All Information Systems purchased for use at the University of Florida must be assessed for risk that can result in threats to the integrity, availability and confidentiality of university data. Assessments must be completed prior to purchase of, or before significant changes to, an information system, and periodically re-assessed during the system’s lifetime. The initial focus of this effort will be on systems that store, process or transmit Restricted Data.
The UF Security office has implemented a risk management policy. There was an administrative memo on this issues November 12, 2015. The memo is copied below. In short, the memo states that you can’t purchase anything related to information technology with completing a risk assessment form. A risk assessment will take 2 to 12 weeks to process from the time your IT staff gets the information submitted. As your IT staff does not know the details of your research they are not able to fill out the forms without your input. The IT staff is aware of the burden of extra work this places on the instructors and researcher. We are here to help you with this process. Please allow an appropriate time for processing between your desire to purchase a data system and your need to use it.
Pages and Forms
- Administrative Memo on UF’s Risk Management policy.
- Risk assessment start page – IT staff take the information submitted by the non-IT staff (previous link) and upload it here.
Email from Rob Adams, Chief Information Security Office
July 08, 2016
An Administrative Memo on UF’s Risk Management policy was issued November 12, 2015. The internal procurement controls now in place at UF are a result of this memo. There has been some confusion over the list of technology purchases impacted by this policy. For your reference, a more clearly articulated list is provided here. The list of technology purchases impacted by UF’s Risk Management policy includes (but is not limited to):
- New software purchases, license renewals on existing (previously purchased) software, any equipment with pre-installed software, and software development contracts. Examples include an add-on feature purchased to use with a UF website or e-Learning system; or a survey collection, statistical, or research analysis tool
- Any computing storage technology that will hold UF data (e.g., NAS, SAN, and cloud storage services that will store UF data)
- Computing hardware, like a server and, when appropriate, other personal computing devices
Purchasing any of the above requires a Risk Assessment. The Risk Assessment identifies specific security and privacy risks the potential purchase may have. Requisitions submitted in myUF Market will be held until a Risk Assessment is complete and the required documentation is uploaded with the requisition. To begin the Risk Assessment process, go to: https://security.ufl.edu/it-workers/risk-assessment/. This is a comprehensive information gathering procedure involving multiple units of the university. Depending on the technology, the Privacy Office and the Office of the General Counsel may be involved, in addition to UF Procurement Services and UF’s Information Security Office.
Anyone with questions about UF’s Risk Management policy may email them to firstname.lastname@example.org.
There are several Cyber Security courses provided by the University of Florida. These courses have been customized to deal with the unique environment that is UF. You can find these courses, and other, at https://training.it.ufl.edu/.
Policies and Procedures
Below are the list of policies and procedures that must be read and understood for a risk assessment to be completed: