Unit Security Plans

The UF Information Security Plans Policy requires that each unit that manages some aspect of it’s own IT is responsible for creating and maintaining an information security plan. The Office of Internal Audit will verify these plans as a routine part of it’s audit program. To support the development of unit security plans, the university has prepared the following Unit Information Security Plan Specifications, documentation template, guidance, and references. The UF plan guidance is aligned with the NIST Cybersecurity Framework version 1.1, and closely mirrors the UF CSF Assessment Surveys. 

Please direct any questions regarding these materials to the Information Security Risk Management team at ciso-isr@mail.ufl.edu

Plan Specifications Publication Schedule

Specifications for each function will be published as they are developed, throughout the 2023-2024 fiscal year. Units are strongly encouraged to develop their corresponding plan elements as each is published. 

FunctionSpecification Publication
IdentifyOctober 2023 – released
ProtectJanuary 2024 – released
DetectApril 2024 – released
Respond & RecoverJuly 2024

Unit Information Security Plan Functions

Unit Information Security Plan Template

This template can be used to document unit information per the specifications. This template will be updated to include each function as the specifications are released. 

Unit Information Security Plan Template (authentication required)

Frequently Asked Questions

Identify Function

Learn MoreLearn More

Protect Function

Learn MoreLearn More

Detect Function

Learn MoreLearn More

The Information Security Office is not planning on reviewing or tracking unit information security plans. However, it is expected that the Office of Internal Audit will verify plans and their implementation as a part of it’s routine audit process. 

As a plan, this document describes HOW the unit manages IT and security, but does not need to include the results of the processes. In the example of asset inventory, the plan should describe how asset inventory is conducted, what CI’s are inventoried, who is responsible for the inventory, how to access the inventory data, and how the inventory is used to manage assets – but the actual inventory results do not be included in the plan.