Protect Function

Specification Documents

Unit Information Security Plan Specification – PROTECT (Authentication Required)

Additional Guidance

PR.AC-1

Inventories of unit-managed non-Gatorlink accounts should be carried out in a priority order based on the classification of the data the accounts will have access to and the business impact of the related system(s) where the accounts will be used.  At a minimum, units should make the effort to maintain an inventory of all unit-managed systems where non-Gatorlink accounts are in use, including a mechanism to inventory the accounts on demand.

PR.AC-6

Additional guidance on unit practices for identity proofing will be provided as part of the IAM modernization project that is currently in progress.  The related key requirements and informative references for this subcategory will be updated once the new guidance is available for distribution.

PR.AT-2

The following example is based on language included in UFIT position descriptions:

POSITION OF SPECIAL TRUST
IT staff occupy a position of special trust with duties that bring them into contact with critical or sensitive data or with information that requires protection, such as FERPA, HIPAA, and PII data.  The incumbent is expected to access this data only for valid business purposes and it is the employee’s duty to protect the confidentiality of this data and to report all potential violations.  Employee is trained to observe federal, state, and university privacy regulations and adhere to all UF and UFIT policies and procedures for confidentiality.

Annual certifications in handling HIPAA, FERPA, and SSN data by completing the following courses:
Course Name                                           Course Number
HIPAA                                                 PRV800
FERPA Basics                                          PRV802
Protecting SS Numbers & Identity Theft Prevention     PRV804
Protecting UF: Information Security Training          ITT102


Data Classification Guidelines and consequences of disclosure are located at: https://it.ufl.edu/policies/information-security/

PR.DS-1

To support the requirements for the protection of Restricted data on personally managed mobile devices, units should require compliance with the UF Mobile Computing and Storage Devices Policy and report issues of non-compliance to the appropriate dean, director, or department chair.

PR.DS-7

The decision to use a separate development environment for unit-managed information systems should follow a business impact assessment in which the risk of potential system outages from planned and unplanned events is evaluated.  An example scenario where a separate non-production environment is most practical is a highly utilized information system that undergoes frequent changes and must maintain high availability.