Unit Security Plans
The UF Information Security Plans Policy requires that each unit that manages some aspect of it’s own IT is responsible for creating and maintaining an information security plan. The Office of Internal Audit will verify these plans as a routine part of it’s audit program. To support the development of unit security plans, the university has prepared the following Unit Information Security Plan Specifications, documentation template, guidance, and references. The UF plan guidance is aligned with the NIST Cybersecurity Framework version 1.1, and closely mirrors the UF CSF Assessment Surveys.
Please direct any questions regarding these materials to the Information Security Risk Management team at ciso-isr@mail.ufl.edu.
Plan Specifications Publication Schedule
Specifications for each function will be published as they are developed, throughout the 2023-2024 fiscal year. Units are strongly encouraged to develop their corresponding plan elements as each is published.
Function | Specification Publication |
---|---|
Identify | October 2023 – released |
Protect | January 2024 – released |
Detect | April 2024 – released |
Respond & Recover | July 2024 |
Unit Information Security Plan Functions
Unit Information Security Plan Template
This template can be used to document unit information per the specifications. This template will be updated to include each function as the specifications are released.
Unit Information Security Plan Template (authentication required)
Frequently Asked Questions
The Information Security Office is not planning on reviewing or tracking unit information security plans. However, it is expected that the Office of Internal Audit will verify plans and their implementation as a part of it’s routine audit process.
As a plan, this document describes HOW the unit manages IT and security, but does not need to include the results of the processes. In the example of asset inventory, the plan should describe how asset inventory is conducted, what CI’s are inventoried, who is responsible for the inventory, how to access the inventory data, and how the inventory is used to manage assets – but the actual inventory results do not be included in the plan.