Risk Management Policy
UF ADMINISTRATIVE MEMO
Elias G. Eldayrie, Vice President and CIO
All Information Systems purchased for use at the University of Florida must be
assessed for risk that can result in threats to the integrity, availability and
confidentiality of university data. Assessments must be completed prior to
purchase of, or before significant changes to, an information system, and
periodically re-assessed during the system’s lifetime. The initial focus of this effort
will be on systems that store, process or transmit Restricted Data.
For the purposes of compliance with this policy, an Information System includes,
but is not limited to, an individual piece of computing equipment or software, or
a collection of computing and networking equipment and software used to
perform a distinct business function. Examples include the e-Learning System,
ISIS, the EPIC electronic medical records system, a lab system and associated PC
or desktop computers used to perform general duties in a department.
The University of Florida must take every measure possible to protect data stored
on information systems from unauthorized disclosures, loss, or theft. The
university’s Information Security Risk Management Policy
establishes a process to assess, minimize, and approve information systems risks.
This policy requires that existing information systems, along with those proposed
for purchase, be assessed for security risks. Colleges and departments are
responsible for coordinating with the Information Security Office in advance of
any information system purchase so a thorough assessment can be conducted. A
review of the plan established by the UF college or department for securing that
information system must also be submitted for evaluation. This requirement
applies to software and hardware that will be physically located at UF as well as
services accessed via the Internet, commonly referred to as ‘Cloud’ services.
In many cases, deans and department chairs will be asked to accept residual risks
prior to allowing the purchase or implementation of an information system. The
Information Security Office will provide recommendations, but it is essential that
deans and chairs carefully consider the risks and benefits to the university before
accepting significant risks. More information about the information security risk
management process can be found at https://security.ufl.edu/it-workers/risk-assessment/.
NOTE: This and other Administrative Memos are maintained at:
(ALL ATTACHMENTS TO ORIGINAL MEMOS ARE POSTED HERE)