All UCF policies are reviewed annually by policy owners and every five years by the University Policies and Procedures Committee. From these reviews come updates, as needed, to ensure our policies incorporate current, meaningful language that protects our university community. Please note the following revised and new policy highlights:
UCF Policy 4-002 Use of Information Technologies and Resources
This policy received several changes, updates, and some restructuring. One change, worth noting, is that “Users with access to university information systems must complete an online Security Awareness Training course every 12 months….”
Another recent change includes “Users with access to university information systems may be required to complete supplemental role-based training…depending on job role and/or prior to gaining access to information systems containing certain types of data, such as FERPA, HIPAA, CUI, etc.…”
Also, “Users may receive simulated phishing messages as part of authorized internal simulated phishing campaigns” and “Users may lose access to university systems if they do not complete annual training, or any other assigned training as required.”
UCF Policy 4-008 Data Classification and Protection
This policy also received several changes, updates, and some restructuring. One important update includes “…all members of the university community to immediately report confirmed or suspected data security incidents to the Security Incident Response Team (SIRT). Data considered to be Highly Restricted Data or Restricted Data may require a heightened response and reporting obligations.”
The handling of Highly Restricted and Restricted Data has been expanded on and clarified, plus we’ve added a section on Physical Data Protection that covers the maintaining of a Clean Desk Area and therefore “…keep(ing) your environment secure when you are away from your desk or office.” There are lots of ways to protect university-related data, including personal information, listed within.
Also, a new section, titled Requests for Data, explains the importance of routing all requests from federal or state agencies for access to university, state, or federal data to the Office of the General Counsel.
UCF Policy 4-015 Information Security Incident Response – New!
This is a brand-new policy for UCF and stipulates appropriate reporting procedures/requirements that alert our Security Incident Response Team (SIRT) of security incidents and events. This policy also provides authority to SIRT/InfoSec to take necessary actions to respond to and mitigate security incidents.
Incident severity drives actions taken by SIRT to keep our University, its data, and our community safe.
Check out each policy for more information!