approved by: Dr. John Nicklow, President

Policy Owner: Information Security Officer (ISO)

Policy Purpose

The purpose of this policy is to establish the responsibilities and expectations for safeguarding the data and Information Technology (IT) assets of the Florida Institute of Technology (Florida Tech). This policy aims to ensure compliance with state and federal laws, enhance operational efficiency, and mitigate risks associated with information security.

Policy Scope

This policy applies to all individuals accessing university data or IT assets, including but not limited to students, faculty, staff, contractors, clients, consultants, invited guests, and others working at or for the university. It covers all university sites and modalities and extends to personal devices that access university data or IT assets.

Policy Statement

Florida Tech is dedicated to maintaining a secure computing environment. The University’s Information Security Officer (ISO) is authorized to administer the university-wide Information Security Program, which includes developing and disseminating security protocols, and coordinating all security incident responses. All users and managers of university data and IT assets are required to adhere to the Information Security Program.

Interference with or circumvention of security measures is strictly prohibited and may lead to investigation and disciplinary action.

Procedures/Guidelines

  1. Information Security Program Development and Maintenance:
    • The ISO will develop and maintain the Information Security Program, focusing on significant threats to university data and IT assets, while considering the impact on university operations.
  2. Security Incident Response:
    • The ISO will develop, implement, and maintain the Security Incident Response Procedure, excluding internal details due to the sensitive nature of incident response practices.
  3. Protective Actions:
    • The ISO is authorized to take necessary actions to protect users, data, and IT assets, including interrupting access until a threat or vulnerability is resolved.
  4. User Responsibilities:
    • Users must protect university data and IT assets according to ISO instructions, published in the Florida Tech Information Security Program.
    • Users must cease using an IT asset if they suspect a compromise and report the incident to the ISO or the university’s IT Service Desk.

Definitions

  • University Information Technology (IT) Asset: Any technology, software, or device that stores, transmits, or processes university data. This includes personal devices accessing university data or IT assets.
  • User: Any person accessing university data or IT assets, including students, faculty, staff, contractors, clients, consultants, invited guests, and others working at or for the university.

Compliance Reference

This policy is essential for ensuring compliance with a range of legal, regulatory, and accreditation requirements. These include, but are not limited to:

  • Family Educational Rights and Privacy Act (FERPA): Ensuring the protection of students' educational records and personally identifiable information.
  • Health Insurance Portability and Accountability Act (HIPAA): Protecting the confidentiality and security of health-related information.
  • Gramm-Leach-Bliley Act (GLBA): Mandating the protection of personal financial information.
  • Payment Card Industry Data Security Standard (PCI DSS): Ensuring the secure handling of cardholder information to reduce credit card fraud.

Responsibilities

  • ISO: Responsible for developing, maintaining, and enforcing the Information Security Program and Security Incident Response Procedure.
  • Users: Responsible for adhering to the Information Security Program and reporting any suspected compromises.

Enforcement

Violations of this policy may result in investigation and disciplinary action, including but not limited to restriction or revocation of access to university IT assets and other penalties as determined by university policy.
