I. General Information
Electronic information resources and information technology resources, including data, applications, systems, hardware, networks, and software, are vital assets of the University of Central Florida (UCF). Any person or organization that uses or provides electronic information resources has a responsibility to maintain and safeguard these assets. Because computing systems and networks are shared facilities, their misuse can affect others. Each individual student, staff, and faculty member in the UCF community is expected to use these shared assets with consideration for others. Individuals are also expected to be informed and responsible for protecting their own electronic information resources in any environment, shared or stand-alone. It is unacceptable for anyone to use electronic information resources to violate any law or University policy or perform unethical academic or business acts. See UCF Administrative Procedure no. 2018, Use of Information Technology Resources (http://ucf.edu/rule.html).

Information resources and computer assets are at risk from potential threats such as employee error or other accidents, system failures, natural disasters, and criminal or malicious acts. Such events could result in damage to or loss of electronic information resources, loss of data accuracy or integrity, or interruption of normal data processing.

This Administrative Data, Information and Computer Security Policy assigns the responsibility for reduction of risks to electronic information resources through adoption of preventive measures and controls designed to detect any errors or irregularities that may occur. The University's goals for risk reduction are based on the principle that the level and type of security should reflect an assessment of the criticality of an Electronic Information Resource to the operation of the University, the sensitivity of the data residing in or accessible through the Electronic Information Resource, the cost of preventive measures and controls designed to detect errors or irregularities, and the level of risk that University management is willing to accept. Further information concerning the security procedures and practices may be found in the Administrative Data, Information, and Computer Security Guidelines document (http://ucf.edu/ADICSG.html).

II: Statutory Responsibility
Section 282.318, Florida Statutes, the "Security of Data and Information Technology Resources Act," requires an adequate level of security for all governmental data and information technology resources within the State University System (SUS). The Executive Office of the Governor pursuant to Section 120.52(15)(c) 4., F.S. has promulgated an Information Resource Security policy (1998-01) that provides basic guidance for this Policy.

Chancellor's memorandum: CM-E-11.00 - 01/01 addresses the security of data and information technologies in the State University System and establishes the policy for assuring an adequate level of security for data and information technology resources within the SUS. The Board of Regents Information Resource Management Office (BOR/IRM) has published the Security of Information document that supports this policy.
In compliance with requirements of the above directives and guidelines, this policy contains the internal policies and procedures that are necessary to assure the security of administrative data and information technology resources at UCF.

III. SECURITY RESPONSIBILITIES
UCF retains the exclusive right and use of all information technology resource assets, including data. In this context, UCF is considered the legal owner of all University data. Sound business practices hold the owner of computer assets responsible for their control. The President of UCF delegates Data Trustee responsibility to specific university administrative officers as described in this section. The overall relationship among the responsible individuals is illustrated in Figure 1.

Figure 1. UCF security responsibility relationships

University Information Resources Manager (IRM)
The Vice Provost for Information Technologies and Resources is designated as the University's Information Resources Manager (IRM) and Chief Information Officer (CIO), with overall responsibility for institutional information technology resources.

University Information Resources Security Manager
The University Information Resources Security Manager (IRSM) is appointed by the University Information Resources Manager to administer the University data and information security program. The IRSM shall

· Develop, update, and maintain written internal policies and procedures to assure the security of the data and information technology resources,
· Update a comprehensive risk analysis to determine the security threats to the data and information technology resources,
· Prepare the University Information Resource (IR) risk analysis (with the IR Stewards),
· Ensure that all information resources and functions identified as critical to the continuity of operations have a written and cost-effective contingency plan that will provide for the prompt and effective continuation of critical missions in the event of a disaster, and
· Manage the information resources security awareness and training programs for the University.

University Data Administrator
The University Data Administrator (UDA) is an officer within the University given the specific responsibility for collection and dissemination of official University data. The Director of Institutional Research is the University Data Administrator for UCF. The UDA in conjunction with the Information Resources Trustees and the Information Resources Stewards shall

· Coordinate the creation and definition of new data elements
· Evaluate and grant approval for access to all University systems
· Coordinate resolution of access or data element disputes, and
· Maintain the data dictionary for the University
· Authorize access to core administrative systems
· Chair the University Data Administration Committee
· Co-chair the University Information Standards Committee

Information Resources Trustees
Information Resources Trustees are administrative officers within the University who are given specific responsibility for managing information resources used in conducting University business. Each Trustee, subject to appropriate management review, shall

· determine the level of security required for access controls, based on the sensitivity of the Electronic Information Resource,
· determine the level of criticality of an Electronic Information Resource, subject to appropriate management review,
· determine the appropriate method for providing business continuity for Electronic Information Resources deemed Essential (e.g., performing Disaster Recovery at an alternate site, performing equivalent manual procedures), and
· specify adequate data retention procedures for Electronic Information Resources.

The President of UCF has delegated the following officers as Information Resources Trustees and delegated responsibility to them for implementing appropriate security measures for designated for each Data Subset designated in figure 2.

· Provost and Vice President for Academic Affairs.
· Vice President for Research.
· Vice President for Administration and Finance.
· Vice President for Development/Alumni Affairs.
· Vice President for Student Development and Enrollment Services.
· Vice Provost for Information Technologies and Resources.
· Vice Provost and Dean of Graduate Studies.

Information Resources Stewards
Information Resources Stewards are identified by an Information Resources Trustee to manage a subset of data within a central administrative office or academic department. The designated Electronic Information Resources Steward is the person primarily responsible for the accuracy, privacy, and integrity of a university data subset. All university data must have an identified Steward. See figure 2 for major designations.

Information Resources Stewards shall

· assist the UDA in determining the degree of access (interactive query only, interactive update, downloading of specific data) to be granted to users,
· assure compliance with access security standards
· understand the content of their data subset and how its elements functionally or logically interrelate,
· communicate data definitions (data dictionary) to users granted access to departmental data, and
· provide guidance and assistance in appropriate interpretation of their data subset.

Information Resources Custodian
The Director of Computer Services and Telecommunications is the Information Resources Custodian and has responsibility for the management of access to data in accordance with established policies and procedures. The Information Resources Custodian shall not dictate usage of University data, nor determine individual access rights to elements, records, or files. The Information Resources Custodian shall

· implement security measures in the University Data Center,
· ensuring that data retention requirements are met for Electronic Information Resources consisting of applications or data,
· manage all changes to core administrative information resources applications,
· document all changes to production systems,
· ensure separation of duties for restricted or essential electronic information resources, and
· be responsible for Disaster Recovery preparation and general oversight of the performance of Disaster Recovery in the event of a disaster in the UDC.
· chairs the University Disaster Management committee for Information Technology Resources,
· co-chairs the University Information Standards committee.

Departmental Security Coordinators
Each department or major organizational unit shall designate a Departmental Security Coordinator (DSC). The DSCs shall

· communicate and coordinate access to administrative systems for employees in their departments,
· coordinate the use and management of computer resources in their department,
· develop review mechanisms to verify the type of remote access means used by employees and determine whether particular access limitations should be imposed,

Authorized Users
An Authorized User is a University employee, student or other individual affiliated with the University who has been granted authorization by the UDA, after coordination with Information stewards to accesses an Electronic Information Resource for the purpose of performing his or her job duties or other functions directly related to his or her affiliation with the University. The authorization granted is for a specific level of access to the Electronic Information Resource as designated by the Information Resources Steward and the UDA (read only, create, delete, or modify.) Departments may require employees to sign Confidentiality and Responsibility forms with regard to accessing and handling administrative data and information.

It is a violation of this University Policy for any individual to attempt to gain unauthorized access to any Electronic Information Resources or in any way damage, alter, or disrupt the operations of these Electronic Information Resources or release unauthorized information. It is also a violation of this Policy for any individual to capture or otherwise obtain or tamper with passwords, encryption keys, or any other access control mechanism that could permit unauthorized access, except where expressly required in the performance of their duties. Among possible disciplinary actions, Information Resources Trustees may withdraw the privileges of any Authorized User who violates this Policy if, in their opinion, continuation of such privileges threatens the security (including integrity, privacy and availability) of an Electronic Information Resource.

Each Authorized User shall have a unique UserId that is assigned by Computer Services for NWRDC or UDC access. Passwords shall be kept confidential and protected at all times. When an Authorized User transfers from one department to another, the new department must request a new UserId for the Authorized User to provide access to any administrative computer systems. The former department shall notify Computer Services to deactivate any old UserIds. When an Authorized User leaves the University, the UserId shall be deactivated but maintained in the security system for historical and audit purposes. Passwords to data that is Essential or Restricted shall not be shared. When there is a need for shared passwords, specific accounts shall be set up for that purpose.

Authorized Users are be responsible to ensure all physical security measures are taken when leaving work areas containing access to hardware and storage (diskettes, disks, tapes), computer networks or hardcopy listings.

Information Resources Security Committee
The Information Resources Security Committee is responsible for overseeing the protection of administrative information resources while maintaining the individual rights of employees and setting priorities for security plans. The Information Resources Security Manager chairs the Committee that includes a representative for each Information Resources Trustee. The Information Resources Security Committee has primary responsibility for the Administrative Data, Information, and Computer Security Guidelines.

University Disaster Recovery Management Committee for Information Technology Resources
The University Disaster Recovery Management Committee for Information Technology Resources is responsible for overseeing Disaster Recovery preparation and general oversight of the performance of Disaster Recovery in the event of a disaster. The Information Resources Custodian chairs the Committee that includes a representative for each Information Resources Trustee.

University Data Administration Committee
The University Data Administration Committee is to serve the administrative, academic and research functions of the University by developing policies, procedures, and systems necessary to safely and securely manage and provide access to institutional data. The Committee will foster an environment in which institutional data are regarded as a strategic asset that serves not only the operational needs of the institution, but also reporting and decision-making. Representatives will be appointed by the UDA.

University Information Standards Committee
The University Information Standards Committee will assist in defining information and data definitions, and implementation procedures for new information systems with regard to use of data elements. Representatives will be appointed by the UDA and Information Resources Custodian.

INFORMATION RESOURCES TRUSTEE AND STEWARD DESIGNATIONS

Figure 2

IV. Definition of Terms
Access Capability: Authority granted to an individual that allows access to data residing in a computer system file. Access capability is generally managed through assignments of a UserId and password.
Administrative Data: Any data related to the administration of the University of Central Florida. This includes data that are used by both the central administration and the administrative units of the colleges, schools and departments.
Administrative Systems and Applications: Any computer system or application programming that supports administrative activities of the university. This includes systems or applications supporting both the central administration and the administrative units of the various colleges, schools and departments.
Business Continuity Plan: A plan for the continued operation of critical business function the case of a disaster affecting normal functioning. A Business Continuity Plan is more inclusive than a Disaster Recovery Plan, which normally relates to information systems only.
Data: A representation of facts, images and or concepts organized in a manner such that they may be stored, communicated, interpreted, processed or retrieved by automated means.
Data Integrity: The state that exists when computerized information is predictably related to its source and has been subjected to only those processes which have been authorized by the appropriate personnel.
Disaster: Any event or occurrence that prevents the normal operation of Electronic Information Resource(s) for a period of time, such that the resulting disruption and or losses exceed acceptable limits. A disaster may occur as a result of a natural disaster (such as a flood, fire or earthquake), employee error or other accidents, long-term system failures, and criminal or malicious action.
Disaster Recovery Plan: A written plan including provisions for implementing and running Essential Electronic Information Resources at an alternate site or provisions for equivalent alternate processing (possibly manual) in the event of a disaster.
Electronic Information Resource: A resource used in support of University business processes that involves the electronic storage, processing or transmitting of data, as well as the data itself. Electronic Information Resources include application systems, operating systems, tools, communications systems, data - in raw, summary, and interpreted form - and associated computer server, desktop, communications and other hardware used in support of University business administration.
Information Technology Resources: Data processing hardware, software and services, documentation, supplies, personnel, facility resources, maintenance, training, or other related resources including telecommunications.
Risk Analysis: A comprehensive evaluation conducted to determine the level of security that is required for data and information technology resources. Risk analysis estimates potential losses that may result from threats and their likelihood of occurrence.
Security: Measures taken to reduce the risk of unauthorized access to Electronic Information Resources, via either logical, physical or managerial means; and damage to or loss of Electronic Information Resources through any type of disaster (such as employee error or other accidents, long-term system failures, natural disasters, and criminal or malicious action).
Sensitive/Confidential Information: Information that is confidential by law; information that requires protection from unauthorized access by virtue of its legal exemption from the Public Records Act.
University Data Center: The University Data Center (UDC) operated by Computer Services.
UserId: Character string that identifies an individual to a computer system, enabling access and/or update capabilities.