Policy Statement

To establish a process to manage risks to the University of Florida that result from threats to the confidentiality, integrity and availability of University Data and Information Systems


This policy applies to all electronic data created, stored, processed or transmitted by the University of Florida, and the Information Systems used with that data.


Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

Restricted Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records, research protocols and export controlled technical data.

University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

Policy Specifics

  1. All Information Systems must be assessed for risk to the University of Florida that results from threats to the integrity, availability and confidentiality of University of Florida Data. Assessments should be completed prior to purchase of, or significant changes to, an Information System; and at least every 2 years for systems that store, process or transmit Restricted Data. 
  2. Risks identified by a risk assessment must be mitigated or accepted prior to the system being placed into operation. 
  3. Residual risks may only be accepted on behalf of the university by a person with the appropriate level of authority as determined by the Chief Privacy Officer and Chief Information Security Officer. Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated.
  4. Each Information System must have a system security plan, prepared using input from risk, security and vulnerability assessments.

Review and Adjudication

  1. Information Security Administrators (ISAs) are responsible for ensuring that their unit conducts risk assessments on Information Systems, and uses the university approved process.
  2. Information Security Managers (ISMs) are responsible for assessing and mitigating risks using the university approved process.
  3. Information System Owners (ISOs) are responsible for ensuring that information systems under their control are assessed for risk and that identified risks are mitigated, transferred or accepted.
  4. The Vice President and Chief Information Officer (CIO) is responsible for implementing systems and specifications to facilitate unit compliance with this policy.

Policy Violations

Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated.


Revision DateDescription
February 6, 2020 Policy originally adopted
  Policy updated