Each Information Security policy includes specific responsibilities of the ISA and ISM with regard to that policy. Each unit is responsible for designating employees to fill the Information Security Leadership roles and for allocating an appropriate amount of effort to fulfilling the duties of these roles.
Information Security Managers
Information Security Managers typically are in a technical leadership position within the unit and are responsible for the implementation and oversight of technical controls and documentation related to information security of information systems managed or controlled by units they represent.
Specific responsibilities include:
- Assess and mitigate risks using the university approved process. (Risk Management Policy)
- Immediately notify the UF Computer Security Incident Response Team (CSIRT) of High Severity incidents; respond to, and report on, Low Severity incidents according to procedures established by the Information Security Office. (Incident Response Policy)
- Verify that information systems under unit control, and those intended for acquisition or development by their unit, comply with authentication management requirements. (Authentication Management Policy)
- Implement Information Systems such that account authorizations are promptly enforced. (Account Management Policy)
- Implement backup systems and processes to ensure that RTO and RPO can be met for all data collected, stored or maintained on unit Information Systems. Document backup system operation and test recovery capability. (Backup and Recovery Policy)
- Document and implement controls for all remote access methods implemented within their unit. ISMs are also responsible for monitoring of unit-implemented remote access methods for unauthorized use, and taking appropriate action upon discovery of unauthorized use, including notification of the UF Information Security Incident Response Team. (Remote Access Policy)
- Monitor and review audit logs to identify and respond to inappropriate or unusual activity. (Audit and Logging Policy)
- Create and maintain procedures and documentation to secure data centers, server rooms and telecommunication facilities. (Physical Security of Information Technology Resources Policy)
Information Security Administrators
Information Security Administrators typically are in an administrative leadership position within the unit and are responsible for ensuring the ISM and IT staff have appropriate support and resources to properly secure data and information systems and implement university information security policies. The scope of responsibility of the Information Security Administrator is over information systems that the unit manages as well as third-party services the unit procures.
Specific responsibilities include, but are not limited to, ensuring that processes are in place to facilitate the following:
- Risk assessments on Information Systems using the university approved process (Risk Management Policy)
- Procedures to properly authorize, modify or terminate accounts and permissions (Account Management Policy)
- Establishment of RTO and RPO in conjunction with data users and owners for all data used within the unit, and verification that appropriate backup plans are implemented (Backup and Recovery Policy)
- Procedures for reporting and handling of inappropriate or unusual activity (Audit and Logging Policy)
- Procedures to protect electronic media. (Control of Electronic Media Policy)
- Procedures for training users to recognize and report information security incidents (Incident Response Policy)
- Procedures for the protection of unit workplaces and computing devices; provision of appropriate facilities for unit servers, network, and telecommunications equipment (Physical Security of IT Resources Policy)