Healthcare Information Security Policies

These policies apply only to the healthcare components of the university and were formerly referred to as the SPICE (Security Program for the Information Computing Environment) Program. As new university-wide policies are approved, they will supersede the corresponding SPICE policy.


General Provisions

Policy ID Policy Version
GP0001 Applicable Information Security Regulations, Laws, Policies Information on Federal and State laws, UF policies and others that protect information and supersede or work together with the HSC policies.
This policy has been deprecated and is preserved here for historical purposes.
09/02/2009
GP0002 Information Security Program Compliance A basic statement of required compliance to the Information Security Program policies.
This policy has been deprecated and is preserved here for historical purposes.
09/02/2009
GP0003 Information Security General Provisions To delineate the general provisions of information security.
This policy has been deprecated and is preserved here for historical purposes.
09/02/2009
GP0003.02 Information Classification Standard
This standard has been replaced by the UF Data Classification Policy and is preserved here for historical purposes.
09/02/2009
GP0003.04 Information Security Program Definitions
This standard has been replaced by the UF Information Security Definition of Terms and is preserved here for historical purposes.
09/02/2009
GP0003.06 Information Security Violation Levels 09/02/2009
GP0003.08 Report Distribution and Submission Deadlines
This standard has been deprecated and is preserved here for historical purposes.
09/02/2009
GP0004 Information Security Considerations Re: Termination Security procedures when an employee or business partner is separated or changes association with the University. 2/1/2017
GP0005 Security Education and Awareness Training requirements for all users. 2/1/2017
GP0005.02 Security Education and Awareness Standard 2/1/2017
GP0006 UF HSC Information Security Program Responsibility Delineates the responsibility for the UF HSC Information Security Program, the Program review periods, and the retention requirements.
This policy has been replaced by UF Regulation UF-1.0102 Policies on Information Technology and Security and is preserved here for historical purposes.
09/02/2009
GP0007 Policy and Standards Authority Determines who has authority to implement security policy as well as procedures for granting exceptions.
This policy has been replaced by IT Policy and Standard Life Cycle and is preserved here for historical purposes.
09/02/2009
GP0007.01 Obtaining Approval Standard
This standard has been replaced by IT Policy and Standard Life Cycle and is preserved here for historical purposes.
09/02/2009
GP0007.02 Requirements for Exceptions Standard
This standard has been deprecated and is preserved here for historical purposes.
09/02/2009
GP0008 HSC Risk Assessment for Information Assets Responsibility for information security assessment within the HSC.
This policy has been replaced by UF Risk Assessment Policy and is preserved here for historical purposes.
09/02/2009



Contingency Planning

Policy ID Policy Version
CP0001 Maintaining Information Security During a Disaster How to treat information assets and systems in the case of an emergency or other event which compromises or damages systems. 02/1/2017
CP0002 Contingency Plan Requirements for a plan departments must make ready in case of a disaster event as described in CP0001. 02/1/2017
CP0002.02 Risk Assessment - Mission Crucial Systems
This standard has been replaced by the UF Risk Management Policy and is preserved here only for historical purposes.
02/22/2010
CP0002.04 Contingency Planning Template 02/1/2017
CP0003 System Backups - Electronic Data
This standard has been replaced by the UF Backup and Recovery Policy and is preserved here only for historical purposes.
11/05/2004



Incident Response

Policy ID Policy Version
This policy and associated standards will soon be replaced with a UF policy that is pending approval.
IR0001 Security Incident Response Team Charter Operation of the UF HSC Security Incident Response Team, whose purpose is to track down incidents and restore proper functionality and security to affected information. 02/22/2010
IR0001.02 Information Security Incident Classification Matrix Requirements for a plan departments must make ready in case of a disaster event as described in CP0001. 02/22/2010
IR0001.04 Security Incident Response Team Sequence of Actions 02/22/2010
IR0001.06 Information Security Incident Notification Schedule 02/22/2010



Physical Security

Policy ID Policy Version
This policy and associated standards will soon be replaced with a UF policy that is pending approval.
PS0001 Physical Security of HSC Facilities Lists offices responsible for establishing physical security requirements at various HSC facilities. 02/22/2010
PS0001.02 Physical Security of HSC Facilities Standard 02/22/2010
PS0002 Physical Security of Information Assets and Related Facilities Responsibility for implementing physical security in the various units of the Health Science Center. 02/22/2010
PS0002.02 Physical Security of Server Rooms 02/22/2010
PS0002.04 Physical Security of Communications Closets 02/22/2010
PS0003 Device and Media Controls Sets both usage policy and responsibility for use of any equipment (including workstations) or media that holds restricted or sensitive information. 02/22/2010
PS0003.02 Device And Media Controls Standard 02/22/2010
PS0004 Physical Security and Usage of End-User Computing Devices Responsibility of implementing and maintaining basic physical security of all devices. Applies to all HSC users and rooms containing Information Assets. 02/22/2010
PS0004.02 Physical Security of End-User Computing Devices Standard 02/22/2010
PS0004.04 Physical Security and Usage of End-User Computing Devices and Related Facilities Standard 02/22/2010
PS0005 Off Site Storage Responsibility for designating locations for off-site storage of any form of information (non-electronic included). 02/22/2010



Technical Security

Policy ID Policy Version
TS0001 Key Person Dependency - Information Technology To ensure all areas of responsibility for normal business are covered by trained IT personnel.
This policy has been deprecated and is preserved here only for historical purposes.
02/22/2010
TS0003 Logging & Information System Activity Review - Electronic Information Policy Logging and information policy regarding system activity involving information assets used by any individual.
This policy and associated standards will soon be replaced with a UF policy that is pending approval.
09/14/2004
TS0003.02 Logging & Information System Review Activity and Review Documentation Standard 09/14/2004
TS0005 User Account and Password Management
This policy has been replaced by the UF Account Management Policy and is preserved here only for historical purposes.
11/19/2004
TS0005.02 User Account and Password Management Standard
This standard has been replaced by the UF Authentication Management Standard and the UF Password Complexity Standard and is preserved here only for historical purposes.
03/09/2005
TS0006 Electronic Communications and Data Transmission Policy Minimum guidelines for acceptable forms of communication to include data, audio, video, and written transmissions in all forms of electronic communication except voice. 2/1/2017
TS0006.02 Electronic Communications and Data Transmission Standard 2/1/2017
TS0007 Malicious Software Controls Proactive security measures to prevent and detect malicious software, as well as raising awareness to recognize and report suspected intrusions of malicious software. 2/15/2017
TS0007.02 Software for Detecting Malicious Software
This standard has been deprecated and is preserved here only for historical purposes.
01/04/2005
TS0008 Network Security Authority and Responsibility Specifies authority for network infrastructure access. Applies to any individuals using network services. 2/1/2017
TS0008.02 IP Allocation and Use
This standard has been replaced by the UF Internet Protocol Address Assignment Policy and the UF Internet Protocol Address Assignment Standard and is preserved here only for historical purposes.
04/01/2008
TS0008.04 Responsibilities of the Network Service Provider
This standard has been deprecated and is preserved here only for historical purposes.
01/27/2005
TS0010 Portable Computing Device Security
This policy has been replaced by the UF Mobile Computing and Storage Devices Policy and is preserved here only for historical purposes.
02/05/2007
TS0010.02 Portable Computing Device Security Standard
This standard has been replaced by the UF Mobile Computing and Storage Devices Standard and is preserved here only for historical purposes.
02/05/2007
TS0011 Software Security Compliance Requirements for software used to access information to maintain adequate security features to prevent any unauthorized access to information assets.
This policy has been deprecated and is preserved here only for historical purposes.
04/01/2008
TS0011.01 General Software Security
This policy has been replaced by the UF Risk Management Policy and is preserved here only for historical purposes.
04/01/2008
TS0011.03 Web Application Security
This standard has been replaced by the UF Credit Card Policies and Directives and is preserved here only for historical purposes.
04/01/2008
TS0011.05 eCommerce Application and Card Holder Data
This standard has been replaced by the UF Software Security Guidelines and is preserved here only for historical purposes.
04/01/2008
TS0012 Computer Security Policy Security requirements for computers used for HSC business to prevent any unauthorized access to information assets. 2/15/2017
TS0012.02 UF Owned or Managed Computer Security Standard 2/15/2017
TS0012.04 Personally or Affiliate Owned Computer Security Standard
This policy is currently under review; please check back soon.
04/05/2009
