Integrated Risk Management 2.0

The university has a policy requiring that all information systems must be assessed for risk to protect the availability and confidentiality of University of Florida data. During your Protecting UF: Information Security Awareness training, you learned that if you had a special use case for an application or hardware platform that was not covered by a Fast Path Solution, you need to open a risk assessment. The purpose behind the assessment is to help individuals and organizations understand the potential risks that may be associated with a technology solution, provide recommendations to mitigate the risk, and allow for informed decision making before embarking on a path that may open the university up to liability.

If you have ever gone through a risk assessment, you may have encountered some challenges navigating the process. The wording on the intake and categorization may be confusing, data flow diagrams may be challenging to create, and getting a vendor to provide documentation may be time consuming. Even worse, sometimes a risk assessment may seem to be stuck in a black hole with no information on when it will be completed.

Part of the challenge is that completing a risk assessment involves multiple parties, including yourself, college IT staff, the product vendor, and the UF Risk Management team. More complicated risk assessments, especially ones involving human or animal subjects, may also involve the UF Privacy Office, General Counsel, Procurement, IRB, IACUC, and the UF Research Office. Navigating these waters can make the process time-consuming and difficult to follow.

There have been many complaints about the current process and UFIT has listened. This October, the UFIT Risk Management team will begin a soft launch of a revised risk management process, which should provide some relief. UFIT will begin training Information Security Managers on the new process at the end of September. To help with the new process, CLAS IT has gone through some internal re-organization and hired a new Information Security Manager, Joey Serrano, who will be joining us in mid-September. Part of his job will be to manage the new Risk Management process for our college and, by working closely with the faculty and the UFIT Risk Management team, to help our faculty with their risk assessments.

Joey and I will provide more information on the new program later this fall.