Risk Management Policy

Published: November 12th, 2015

Category: Security Team Blog

Elias G. Eldayrie, Vice President and CIO

All Information Systems purchased for use at the University of Florida must be assessed for risk that can result in threats to the integrity, availability and confidentiality of university data. Assessments must be completed prior to purchase of, or before significant changes to, an information system, and periodically re-assessed during the system’s lifetime. The initial focus of this effort will be on systems that store, process or transmit Restricted Data.

For the purposes of compliance with this policy, an Information System includes, but is not limited to, an individual piece of computing equipment or software, or a collection of computing and networking equipment and software used to perform a distinct business function. Examples include the e-Learning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or desktop computers used to perform general duties in a department.

The University of Florida must take every measure possible to protect data stored on information systems from unauthorized disclosures, loss, or theft. The university’s Information Security Risk Management Policy establishes a process to assess, minimize, and approve information systems risks.

This policy requires that existing information systems, along with those proposed for purchase, be assessed for security risks. Colleges and departments are responsible for coordinating with the Information Security Office in advance of any information system purchase so a thorough assessment can be conducted. A review of the plan established by the UF college or department for securing that information system must also be submitted for evaluation. This requirement applies to software and hardware that will be physically located at UF, as well as to services accessed via the Internet, commonly referred to as ‘Cloud’ services.

In many cases, deans and department chairs will be asked to accept residual risks prior to allowing the purchase or implementation of an information system. The Information Security Office will provide recommendations, but it is essential that deans and chairs carefully consider the risks and benefits to the university before accepting significant risks. More information about the information security risk management process can be found at https://security.ufl.edu/it-workers/risk-assessment/.


NOTE: This and other Administrative Memos are maintained at: