Policy Number: 12-025

Risk Management Policy

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer


  1. Purpose

     To establish a process to manage risks to the University of Florida that result from threats to the confidentiality, integrity and availability of University Data and Information Systems.

  2. Applicability

     This policy applies to all electronic data created, stored, processed or transmitted by the University of Florida, and the Information Systems used with that data.

  3. Definitions

    Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

    Restricted Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records, research protocols and export controlled technical data.

    University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

  4. Policy Statement

     All Information Systems must be assessed for risk to the University of Florida that results from threats to the integrity, availability and confidentiality of University of Florida Data. Assessments should be completed prior to purchase of, or significant changes to, an Information System; and at least every 2 years for systems that store, process or transmit Restricted Data.
    • Risks identified by a risk assessment must be mitigated or accepted prior to the system being placed into operation.
    • Residual risks may only be accepted on behalf of the university by a person with the appropriate level of authority as determined by the Chief Privacy Officer and Chief Information Security Officer. Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated. 
    • Each Information System must have a system security plan, prepared using input from risk, security and vulnerability assessments. 


RISK ASSESSMENT STANDARD

Purpose

To establish a process for assessing Information Systems for risks to systems and data, and for documenting and communicating those risks to university leadership so that decisions can be made regarding the treatment or acceptance of those risks. The security and privacy of Restricted Data will be a primary focus of risk assessments.

Standard

  1. Risk assessments will be conducted:
    • Prior to acquisition of Information Systems.
    • When an existing Information System undergoes a significant change in technology or use that would affect its risk posture. Examples include significant software upgrades, changes in hosting platforms or vendors, or changes in the data classification or volume of records stored, processed or transmitted by the system.
    • At least every two years for systems that store, process or transmit Restricted Data and three years for all other systems.
  2. The approved university risk assessment process will include the following:
    • The scope of the assessment.
    • An assessment of security control implementation.
    • Report documenting threats, vulnerabilities and risks associated with the Information System.
    • Recommendations to increase the security posture of the Information System.
  3. The Information Security Office will retain Risk Assessment records according to the university records retention schedules and applicable laws.

References

SEC‑RM‑001: Information Security Risk Management Policy



SYSTEM SECURITY PLANS STANDARD

Purpose:

To describe the required elements of a system security plan.

Standard:

  1. System security plans include the following:
    1. Description of the operational context.
    2. System categorization and information classifications of data to be used with the system, along with supporting justifications for those decisions.
    3. Inventory of the components that constitute the information system.
    4. Connections between the information system and any other systems.
    5. Overview of security requirements.
    6. Security controls that are in place or planned for implementation, including user responsibilities and how users will be trained.
    7. Dates and milestones for implementation of planned security controls, and remediation of vulnerabilities.
  2. Security plans must be reviewed and approved by the unit’s Information Security Administrator (ISA) and Information Security Manager (ISM).
  3. Security plans must be updated as part of any significant upgrades, configuration changes or software development. Plans must also be updated to reflect needed remediation when vulnerabilities or control deficiencies are identified. Security plans must be reviewed and updated at least every three years.

References:

SEC-RM-001: Information Security Risk Management Policy


MALICIOUS SOFTWARE CONTROL STANDARD

PURPOSE:

To provide guidance on when malicious software controls are needed and how they should be configured.

STANDARD:

  1. Anti-virus and anti-malware software shall be implemented on all computing devices for which such software is commonly available. Email systems will scan incoming and outgoing messages for malicious content.
  2. Updates needed for anti-virus and anti-malware software to detect new threats shall be installed within 14 days of release by the vendor.
  3. Controls that only allow execution of pre-authorized code are strongly recommended, as are other configuration options to minimize the effect of malicious software such as preventing execution from temporary directories.
  4. Malicious software controls should be configured to scan files and data as they are downloaded, stored and accessed, with periodic scans of all storage.
  5. Malicious software controls should be configured to alert IT staff of infections, and IT staff will take prompt action to isolate or remove malicious code according to the UF Incident Response Procedures.
  6. Malicious software controls may not be disabled or configured to reduce their effectiveness without formal authorization of the unit ISM, who will document the authorization and require that the controls be re-enabled once the authorization expires.


REFERENCES:

Revision History

Revision Date    Description
                 Policy originally adopted
Aug 1, 2022      Policy updated


EXTERNAL IT VENDOR SOURCING STANDARD

PURPOSE:

To specify security requirements for the acquisition of information technology products and services in which University of Florida Data is stored, processed or transmitted by an entity not under control of the university. Typically this covers outsourced services, server hosting, Managed Service Providers (MSPs), Software as a Service (SaaS), Infrastructure as a Service (IaaS) and “Cloud” computing services.

STANDARD:

  1. Service Level Agreements will address the following topics to the satisfaction of the university, based upon the needs of the project:
    1. Availability
    2. Data preservation and destruction after termination of service
    3. Backups
    4. Intellectual property considerations
    5. Remedies for failure to perform
  2. Externally-hosted applications and services used by the university must authenticate users using Gatorlink SSO, unless the primary user base includes those not eligible to obtain Gatorlink accounts.
  3. External IT Vendors that will store, process or transmit Restricted Data must:
    1. Sign a Data Security Agreement stating their responsibility to protect University of Florida Data, to comply with all UF Security Policies and Standards as well as applicable laws and regulations, and to screen and monitor personnel, and specifying legal liability.
    2. Provide external validation of the vendor’s compliance with required controls. This validation can consist of a reliable third-party audit, certification, attestation, or an assessment conducted by the university.
  4. External IT Vendors that will store, process, transmit or otherwise have access to Protected Health Information must sign a Business Associate Agreement.
  5. Periodic review of the vendor’s controls and continued compliance will be conducted as needed, based upon significant changes to the use of the system, system design or controls, and at least every two years for projects that store, process or transmit Restricted Data and every three years for all other projects.
  6. Documentation of evaluations, assessments and reviews must be retained according to university records retention schedules and applicable laws.


REFERENCES:

SEC-RM-001: Information Security Risk Management Policy

Revision History

Revision Date    Description
                 Policy originally adopted
Aug 1, 2022      Policy updated

History

Revision Date       Description
February 6, 2020    Policy originally adopted
                    Policy updated