Within 2 Business Days of the submission of your Request it will enter the Triage phase of the Risk Assessment process. In Triage, the Request may be moved into several categories requiring more information. You will receive emails to keep you up-to-date on the progress of your submission. If you have any questions please email, noting your Request number in the email’s subject line.

 The UF assessment process involves multiple units including, but not limited to:
  • Privacy Office
  • Information Security Office
  • Office of the General Counsel
  • Institutional Review Board
  • Procurement Services
  • Principal Investigator
  • Organizational Investigator
  • Vendor

Each Request is reviewed for the following criteria: security, privacy, and alignment with campus technology goals. This process involves multiple units, including the Information Security Office, the Privacy Office, the Office of the General Counsel, and Procurement Services. It will take 2 Business Days for a determination to be made by the departments involved with regards to the next steps for your Request. Please see Figure 1. UF Assessment Process Workflow and Figure 2. The 4 Stages Of  A Risk Assessment below for additional information.

The Information Security Office makes its determinations based on the classification of data being used for that project. Open, Sensitive, and Restricted are the three data classification types at UF, and each requires a different level of scrutiny for assessments. For more information about data classification please click here. Any vagueness and lack of specific information will delay the process, so please be as complete and specific as possible when completing the Request form.

The Privacy Office bases its decisions on the classification of data as well as data sharing and authorization to use restricted data. FERPA, HIPAA, COPPA, medical, and education records are all taken into consideration when making a determination. For more information on privacy policies please click here. If this study involves human subjects and no IRB is available when completing the Request, then the IRB office must be contacted, which will delay the project.

Procurement Services ensures that purchases have gone through the risk assessment process. If the purchase is a renewal then it will be approved for purchase in the Triage phase. If a purchase is over $75,000, a purchasing hold is placed on that project as it must go through the purchasing process. It is strongly recommended that you contact Procurement Services for purchases that exceed $75,000. Most commodity codes for IT purchases have been flagged and will not be processed until a Request is completed.

Alignment with technology goals of the University of Florida includes reducing the university’s overall risk by using environments that have been previously assessed (vetted). Your request will be directed towards a business relationship manager to help you determine if it can be implemented within a pre-vetted environment. Utilizing pre-vetted environments can substantially reduce the amount of time necessary to complete a risk assessment. You will receive emails to keep you informed during this process.

Figure 1. This figure illustrates the risk assessment process workflow and shows that multiple parties are involved in the risk assessment process.

Figure 2. This figure illustrates the four stages of a full risk assessment to detail the various steps at each stage of the process.