Review Request


Within two business days of the submission of your Request it will enter the Review Request phase of the Risk Assessment process. In Review Request, the Request may be moved into several categories requiring more information. You will receive emails to keep you up-to-date on the progress of your submission. If you have any questions please email UFRM@mail.ufl.edu, noting your Request number in the email’s subject line.

 The UF assessment process involves multiple units including, but not limited to:
  • Privacy Office
  • Information Security Office
  • Office of the General Counsel
  • Institutional Review Board
  • Procurement Services
  • Principal Investigator
  • Organizational Investigator
  • Vendor

Each Request is reviewed for the following criteria: security, privacy, and alignment with campus technology goals. This process involves multiple units, including the Information Security Office, the Privacy Office, the Office of the General Counsel, and Procurement Services. It will take two business days for a determination to be made by the departments involved with regards to the next steps for your Request. Please see Figure 1. UF Assessment Process Workflow and Figure 2. The Stages of A Risk Assessment below for additional information.

The Information Security Office makes its determinations based on the classification of data being used for that project. Open, Sensitive, and Restricted are the three data classification types at UF, and each requires a different level of scrutiny for assessments. For more information about data classification please click here. Any vagueness and lack of specific information will delay the process, so please be as complete and specific as possible when completing the Request form.

The Privacy Office bases its decisions on the classification of data as well as data sharing and authorization to use restricted data. FERPA, HIPAA, COPPA, medical, and education records are all taken into consideration when making a determination. For more information on privacy policies please click here. If this study involves human subjects and no IRB is available when completing the Request, then the IRB office must be contacted, which will delay the project.

Procurement Services ensures that purchases have gone through the risk assessment process. The renewal of an existing license or services that does not exceed $150,000 will be approved immediately upon completion of the Request form.  A Board of Governors regulation requires that UF Procurement Services place a purchasing hold on all requisitions that exceed $150,000 to review the project through the purchasing process. It is strongly recommended that you contact Procurement Services for purchases that exceed $150,000 to not further delay the risk assessment process.

Alignment with technology goals of the University of Florida includes reducing the university’s overall risk by using environments that have been previously assessed (vetted). Your request will be directed towards a business relationship manager to help you determine if it can be implemented within a pre-vetted environment. Utilizing pre-vetted environments can substantially reduce the amount of time necessary to complete a risk assessment. You will receive emails to keep you informed during this process.

Create Request goes through either Renewal or No Restricted Data, which is approved and inventoried for future risk assessment, or Aligned with Enterprise Strategy, which goes to Technology Review, or Restricted Data, which goes to Risk Assessment. Approved and Risk assessment goes to contract negotiation and create purchase order.
Figure 1. This figure illustrates the risk assessment process workflow and shows that multiple parties are involved in the risk assessment process.
1. Submit Request (UF Unit describes project) 2. Review Request (IRM reviews with Procurement, Privacy, General Counsel, IRB, etc. assigns Risk Analyst) 3. Categorization (ISM describes project scope, components, ISO gathers supporting docs) 4. Assessment (ISM completes technology surveys, ISO reviews completed surveys, develops risk remediation plans) 5. Risk Report (UF Unit review of risk eval)
Figure 2. This figure represents the steps that a risk assessment can involve depending on the scope and availability of supporting documentation.