Policies and Standards
Procedures & Standards
This section contains procedures and standards to be used by all machines connecting
to the usf.edu domain, as well as the personnel who use and administer them. The procedures
are reviewed annually by the Office of Information Security. Material changes are
also reviewed by University Audit and Compliance and the Office of General Counsel.
Compliance to the standards posted in this section is required.
ISSP-0000 - Security Plan
The USF IT Security Plan supplements the Official Security Policies, Standards, and Procedures that have been established for the University of South Florida. This security plan is intended to comply with the regulations and policies set down by the State of Florida, the University of South Florida, the Federal Information Security Management Act (FISMA), and other state and federal regulations.
ISSP-0000 - Network Security Plan
The USF IT Network Security Plan establishes guidelines for IT practices used on a day to day basis to provide a secure and robust computing environment. These practices are used in order to protect the mission, operation, and reputation of the University of South Florida and its information systems.
ISSP-001 - Data Classification Policy
This document offers guidelines for the classification of electronic resources within the University of South Florida according to their level of criticality and sensitivity.
ISSP-002 - Incident Response Procedure
Document Outlines steps taken during incidents involving data security at USF.
ISSP-003 - Access Control Standard
Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access (authorization) control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the clearance level of the user accessing those documents.
ISSP-004 - Removal of Network Access
USF must take immediate action to mitigate any threats that have the potential to pose a serious risk to the campus network, campus computers or the Internet. This document outlines situations in which machines connected to the USF network would have access suspended.
ISSP-005 - Choosing Strong Passwords
Passwords are the first line of defense on any system connected to the network. It is not enough to simply have any password associated with an account. Passwords must be chosen in such ways that the casual hacker would not gain access to the account simply by trying a few easy combinations.
ISSP-006 - Secure Computing
All computers connected to the network must be appropriately protected. Computers used at USF which contain information considered sensitive require additional measures of protection. This document outlines the recommended steps local administrators must take during the initial setup and ongoing maintenance of such computers.
ISSP-008 - Wireless Network Installations
This document covers some general wireless network installation guidelines that must be followed to ensure USF's campus-wide wireless offerings are compatible, provide mobility between locations, and prevent unauthorized access. Note: Please read this document carefully. Any unauthorized wireless router found on our network will have its connection turned off immediately.
ISSP-009 - Electronic Data and Media Disposal
Sensitive data, such as proprietary information and student information, may reside on various types of media throughout the University. Due to technological advancements, simple deletion or formatting does not provide enough protection of sensitive data. Deleted files usually will remain on the media for long periods of time, and many software tools are now available to recover such data. Once destroyed in the manner described, these files cannot be recovered. USF and/or the ISW are not responsible for unwanted effects the use of this software may cause. Do not use the methods described unless you are certain the data will no longer be needed.
ISSP-014 - Request for Storage of Social Security Numbers
The University of South Florida will no longer use nor permit the use of a Social Security Number (SSN) as an identifier for a person in any University of South Florida information system unless the use of the SSN is imperative for the performance of the University of South Florida's duties and responsibilities as prescribed by law.
ISSP-015 - Network Segmentation
In order to improve the security posture of the servers part of the IT SVC Data Center and Winter Haven Data Center, the IT's Office of Information Security, in conjunction with Communications Infrastructure and the Data Center Infrastructure group have established a set of network procedures to be followed when setting up a server.
ISSP-017 - Vendor Assessment and IT Integration Form
Vendor will complete this questionnaire.
ISSP-018 - Change Management Standard
This document defines a consistent approach to manage changes to the IT environment at USF and also outlines the procedure for request, approval, implementation, and review of direct SQL updates to OASIS (Banner), GEMS, and FAST (Peoplesoft) databases.
ISSP-019 - Major IT Services by Affiliation
The document lists the primary affiliations a person may have at USF, which major services someone with each primary affiliation is eligible for, and what happens with each service once the person no longer has an eligible primary affiliation.
ISSP - 022 - IT Resources Purchasing Standards and Thresholds
This document outlines how to differentiate standard purchases from those requiring special approval.
ISSP - 023 - Controlled Technical Information System Security Plan
This document compiles information for the system security, expectations and responsibilities by area for projects identified by the USF Export Control Office to require such documentation.
ISSP - 025 - Physical and Environment Protection Standard
The purpose of this standard is to define and document the procedures to facilitate the implementation and
management of physical and environmental controls in the Data Centers at the University of South Florida, in compliance with the requirements put forth by NIST 800-53 and the NIST Cybersecurity Framework.
ISSP - 026 - Training and Awareness Plan
This document outlines awareness-raising methods for personnel to understand the importance of information security management and their contribution to the University of South Florida accept policies and plans, and understand the consequences of breaching the information security rules.
ISSP - 027 - Log Management
The collection, storage and analysis of logs is a critical information security and compliance control. Deficiencies in security logging and analysis may allow attackers to hide their location, malicious software, and malicious activities on compromised machines. Even with the knowledge that systems have been compromised, without protected and complete logging records, security professionals are blind to the details of the attack and to subsequent actions
taken by the attackers. Without solid audit log management, an attack may go unnoticed indefinitely and the damage done may be irreversible.