The Florida Board of Governors has issued an emergency proposed regulation aiming to ban the use of TikTok on university campuses. The regulation outlines the technology each university should ban and how the state plans to enforce those regulations.

TikTok has already been banned within several government buildings over data privacy concerns. To manage these concerns, each university has to appoint an information security manager (ISM). This appointment may be combined with other duties/positions and is responsible for administering the information security program/policies/procedures of their respective institution.

Each university must develop and annually review and update an information security plan. Each plan may be customized to meet the specific conditions at each university but shall be based upon best practices acquired from recognized national industry standards published by authoritative groups such as: National Institute of Standards (NIST), Information Systems Audit and Control Association (ISACA), International Organization of Standards (ISO), Center for Internet Security (CIS) or other nationally recognized information security organizations.

Each information security plan must address the following:

  • The creation of an information security risk management program which includes risk/self-assessment components.
  • Compliance with applicable federal and state laws and regulations related to privacy and security of data held by the institution.
  • Clarifying roles and responsibilities for safeguarding and use of sensitive/confidential data.
  • Creation and maintenance of an inventory of stores of sensitive/confidential information and who has access to such information.
  • Policies and procedures regarding access control and transmission of sensitive/confidential data with an emphasis on providing an auditable chain of custody and encryption.
  • Distribution of clear and documented procedures for reporting and handling security violations and the consequences for violating security policies and procedures.
  • Methods for ensuring that information regarding the applicable laws, regulations, guidelines and policies is distributed and readily available to computer users.
  • Processes for verifying adherence to the information security plan associated policies and procedures.

Each university must make its information security plan, IT audits, IT risk assessments and inventories of known stores of confidential data appropriately available to the Board's assistant vice chancellor of ITS upon request.

Universities must use a state-approved cyber threat prohibited technologies list. This list shall be a consolidated list originating from threat intelligence sources, including but not limited to the Federal Department of Homeland Security, the Federal Bureau of Investigations and the Florida Fusion Center.

Universities must implement the following protection protocol for identified prohibited technologies:

  • Prevent identified software network traffic over the university's network, including Wi-Fi.
  • Prevent installation of all identified software from university-owned devices.
  • Remove all identified technologies from university-owned devices or infrastructure.
  • Prevent the installation of any identified hardware within the university's infrastructure.

Universities may develop policies and procedures for granting exceptions for the use of identified technologies. Those policies and procedures must include the following components:

  • A requirement that specific criteria be identified and used for evaluating the need for an exception.
  • A requirement that exceptions be evaluated by the information security risk management program.
  • A requirement that all exceptions be reviewed and approved by the university's chief information officer or executive officer identified with similar duties.
  • A requirement that all exceptions be reviewed and approved by the university's information security manager (ISM).
  • A requirement that compensating security controls be identified and implemented to limit the risk posed by the specified software or hardware.
  • Exceptions must be reviewed annually using the defined exception process to determine if continuation is warranted.