There are five total steps in the risk assessment process, if your project is determined to need a more thorough review. A high-level overview of each step is listed below:

Step 1 – Request: The request form includes approximately 14 questions, and this form is designed to facilitate…

Step 2 – Review Request: This is the initial step that evaluates the submitter’s scope of work to determine the following:

*What other administrative and compliance offices need to be involved in the review process?

*Can the risk assessment can be “fast-tracked”?

Step 3 – Categorization: The categorization form includes approximately 17 questions, and this form is designed to document high level technical information about the technology you are using. You may also attach supporting documents to this form, such as the data flow diagram.

Step 4 – Assessment: Based on your scope of work, your Information Security Manager (ISM) will need to complete anywhere from 1 to 4 surveys. Each survey is designed to gather information about various security controls in these areas: information system, application, device, and facility. Any remediation plan advised for the project is also introduced at this stage.

Step 5 – Proceed: This is the final step in the risk assessment process, as the risk assessment is complete. 

*Please note that not all request forms submitted go through all 4 steps of the risk assessment process.

A Data Flow Diagram or DFD is used to capture the main components of an Information System, how data moves within the system, user-interaction points, and the Authorization Boundary.

A good DFD includes the following:

  1. Indication of the ports/protocols/service of each component of the system.
  2. Indication of Network Zones (Closed Zone, Protected, DMZ, etc.).
  3. Indication of VPN requirements and where the users are coming in from (campus, HSC, outside internet, etc.).
  4. Indication of the physical location of these components and who manages each.
  5. A list of data base types and additional details on any servers and components running on them (apache, IIS, OS, FTP, etc.).
  6. The methods of user access to the system and the directional flow of information.
  7. Indication of any connections in which the system may exchange restricted information with another system.
  8. Indication of where any data is transferred to or accessed by a third party. This includes vendors, technical support or outsourced service providers.

DFDs can be made using Visio or Microsoft PowerPoint.

For more information on DFDs, please visit Creating an Information System / Data Flow Diagram

No. If you are purchasing or using technology that fits one of the Fast Path Solutions listed, and you follow the use guidelines of that solution presented on the IRM website, you do not need to submit a request form for a full assessment.

Note: If you are using the technology for a data type other than what is laid out in the guidelines, you are required to submit a request for risk assessment at

If you are required to submit a request form for a full risk assessment, here are some tips for expediting the process:

  1. Work closely with your department’s Information Security Manager (ISM). Your ISM is trained on the risk assessment process, and they can help get the information you need for the technical questions on the risk assessment forms. Search for your department ISM using this link:
  2. Work with your ISM to create a detailed data flow diagram. The diagram should include directional arrows that visualize how data flow between systems, including specific ports on the UF network. Visit the Information Security Office (ISO) website for more tips on creating the data flow diagram:
  3. Try to respond as quickly as possible when the Information Security Office (ISO) reaches out for information. Depending on your scope of work, the risk assessment process can include up to four steps, and each step includes a set of questions that must be answered.
  4. Contact IRM with any questions or concerns before and during the assessment.

The request form should be filled out by the person with the most knowledge about the project; this can be a faculty member, PI, fiscal assistant, or Information Security Manager (ISM).