Unit Security Plans


The UF Information Security Plans Policy requires each unit that manages some aspect of its own IT to create and maintain an information security plan. The Office of Internal Audit will verify these plans as a routine part of its audit program. To support the development of unit security plans, the university has prepared the following Unit Information Security Plan Specifications, documentation template, guidance, and references. The UF plan guidance is aligned with the NIST Cybersecurity Framework version 1.1, and closely mirrors the UF CSF Assessment Surveys.

Please direct any questions regarding these materials to the Information Security Risk Management team at ciso-isr@mail.ufl.edu

Plan Specifications Publication Schedule

Specifications for each function will be published as they are developed, throughout the 2023-2024 fiscal year. Units are strongly encouraged to develop their corresponding plan elements as each is published. 

Function             Specification Publication
Identify             October 2023 – released
Protect              January 2024 – released
Detect               April 2024 – released
Respond & Recover    July 2024

Unit Information Security Plan Functions

Unit Information Security Plan Template

This template can be used to document unit information per the specifications. This template will be updated to include each function as the specifications are released. 

Unit Information Security Plan Template (authentication required)

Frequently Asked Questions

Identify Function


Protect Function


Detect Function


The Information Security Office is not planning on reviewing or tracking unit information security plans. However, it is expected that the Office of Internal Audit will verify plans and their implementation as a part of its routine audit process.

As a plan, this document describes HOW the unit manages IT and security, but does not need to include the results of the processes. In the example of asset inventory, the plan should describe how asset inventory is conducted, what CIs are inventoried, who is responsible for the inventory, how to access the inventory data, and how the inventory is used to manage assets – but the actual inventory results do not need to be included in the plan.