Policies and Standards

Procedures & Standards

This section contains procedures and standards to be used by all machines connecting to the usf.edu domain, as well as the personnel who use and administer them. The procedures are reviewed annually by the Office of Information Security. Material changes are also reviewed by University Audit and Compliance and the Office of General Counsel. Compliance to the standards posted in this section is required.

ISSP-0000 - Security Plan
The USF IT Security Plan supplements the Official Security Policies, Standards, and Procedures that have been established for the USF System. This security plan is intended to comply with the regulations and policies set down by the State of Florida, the University of South Florida, the Federal Information Security Management Act (FISMA), and other state and federal regulations.

ISSP-0000 - Network Security Plan
The USF IT Network Security Plan establishes guidelines for IT practices used on a day to day basis to provide a secure and robust computing environment. These practices are used in order to protect the mission, operation, and reputation of the USF System and its information systems.

ISSP-001 - Data Classification Policy
This document offers guidelines for the classification of electronic resources within the University of South Florida according to their level of criticality and sensitivity.

ISSP-002 - Incident Response Procedure
Document Outlines steps taken during incidents involving data security at USF.

ISSP-003 - Password Management Standards
Minimum Account Lockout and Password Policy settings for servers belonging to the usf.edu forest.

ISSP-004 - Removal of Network Access
USF must take immediate action to mitigate any threats that have the potential to pose a serious risk to the campus network, campus computers or the Internet. This document outlines situations in which machines connected to the USF network would have access suspended.

ISSP-005 - Choosing Strong Passwords
Passwords are the first line of defense on any system connected to the network. It is not enough to simply have any password associated with an account. Passwords must be chosen in such ways that the casual hacker would not gain access to the account simply by trying a few easy combinations.

ISSP-006 - Securing Sensitive Computers
All computers connected to the network must be appropriately protected. Computers used at USF which contain information considered sensitive require additional measures of protection. This document outlines the recommended steps local administrators must take during the initial setup and ongoing maintenance of such computers.

ISSP-008 - Wireless Network Installations
This document covers some general wireless network installation guidelines that must be followed to ensure USF's campus-wide wireless offerings are compatible, provide mobility between locations, and prevent unauthorized access. Note: Please read this document carefully.  Any unauthorized wireless router found on our network will have its connection turned off immediately.

ISSP-009 - Electronic Data and Media Disposal
Sensitive data, such as proprietary information and student information, may reside on various types of media throughout the University. Due to technological advancements, simple deletion or formatting does not provide enough protection of sensitive data. Deleted files usually will remain on the media for long periods of time, and many software tools are now available to recover such data. Once destroyed in the manner described, these files cannot be recovered.  USF and/or the ISW are not responsible for unwanted effects the use of this software may cause.  Do not use the methods described unless you are certain the data will no longer be needed.

ISSP-012 -  Data Protection Standards for Mobile Devices
All laptops purchased by the University must have approved whole disk encryption software installed to better protect Personal Identifiable Information (PII).

ISSP-014 -  Request for Storage of Social Security Numbers
The USF System will no longer use nor permit the use of a Social Security Number (SSN) as an identifier for a person in any USF System information system unless the use of the SSN is imperative for the performance of the USF System's duties and responsibilities as prescribed by law.

ISSP-015 - Server Address Assignment and ACL Requests
In order to improve the security posture of the servers part of the IT SVC Data Center and Winter Haven Data Center, the IT's Office of Information Security, in conjunction with Communications Infrastructure and the Data Center Infrastructure group have established a set of network procedures to be followed when setting up a server.

ISSP-017 - Vendor Assessment and IT Integration Form
Vendor will complete this questionnaire.

ISSP-018 - Change Management Standard
This document defines a consistent approach to manage changes to the IT environment at USF and also outlines the procedure for request, approval, implementation, and review of direct SQL updates to OASIS (Banner), GEMS, and FAST (Peoplesoft) databases.

ISSP-019 - Major IT Services by Affiliation
The document lists the primary affiliations a person may have at USF, which major services someone with each primary affiliation is eligible for, and what happens with each service once the person no longer has an eligible primary affiliation.

ISSP- 020 - User and System Documentation
This document outlines responsibility for updating user and system documentation associated with changes made to USF information technology systems. Good practice requires updates to documentation when system changes are made.

ISSP - 021 - Use of 3D Printing Resources
The policy provided offers standards, guidelines and limitations to printing in 3D.

ISSP - 022 - IT Resources Purchasing Standards and Thresholds
This document outlines how to differentiate standard purchases from those requiring special approval.

ISSP - 023 - Controlled Technical Information System Security Plan
This document compiles information for the system security, expectations and responsibilities by area for projects identified by the USF Export Control Office to require such documentation.

ISSP - 025 - Physical and Environment Protection Standard
The purpose of this standard is to define and document the procedures to facilitate the implementation and
management of physical and environmental controls in the Data Centers at the University of South Florida, in compliance with the requirements put forth by NIST 800-53 and the NIST Cybersecurity Framework.

ISSP - 026 - Training and Awareness Plan
This document outlines awareness-raising methods for personnel to understand the importance of information security management and their contribution to the USF System accept policies and plans, and understand the consequences of breaching the information security rules.