Information Security Leadership
Roles and Responsibilities
In order to foster shared responsibility for managing information security, the university has defined the roles and responsibilities for both IT and Non-IT members of the community.
- Information Technology Roles
- Non-IT Roles
Information Technology Roles
The CIO is responsible for, and has the authority to direct, the architecture, security, and provisioning of IT services at UF. The CIO manages UFIT, the organization tasked with providing enterprise IT services to the university.
The CIO’s responsibilities include:
- Coordination of the information security program to manage risk within the university’s risk tolerance
- Executive sponsorship of the university IT governance process, which includes information security
- Provision of the resources necessary to execute the information security program
- Implementation of IT systems that support information security goals and processes
- Maintenance of the list of OneIT leadership
The CISO leads the university’s information security program, manages the Information Security Office, and reports to the Vice President and Chief Information Officer. The CISO is also appointed to the role of Information Security Manager (ISM) as directed in FLBOG 3.0075 and is responsible for administering the information security program, policies, and procedures.
The CISO’s responsibilities include creation, maintenance, and oversight of the university’s information security program, including:
- Information security policies
- Security awareness program
- Information security risk management program
- Incident detection and response
- Compliance with laws, regulations, and contracts with regard to information security
The Director/Manager of IT is the senior IT leader for a college or other major UF unit and is accountable to, and reports to, the Vice President and Chief Information Officer for how unit needs are being met consistent with UF-wide policies.
Responsibilities of the Director/Manager of IT include:
- Management, oversight, and security of all IT activities within their scope
- Coordination, with the Office of the Vice President and Chief Information Officer, of the use and provision of IT services and infrastructure, including services and infrastructure not managed by the enterprise or contracted by the university
- Supervision of Information Security Managers to ensure the risk management program is carried out within the unit
- Designation of staff who operate under the direction and authority of the Director/Manager of IT to carry out IT and information security responsibilities within sub-units of the college or administrative unit
- Reporting on Key Performance Indicators to the College Dean/Administrative Unit Vice President and other leadership, in order to facilitate understanding of the effectiveness of the information security program within the unit and to identify areas for improvement
Information Security Managers typically hold a technical leadership position within the unit and are responsible to the Director/Manager of IT for the implementation and oversight of technical controls and documentation related to the information security of information systems managed or controlled by the units they represent.
Specific responsibilities include:
- Assess and mitigate risks using the university-approved process
- Immediately notify the UF Computer Security Incident Response Team (CSIRT) of High Severity incidents, and respond appropriately to Low Severity incidents
- Verify that information systems under their control, and those intended for acquisition or development by their unit, comply with authentication management requirements
- Implement information systems such that account authorizations are promptly enforced
- Implement backup systems and processes to ensure that the recovery time objective (RTO) and recovery point objective (RPO) can be met for all data collected, stored, or maintained on unit information systems
- Document backup system operation and test recovery capability
- Document and implement controls for all remote access methods implemented within their unit; monitor those methods for unauthorized use, and take appropriate action upon discovery of unauthorized use, including notification of the UF Information Security Incident Response Team
- Monitor and review audit logs to identify and respond to inappropriate or unusual activity
- Create and maintain procedures and documentation to secure data centers, server rooms, and telecommunication facilities
- Oversee system security
- Establish unit procedures to document and control system configurations and maintenance
Non-IT Roles
The College Dean or Administrative Unit Vice President is the senior leader of a college or university administrative unit, such as a dean, a vice president, or the director of a unit reporting directly to the Provost.
Responsibilities of the College Deans/Administrative Unit Vice Presidents include:
- Designate a Director/Manager of IT, Information Security Manager (ISM) and Information Security Administrator (ISA) and inform the Office of the Vice President and Chief Information Officer
- Review Key Performance Indicators of the unit’s information security program, and provide guidance to the Director/Manager of IT, ISM and ISA on how the unit’s posture aligns with unit and university risk tolerance
- Provide direction to the Director/Manager of IT on the unit’s IT needs
- Provide direction to the ISM and ISA on the unit’s risk management strategy and tolerance
- Make final decisions on treatment of risk
Information Security Administrators typically hold an administrative leadership position within the unit and are responsible for ensuring that the ISM and IT staff have appropriate support and resources to properly secure data and information systems and to implement university information security policies. The Information Security Administrator’s scope of responsibility covers the information systems that the unit manages as well as the third-party services the unit procures.
Specific responsibilities include, but are not limited to, ensuring that processes are in place to facilitate the following:
- Risk assessments on information systems using the university-approved process
- Procedures to properly authorize, modify or terminate accounts and permissions
- Establishment of RTO and RPO, in conjunction with data users and owners, for all data used within the unit, and verification that appropriate backup plans are implemented
- Procedures to respond to inappropriate or unusual activity on unit information systems
- Procedures to protect electronic media
- Procedures for training users to recognize and report information security incidents
- Procedures for the protection of unit workplaces and computing devices
- Provision of appropriate facilities for unit servers, network, and telecommunications equipment
- Development, maintenance, exercise and training of unit contingency plans
- Appropriate resources to maintain system security
All faculty, staff, students, volunteers, and other affiliates have a responsibility to participate in the university’s information security program. This includes working with unit IT staff and Information Security Leadership (the ISM and ISA) to address information security concerns, and participating in the risk assessment process if needed, before implementing or upgrading information technology. Faculty and staff should arrange to use pre-vetted applications and systems when available.
Responsibilities of all members of the university community include:
- Completing the annual security awareness training and understanding their role in securing university data and information systems
- Complying with the Acceptable Use Policy
- Using university approved applications and systems to perform university work