Risk Management Policy
Elias G. Eldayrie, Vice President and CIO
All Information Systems purchased for use at the University of Florida must be assessed for risks that threaten the integrity, availability and confidentiality of university data. Assessments must be completed prior to the purchase of, or before significant changes to, an information system, and the system must be periodically re-assessed during its lifetime. The initial focus of this effort will be on systems that store, process or transmit Restricted Data.
For the purposes of compliance with this policy, an Information System includes, but is not limited to, an individual piece of computing equipment or software, or a collection of computing and networking equipment and software used to perform a distinct business function. Examples include the e-Learning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or desktop computers used to perform general duties in a department.
The University of Florida must take every measure possible to protect data stored on information systems from unauthorized disclosures, loss, or theft. The university’s Information Security Risk Management Policy http://www.it.ufl.edu/policies/information-security/risk-management-policy/ establishes a process to assess, minimize, and approve information systems risks.
This policy requires that existing information systems, along with those proposed for purchase, be assessed for security risks. Colleges and departments are responsible for coordinating with the Information Security Office in advance of any information system purchase so that a thorough assessment can be conducted. The plan established by the UF college or department for securing that information system must also be submitted for evaluation. This requirement applies to software and hardware that will be physically located at UF as well as to services accessed via the Internet, commonly referred to as ‘Cloud’ services.
In many cases, deans and department chairs will be asked to accept residual risks prior to allowing the purchase or implementation of an information system. The Information Security Office will provide recommendations, but it is essential that deans and chairs carefully consider the risks and benefits to the university before accepting significant risks. More information about the information security risk management process can be found at https://security.ufl.edu/it-workers/risk-assessment/.