Information Security

Security Program for the Information and Computing Environment (SPICE)

On April 14, 2003, a proposal to initiate a project for developing a security program for the information and computing environment of the Health Science Center (HSC) was presented to Dr. Douglas Barrett, Vice President for Health Affairs. Subsequent presentations were made to the Health Science Center Deans and Dr. Chuck Frazier, University of Florida Vice Provost for Information Technology. The security program for the information and computing environment (SPICE) has been subsequently approved and efforts to assess and secure the HSC data infrastructure is already underway. (more)

Workforce Security Training Requirement

Everyone is responsible for information security including UFHSC leadership, management, faculty, staff, students and volunteers. The UFHSC Security Program requires annual training of the workforce in information security concepts, securing protect information and security best practices. (required training)

Information Classification

The University of Florida is the owner of information generated or used by University employees while in the employ and conducting the business of the University, no matter where that information resides. As Owner, the University of Florida is responsible for prescribing certain levels of protection for information whose loss, corruption or unauthorized disclosure results in some level of adversity for the University or an individual. Levels of protection can be costly and not all types of information need to be protected at the same level. Going through a thoughtful effort to classify information types can help a College, Department or Unit decide on a rational information security implementation. Information must be classified into one of four classifications; Restricted, Sensitive, Operational or Unrestricted. When classifying information consider, how important (high, medium or low) it is to keep it confidential, how important (high, medium or low) its integrity is, and how important (high, medium or low) it is to be available. (more on how information should be classified)

Contingency Planning

Each Unit shall maintain a written contingency plan. The format of standard CP0001 may be used. It is the intent that Standard CP0001 provides a format that facilitates meeting all requirements of contingency planning policy. It is the responsibility of the Unit Information Security Administrator to ensure that all requirements of the contingency planning policies are satisfied.