Risk Assessment Requirements

Two years ago the University adopted a Risk Management Policy (http://www.it.ufl.edu/policies/information-security/risk-management-policy/) which has impacted the process for IT purchases significantly. When faculty need new IT resources, UFIT, the CIO, and the CSO strongly prefer the use of UFIT hosting solutions provided by Enterprise Infrastructure or Research Computing. The primary reason for this is managing and controlling risk at the university. By using UFIT-provided services you are transferring the risk to UFIT and aligning yourself with UF enterprise strategies.

By leveraging UFIT hosting and UFIT-provided systems you will shorten your time to implementation, since these systems have already gone through the vetting process with the Information Security & Compliance office. Additionally, there are many other tangible benefits to using UFIT hosting: hardware redundancy, lifecycle management, secured environment, power/cooling management, backups, service management, etc. UFIT has significantly improved cost and service offerings over the last few years and more improvements are still coming.

UFIT and Information Security & Compliance have steadily improved the risk management process and recently rebranded it as Integrated Risk Management (IRM) (https://irm.security.ufl.edu/). This site documents processes for navigating the risk assessment, classifying data, finding storage solutions, and using ‘fast path’ solutions. ‘Fast path’ solutions are software, hardware, and cloud services that have already been vetted through the risk management process and are available for use with limited, or no, risk assessment requirement.

If you are purchasing or using IT information systems that are not provided by UFIT, or not already vetted as a ‘fast path’ solution, chances are some sort of risk assessment is either needed or has already been completed by your local IT. In some instances an Intake # is required to even submit a purchase requisition (software purchases, for instance). Your local IT support will help you navigate that process by working with you to review pre-vetted environments and ‘fast path’ solutions and to submit a risk assessment intake on your behalf when necessary. Make sure to involve your local IT support early to ensure enough time to work through this process.

If you have questions, please let us know. We can either answer the question or direct you to the proper resources.

REFERENCES:

Risk Management Policy: https://it.ufl.edu/policies/information-security/risk-management-policy/
Risk Assessment Standard: https://it.ufl.edu/policies/information-security/related-standards-and-documents/risk-assessment-standard/
Integrated Risk Management: https://irm.security.ufl.edu/
Enterprise Infrastructure Hosting: https://hosting.it.ufl.edu/
Research Computing Services (storage, computing, apps, ResVault, etc): https://www.rc.ufl.edu/about/our-services